
Merge pull request #14950 from nielsvanvelzen/security-remove-has-password

Deprecate HasPassword property on UserDto
Niels van Velzen 1 week ago
parent
commit
19c232809e

+ 1 - 5
Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs

@@ -59,7 +59,7 @@ namespace Jellyfin.Server.Implementations.Users
             }
 
             // As long as jellyfin supports password-less users, we need this little block here to accommodate
-            if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))
+            if (string.IsNullOrEmpty(resolvedUser.Password) && string.IsNullOrEmpty(password))
             {
                 return Task.FromResult(new ProviderAuthenticationResult
                 {
@@ -93,10 +93,6 @@ namespace Jellyfin.Server.Implementations.Users
             });
         }
 
-        /// <inheritdoc />
-        public bool HasPassword(User user)
-            => !string.IsNullOrEmpty(user?.Password);
-
         /// <inheritdoc />
         public Task ChangePassword(User user, string newPassword)
         {
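Review bot: The new condition in the first hunk (new line 62) dereferences `resolvedUser.Password` directly, whereas the removed `HasPassword` helper read `user?.Password` and tolerated a null user. The enclosing method starts above the hunk, so it is not visible whether `resolvedUser` is already rejected when null; if it is not, a failed user lookup now surfaces as a `NullReferenceException` on the login path instead of an authentication failure. An explicit null rejection before this line is preferable to restoring `?.`, because a null-tolerant check would let a missing user with an empty password fall into the password-less success branch. The existing comment is also cut short and could be completed, for example `// Password-less users are still supported: accept the login only when both the stored and the supplied password are empty.`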

+ 0 - 6
Jellyfin.Server.Implementations/Users/InvalidAuthProvider.cs

@@ -21,12 +21,6 @@ namespace Jellyfin.Server.Implementations.Users
             throw new AuthenticationException("User Account cannot login with this provider. The Normal provider for this user cannot be found");
         }
 
-        /// <inheritdoc />
-        public bool HasPassword(User user)
-        {
-            return true;
-        }
-
         /// <inheritdoc />
         public Task ChangePassword(User user, string newPassword)
         {

+ 0 - 3
Jellyfin.Server.Implementations/Users/UserManager.cs

@@ -306,15 +306,12 @@ namespace Jellyfin.Server.Implementations.Users
         /// <inheritdoc/>
         public UserDto GetUserDto(User user, string? remoteEndPoint = null)
         {
-            var hasPassword = GetAuthenticationProvider(user).HasPassword(user);
             var castReceiverApplications = _serverConfigurationManager.Configuration.CastReceiverApplications;
             return new UserDto
             {
                 Name = user.Username,
                 Id = user.Id,
                 ServerId = _appHost.SystemId,
-                HasPassword = hasPassword,
-                HasConfiguredPassword = hasPassword,
                 EnableAutoLogin = user.EnableAutoLogin,
                 LastLoginDate = user.LastLoginDate,
                 LastActivityDate = user.LastActivityDate,

+ 0 - 2
MediaBrowser.Controller/Authentication/IAuthenticationProvider.cs

@@ -14,8 +14,6 @@ namespace MediaBrowser.Controller.Authentication
 
         Task<ProviderAuthenticationResult> Authenticate(string username, string password);
 
-        bool HasPassword(User user);
-
         Task ChangePassword(User user, string newPassword);
     }
 

+ 6 - 3
MediaBrowser.Model/Dto/UserDto.cs

@@ -1,5 +1,6 @@
 #nullable disable
 using System;
+using System.ComponentModel;
 using MediaBrowser.Model.Configuration;
 using MediaBrowser.Model.Users;
 
@@ -54,20 +55,22 @@ namespace MediaBrowser.Model.Dto
         /// Gets or sets a value indicating whether this instance has password.
         /// </summary>
         /// <value><c>true</c> if this instance has password; otherwise, <c>false</c>.</value>
-        public bool HasPassword { get; set; }
+        [Obsolete("This information is no longer provided")]
+        public bool? HasPassword { get; set; } = true;
 
         /// <summary>
         /// Gets or sets a value indicating whether this instance has configured password.
         /// </summary>
         /// <value><c>true</c> if this instance has configured password; otherwise, <c>false</c>.</value>
-        public bool HasConfiguredPassword { get; set; }
+        [Obsolete("This is always true")]
+        public bool? HasConfiguredPassword { get; set; } = true;
 
         /// <summary>
         /// Gets or sets a value indicating whether this instance has configured easy password.
         /// </summary>
         /// <value><c>true</c> if this instance has configured easy password; otherwise, <c>false</c>.</value>
         [Obsolete("Easy Password has been replaced with Quick Connect")]
-        public bool HasConfiguredEasyPassword { get; set; }
+        public bool? HasConfiguredEasyPassword { get; set; } = false;
 
         /// <summary>
         /// Gets or sets whether async login is enabled or not.
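Review bot: The XML docs on `HasPassword` and `HasConfiguredPassword` still promise `true` if the instance has a password and `false` otherwise, but after this change the server never sets them and they serialize with the fixed default `true`. The `<value>` text should say so, for example `/// <value>Always <c>true</c>; kept for client compatibility and no longer reflects whether a password is set.</value>`, so that client authors stop using the field to decide whether a password prompt is needed. The setters remain public and the type became `bool?`, so it may be worth noting in the same comment that server code must not populate the real state again. No test visible in this commit pins that the serialized value is identical for users with and without a password; the test file only loses assertions. The added `using System.ComponentModel;` is not used by any line shown in these hunks, so confirm it is needed.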

+ 0 - 15
tests/Jellyfin.Server.Integration.Tests/Controllers/UserControllerTests.cs

@@ -61,7 +61,6 @@ namespace Jellyfin.Server.Integration.Tests.Controllers
             var users = await response.Content.ReadFromJsonAsync<UserDto[]>(_jsonOptions);
             Assert.NotNull(users);
             Assert.Single(users);
-            Assert.False(users![0].HasConfiguredPassword);
         }
 
         [Fact]
@@ -92,8 +91,6 @@ namespace Jellyfin.Server.Integration.Tests.Controllers
             Assert.Equal(HttpStatusCode.OK, response.StatusCode);
             var user = await response.Content.ReadFromJsonAsync<UserDto>(_jsonOptions);
             Assert.Equal(TestUsername, user!.Name);
-            Assert.False(user.HasPassword);
-            Assert.False(user.HasConfiguredPassword);
 
             _testUserId = user.Id;
 
@@ -149,12 +146,6 @@ namespace Jellyfin.Server.Integration.Tests.Controllers
 
             using var response = await UpdateUserPassword(client, _testUserId, createRequest);
             Assert.Equal(HttpStatusCode.NoContent, response.StatusCode);
-
-            var users = await JsonSerializer.DeserializeAsync<UserDto[]>(
-                await client.GetStreamAsync("Users"), _jsonOptions);
-            var user = users!.First(x => x.Id.Equals(_testUserId));
-            Assert.True(user.HasPassword);
-            Assert.True(user.HasConfiguredPassword);
         }
 
         [Fact]
@@ -172,12 +163,6 @@ namespace Jellyfin.Server.Integration.Tests.Controllers
 
             using var response = await UpdateUserPassword(client, _testUserId, createRequest);
             Assert.Equal(HttpStatusCode.NoContent, response.StatusCode);
-
-            var users = await JsonSerializer.DeserializeAsync<UserDto[]>(
-                await client.GetStreamAsync("Users"), _jsonOptions);
-            var user = users!.First(x => x.Id.Equals(_testUserId));
-            Assert.False(user.HasPassword);
-            Assert.False(user.HasConfiguredPassword);
         }
     }
 }