Added a new field to manage Jellyfin administrator privilege

nikarh · nikarh · commit 02ce3113b587 · 2023-11-14T12:54:42.000+02:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -13,6 +13,9 @@ updates:
     commit-message:
       prefix: chore
       include: scope
+    ignore:
+      - dependency-name: "Jellyfin.Controller"
+        update-types: ["version-update:semver-patch"]
 
   # Fetch and update latest `github-actions` pkgs
   - package-ecosystem: github-actions
diff --git a/.vscode/launch.json b/.vscode/launch.json
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
diff --git a/Authelia-Auth.Tests/AuthenticatorTests.cs b/Authelia-Auth.Tests/AuthenticatorTests.cs
@@ -9,12 +9,14 @@ public class AuthenticatorTests
     [Fact(Skip = "skip")]
     public async void AuthenticatorTest()
     {
-        var config = new PluginConfiguration();
-        config.JellyfinUrl = "http://jellyfin";
-        config.AutheliaServer = "http://authelia";
+        var config = new PluginConfiguration
+        {
+            JellyfinUrl = "http://jellyfin",
+            AutheliaServer = "http://authelia"
+        };
 
         var authenticator = new Authenticator();
         var result = await authenticator.Authenticate(config, "test", "test");
-        Assert.Equal("test", result.DisplayName);
+        Assert.Equal("test", result.AuthenticationResult.DisplayName);
     }
 }
diff --git a/Authelia-Auth/Authelia-Auth.csproj b/Authelia-Auth/Authelia-Auth.csproj
@@ -3,8 +3,8 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <RootNamespace>Jellyfin.Plugin.Authelia_Auth</RootNamespace>
-    <AssemblyVersion>1.0.12.0</AssemblyVersion>
-    <FileVersion>1.0.12.0</FileVersion>
+    <AssemblyVersion>1.0.13.0</AssemblyVersion>
+    <FileVersion>1.0.13.0</FileVersion>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <ProduceReferenceAssemblyInOutDir>true</ProduceReferenceAssemblyInOutDir>
diff --git a/Authelia-Auth/AutheliaAuthenticationProviderPlugin.cs b/Authelia-Auth/AutheliaAuthenticationProviderPlugin.cs
@@ -2,6 +2,7 @@
 using System.Security.Cryptography;
 using System.Threading.Tasks;
 using Jellyfin.Data.Entities;
+using Jellyfin.Data.Enums;
 using MediaBrowser.Common;
 using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Controller.Library;
@@ -56,7 +57,7 @@ public async Task<ProviderAuthenticationResult> Authenticate(string username, st
 
             var auth = await new Authenticator().Authenticate(config, username, password);
 
-            User user = null;
+            User user;
             try
             {
                 user = userManager.GetUserByName(username);
@@ -76,7 +77,13 @@ public async Task<ProviderAuthenticationResult> Authenticate(string username, st
                 user.Password = _cryptoProvider.CreatePasswordHash(Convert.ToBase64String(RandomNumberGenerator.GetBytes(64))).ToString();
             }
 
-            return auth;
+            // Only manage admin permissions if the admin group is set in config
+            if (!string.IsNullOrWhiteSpace(config.AutheliaAdminGroup))
+            {
+                user.SetPermission(PermissionKind.IsAdministrator, auth.IsAdmin);
+            }
+
+            return auth.AuthenticationResult;
         }
 
         /// <inheritdoc />
diff --git a/Authelia-Auth/Authenticator.cs b/Authelia-Auth/Authenticator.cs
@@ -1,11 +1,10 @@
 using System;
+using System.Linq;
 using System.Net;
 using System.Net.Http;
-using System.Net.Http.Json;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.Json.Nodes;
-using System.Text.Json.Serialization;
 using System.Threading.Tasks;
 using Jellyfin.Plugin.Authelia_Auth.Config;
 using MediaBrowser.Controller.Authentication;
@@ -15,27 +14,19 @@ namespace Jellyfin.Plugin.Authelia_Auth
 #pragma warning disable SA1649
 #pragma warning disable SA1402
     /// <summary>
-    /// Response data field.
+    /// AutheliaUser is ProviderAuthenticationResult enriched with group information.
     /// </summary>
-    public class UserInfoResponseData
+    public class AutheliaUser
     {
         /// <summary>
-        /// Gets users full name.
+        /// Gets ProviderAuthenticationResult.
         /// </summary>
-        [JsonPropertyName("display_name")]
-        public string DisplayName { get; init; }
-    }
+        public ProviderAuthenticationResult AuthenticationResult { get; init; }
 
