Passwordless user authentication fails when using form encoded request #633

Closed
opened 2026-02-06 19:55:17 +03:00 by OVERLORD · 1 comment

Originally created by @thornbill on GitHub (Apr 24, 2019).

Describe the bug
The authenticatebyname API endpoint returns an error when trying to log in as a user without a password when using a request that is form encoded.

To Reproduce

  1. Use curl to issue an authentication request for a user account without a password.

    curl 'http://jft.thornton.lan/emby/Users/authenticatebyname' --compressed -H 'X-Emby-Authorization: MediaBrowser Client="Jellyfin Web", Device="Firefox", DeviceId="deviceid", Version="10.3.1"' -H 'Content-Type: application/x-www-form-urlencoded' --data 'username=nopass&passwordMd5=d41d8cd98f00b204e9800998ecf8427e&pw=&password=da39a3ee5e6b4b0d3255bfef95601890afd80709&'
    
  2. Receive the following error message

    Invalid user or password entered.

  3. Additionally, if the password or passwordMd5 values are blank, the following error is returned.

    Object reference not set to an instance of an object.

Expected behavior
The user should successfully authenticate and a user object should be returned.

Logs
This does not generate any errors in the logs.

Screenshots
N/A

System (please complete the following information):

  • OS: Docker
  • Browser: N/A
  • Jellyfin Version: 10.3.1
  • Reverse proxy: Caddy

Additional context
This is affecting the Android TV app, refs https://github.com/jellyfin/jellyfin-androidtv/issues/90

OVERLORD added the bug label 2026-02-06 19:55:17 +03:00

@bugfixin commented on GitHub (Apr 25, 2019):

https://github.com/jellyfin/jellyfin/blob/master/Emby.Server.Implementations/Services/StringMapTypeDeserializer.cs on line 74 the isnullorempty check effectively converts empty fields to null fields, resulting in the null Pw later on. application/json requests effectively bypass this (the instance is already populated via a previous deserializer). We could replace that with checking directly if the propertyTextValue is null on that line 74, or we could change the AuthenticateLocalUser function in https://github.com/jellyfin/jellyfin/blob/master/Emby.Server.Implementations/Library/UserManager.cs (or some step earlier) to explicitly set hashedpassword or password to an empty string if they are null.
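
The null-versus-empty distinction discussed in the comment above, as an added C# example that is not Jellyfin code: a form-field mapper that skips empty values leaves the password property null, while a null-only check keeps the blank password the client actually sent. `AuthRequest`, `FormMapDemo`, `Map` and `Normalise` are hypothetical names, and the two-field form is constructed sample input.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical request DTO; the property name Pw comes from the comment above.
class AuthRequest
{
    public string Username { get; set; }
    public string Pw { get; set; }
}

static class FormMapDemo
{
    // skipEmpty = true models the IsNullOrEmpty check described for line 74:
    // a field sent as "pw=" is treated the same as a field that was never sent.
    // skipEmpty = false is the first proposed fix: skip only real nulls.
    public static AuthRequest Map(IDictionary<string, string> form, bool skipEmpty)
    {
        var req = new AuthRequest();
        foreach (var kv in form)
        {
            bool skip = skipEmpty ? string.IsNullOrEmpty(kv.Value) : kv.Value == null;
            if (skip) continue;
            if (kv.Key.Equals("username", StringComparison.OrdinalIgnoreCase)) req.Username = kv.Value;
            else if (kv.Key.Equals("pw", StringComparison.OrdinalIgnoreCase)) req.Pw = kv.Value;
        }
        return req;
    }

    // Second proposed fix: normalise a null password to "" before it is used.
    public static string Normalise(string password) => password ?? string.Empty;

    static void Main()
    {
        // Constructed sample: decoded form body for a user with a blank password.
        var form = new Dictionary<string, string> { { "username", "nopass" }, { "pw", "" } };

        var skippingEmpty = Map(form, skipEmpty: true);
        var skippingNull = Map(form, skipEmpty: false);
        Console.WriteLine($"skip-empty mapper: Pw is null = {skippingEmpty.Pw == null}");
        Console.WriteLine($"skip-null mapper:  Pw is empty string = {skippingNull.Pw == string.Empty}");

        // Dereferencing the null property is what surfaces as a NullReferenceException.
        try { _ = skippingEmpty.Pw.Length; }
        catch (NullReferenceException e) { Console.WriteLine($"unguarded use: {e.Message}"); }

        Console.WriteLine($"normalised length: {Normalise(skippingEmpty.Pw).Length}");
    }
}
```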


Reference: starred/jellyfin#633