github ZL154/JellyfinSecurity v2.4.10.1

latest releases: v2.5.19, v2.5.18, v2.5.17...
pre-releaseone month ago

v2.4.10.1 — Diagnostic pre-release for issue #35 (do NOT auto-deploy)

This release is NOT in the public plugin catalog. It's a targeted diagnostic + speculative-fix build for issue #35 only. The current stable is v2.4.10 — auto-updating servers will stay on that. Only install this manually if you're affected by the stuck-on-login bug.

Why this exists

v2.4.10's case-insensitive LooksLikeAuthResponse widening didn't resolve @FsxShader2012's case — his v2.4.10 logs showed all three substring flags still False even with OrdinalIgnoreCase. That rules out the camelCase hypothesis. The body is something else: most likely gzip-compressed before our middleware reads the buffer (binary bytes contain no JSON substrings), but could also be wrapped JSON, snake_case, or HTML.

What v2.4.10.1 tries

1. Speculative fix — suppress auth-path response compression

The middleware now rewrites the request's Accept-Encoding header to identity before invoking the inner pipeline. Any downstream response-compression middleware (ASP.NET's ResponseCompression, Jellyfin-internal gzip, anything else) will skip compressing this specific response. Our middleware then sees plain JSON in the buffer, the existing substring check matches, and the 2FA challenge UI shows as expected. Scoped to auth paths only; auth response grows from ~600 bytes gzipped → ~2000 bytes plain (negligible).

2. Expanded diagnostic — if the fix doesn't apply, surface what the body actually IS

If the response still doesn't look like a Jellyfin auth response, the Info-level log line now also includes:

  • First 8 bytes of body as hex1f 8b = gzip, 78 9c = zlib, 3c = HTML <, 7b = JSON {
  • First 100 chars of body as text — Jellyfin auth response has AccessToken further into the JSON, so first 100 chars show shape without leaking credentials. Binary noise itself is diagnostic
  • Content-Encoding response header — direct evidence of gzip/br/deflate
  • Full Content-Type header — was abridged to a substring check before

Also switched the log's substring flags to OrdinalIgnoreCase to match what LooksLikeAuthResponse actually evaluates, so "Has AccessToken: False" is no longer ambiguous about casing.

Who should install this

Only people affected by issue #35 — primarily @FsxShader2012 or anyone hitting the same "2FA-enabled user stuck on login spinner" symptom on v2.4.10. If you're not in that thread, don't install this. v2.4.11 will ship the real fix once we have data back.

How to install

Download Jellyfin.Plugin.TwoFactorAuthv2.4.10.1.zip below, extract into your Jellyfin Security_2.4.10.0/TwoFactorAuth/ plugin folder (replacing the existing contents), restart Jellyfin.

172/172 tests pass. Build clean.

Don't miss a new JellyfinSecurity release

NewReleases is sending notifications on new releases.