-    /// <summary>
-    /// User info response.
-    /// </summary>
-    public class UserInfoResponse
-    {
         /// <summary>
-        /// Gets user info response data.
+        /// Gets a value indicating whether a user has admin privileges .
         /// </summary>
-        [JsonPropertyName("data")]
-        public UserInfoResponseData Data { get; init; }
+        public bool IsAdmin { get; init; }
     }
 #pragma warning restore SA1649
 #pragma warning restore SA1402
@@ -53,7 +44,7 @@ public class Authenticator
         /// <param name="password">Password to authenticate.</param>
         /// <returns>A <see cref="ProviderAuthenticationResult"/> with the authentication result.</returns>
         /// <exception cref="AuthenticationException">Exception when failing to authenticate.</exception>
-        public async Task<ProviderAuthenticationResult> Authenticate(PluginConfiguration config, string username, string password)
+        public async Task<AutheliaUser> Authenticate(PluginConfiguration config, string username, string password)
         {
             var cookieContainer = new CookieContainer();
             using var handler = new HttpClientHandler()
@@ -100,22 +91,34 @@ public async Task<ProviderAuthenticationResult> Authenticate(PluginConfiguration
                 {
                     throw new AuthenticationException("User doesn't have access to this service.");
                 }
-            }
 
-            try
-            {
-                var userInfoResponse = await client.GetFromJsonAsync<UserInfoResponse>("/api/user/info");
+                var isAdmin = false;
+                var displayName = string.Empty;
+
+                if (accessResponse.Headers.TryGetValues("Remote-Groups", out var groups))
+                {
+                    isAdmin = groups.FirstOrDefault().Split(",").Any(e => e == config.AutheliaAdminGroup);
+                }
 
-                return new ProviderAuthenticationResult
+                if (accessResponse.Headers.TryGetValues("Remote-Name", out var names))
                 {
-                    Username = username,
-                    DisplayName = userInfoResponse.Data.DisplayName,
+                    displayName = names.First();
+                }
+                else
+                {
+                    throw new AuthenticationException("Authelia didn't return a Remote-Name header.");
+                }
+
+                return new AutheliaUser
+                {
+                    AuthenticationResult = new ProviderAuthenticationResult
+                    {
+                        Username = username,
+                        DisplayName = displayName,
+                    },
+                    IsAdmin = isAdmin
                 };
             }
-            catch
-            {
-                throw new AuthenticationException("Invalid username or password.");
-            }
         }
     }
 }
diff --git a/Authelia-Auth/Config/PluginConfiguration.cs b/Authelia-Auth/Config/PluginConfiguration.cs
@@ -15,6 +15,7 @@ public PluginConfiguration()
             AutheliaServer = "http://authelia";
             JellyfinUrl = "http://jellyfin";
             AutheliaRootCa = string.Empty;
+            AutheliaAdminGroup = string.Empty;
             CreateUserIfNotExists = true;
         }
 
@@ -28,6 +29,11 @@ public PluginConfiguration()
         /// </summary>
         public string AutheliaRootCa { get; set; }
 
+        /// <summary>
+        /// Gets or sets the Authelia group name for admin users.
+        /// </summary>
+        public string AutheliaAdminGroup { get; set; }
+
         /// <summary>
         /// Gets or sets a value indicating whether a user will be created on successful authentication if it does not exist in Jellyfin.
         /// </summary>
diff --git a/Authelia-Auth/Config/configPage.html b/Authelia-Auth/Config/configPage.html
@@ -18,7 +18,7 @@
                             <div class="sectionTitleContainer flex align-items-center">
                                 <h2 class="sectionTitle">Authelia Settings:</h2>
                             </div>
-                            <p><i>Note:</i> Making changes to this configuration requires a restart of Jellyfin.</p>
+                            <p><i>Note:</i> Making changes to this configuration does not require restarting Jellyfin.</p>
                             <div
                                 class="verticalSection"
                                 title="Authelia Settings"
@@ -27,7 +27,7 @@ <h2 class="sectionTitle">Authelia Settings:</h2>
                                     <input
                                         is="emby-input"
                                         type="text"
-                                        id="txtAutheliaServer"
+                                        id="AutheliaServer"
                                         required
                                         placeholder="authelia"
                                         label="Authelia Server:"
@@ -41,22 +41,19 @@ <h2 class="sectionTitle">Authelia Settings:</h2>
                                             is="emby-textarea"
                                             class="emby-textarea"
                                             type="text"
-                                            id="txtAutheliaRootCa"
+                                            id="AutheliaRootCa"
                                             placeholder="-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
                                             rows="3"
                                         ></textarea>
                                     </label>
-                                    <div class="fieldDescription">
-                                        <div>The root CA for the Authelia server you wish to use for Authentication.</div>
-                                        <div>Leave this field empty unless you use a self-signed certificate for Authelia.</div>
-                                    </div>
+                                    <div class="fieldDescription">The root CA for the Authelia server you wish to use for Authentication. Leave this field empty unless you use a self-signed certificate for Authelia.</div>
                                 </div>
                                 <div class="checkboxContainer checkboxContainer-withDescription">
                                     <label>
                                         <input
                                             is="emby-checkbox"
                                             type="checkbox"
-                                            id="boolCreateUserIfNotExists"
+                                            id="CreateUserIfNotExists"
                                         />
                                         <span>Create a new user on successful login</span>
                                     </label>
@@ -66,7 +63,23 @@ <h2 class="sectionTitle">Authelia Settings:</h2>
                                     <input
                                         is="emby-input"
                                         type="text"
-                                        id="txtJellyfinUrl"
+                                        id="AutheliaAdminGroup"
+                                        label="Authelia admin group name:"
+                                    />
+                                    <div class="fieldDescription">
+                                        <p>If not blank, this plugin will actively manage users administrator permissions in Jellyfin. On every successful log in this plugin will check if a user is a member of this group in Authelia:</p>
+                                        <ul>
+                                            <li>If a user is a member of this group, they will be given administrator permissions in Jellyfin.</li>
+                                            <li>If a user is not a member of this group, the administrator permission will be revoked in Jellyfin.</li>
+                                            <li>If left blank, this plugin will not alter administrator permissions in Jellyfin.</li>
+                                        </ul>
+                                    </div>
+                                </div>
+                                <div class="inputContainer">
+                                    <input
+                                        is="emby-input"
+                                        type="text"
+                                        id="JellyfinUrl"
                                         required
                                         placeholder="jellyfin"
                                         label="Jellyfin Url:"
@@ -118,22 +131,27 @@ <h2 class="sectionTitle">Authelia Settings:</h2>
                 .emby-textarea + .fieldDescription {
                     margin-top: 0.25em;
                 }
+                .fieldDescription > p {
+                    margin-top: 0;
+                }
             </style>
 
             <script type="text/javascript">
                 var AutheliaConfigurationPage = {
                     pluginUniqueId: "6bb8dbba-2aaa-4b19-9da4-f3bbb6c44091",
-                    AutheliaServer: document.querySelector("#txtAutheliaServer"),
-                    AutheliaRootCa: document.querySelector("#txtAutheliaRootCa"),
-                    CreateUserIfNotExists: document.querySelector("#boolCreateUserIfNotExists"),
-                    JellyfinUrl: document.querySelector("#txtJellyfinUrl"),
+                    AutheliaServer: document.querySelector("#AutheliaServer"),
+                    AutheliaRootCa: document.querySelector("#AutheliaRootCa"),
+                    CreateUserIfNotExists: document.querySelector("#CreateUserIfNotExists"),
+                    AutheliaAdminGroup: document.querySelector("#AutheliaAdminGroup"),
+                    JellyfinUrl: document.querySelector("#JellyfinUrl"),
                 };
 
                 document.querySelector(".esqConfigurationPage").addEventListener("pageshow", function () {
                     window.ApiClient.getPluginConfiguration(AutheliaConfigurationPage.pluginUniqueId).then(function (config) {
                         AutheliaConfigurationPage.AutheliaServer.value = config.AutheliaServer;
                         AutheliaConfigurationPage.AutheliaRootCa.value = config.AutheliaRootCa;
                         AutheliaConfigurationPage.CreateUserIfNotExists.checked = config.CreateUserIfNotExists;
+                        AutheliaConfigurationPage.AutheliaAdminGroup.value = config.AutheliaAdminGroup;
                         AutheliaConfigurationPage.JellyfinUrl.value = config.JellyfinUrl;
 
                         AutheliaConfigurationPage.AutheliaRootCa.placeholder = AutheliaConfigurationPage.AutheliaRootCa.placeholder.replace(/\\n/g, "\n");
@@ -145,13 +163,12 @@ <h2 class="sectionTitle">Authelia Settings:</h2>
                     e.preventDefault();
                     Dashboard.showLoadingMsg();
 
-                    console.log("calling api????");
                     window.ApiClient.getPluginConfiguration(AutheliaConfigurationPage.pluginUniqueId).then(function (config) {
                         config.AutheliaServer = AutheliaConfigurationPage.AutheliaServer.value;
                         config.AutheliaRootCa = AutheliaConfigurationPage.AutheliaRootCa.value;
                         config.CreateUserIfNotExists = AutheliaConfigurationPage.CreateUserIfNotExists.checked;
+                        config.AutheliaAdminGroup = AutheliaConfigurationPage.AutheliaAdminGroup.value;
                         config.JellyfinUrl = AutheliaConfigurationPage.JellyfinUrl.value;
-                        console.log("????");
                         window.ApiClient.updatePluginConfiguration(AutheliaConfigurationPage.pluginUniqueId, config).then(Dashboard.processPluginConfigurationUpdateResult);
                     });
 
diff --git a/build.yaml b/build.yaml
@@ -15,9 +15,8 @@ category: "Authentication"
 artifacts:
   - "Authelia-Auth.dll"
 changelog: |2-
-  ### Fixed
-  - Latest version didn't work with Jellyfin 10.8.0 
-
   ### Added
-  - A new configuration param for a custom root CA certificate
-  - A new configuration param to enable/disable user creation on login
+  - Added a new field to manage Jellyfin administrator privilege for users authorized with this plugin
+
+  ### Changed
+  - Simplified authentication by 1 HTTP call, extracting full name from `Remote-Name` header instead of an additional call to `/api/user/info`

Original file line number	Diff line number	Diff line change
`@@ -9,12 +9,14 @@ public class AuthenticatorTests`
`9`	`9`	`[Fact(Skip = "skip")]`
`10`	`10`	`public async void AuthenticatorTest()`
`11`	`11`	`{`
`12`		`- var config = new PluginConfiguration();`
`13`		`- config.JellyfinUrl = "http://jellyfin";`
`14`		`- config.AutheliaServer = "http://authelia";`
	`12`	`+ var config = new PluginConfiguration`
	`13`	`+ {`
	`14`	`+ JellyfinUrl = "http://jellyfin",`
	`15`	`+ AutheliaServer = "http://authelia"`
	`16`	`+ };`
`15`	`17`
`16`	`18`	`var authenticator = new Authenticator();`
`17`	`19`	`var result = await authenticator.Authenticate(config, "test", "test");`
`18`		`- Assert.Equal("test", result.DisplayName);`
	`20`	`+ Assert.Equal("test", result.AuthenticationResult.DisplayName);`
`19`	`21`	`}`
`20`	`22`	`}`