v2.4.10.1 — Diagnostic pre-release for issue #35 (do NOT auto-deploy)
This release is NOT in the public plugin catalog. It's a targeted diagnostic + speculative-fix build for issue #35 only. The current stable is v2.4.10 — auto-updating servers will stay on that. Only install this manually if you're affected by the stuck-on-login bug.
Why this exists
v2.4.10's case-insensitive LooksLikeAuthResponse widening didn't resolve @FsxShader2012's case — his v2.4.10 logs showed all three substring flags still False even with OrdinalIgnoreCase. That rules out the camelCase hypothesis. The body is something else: most likely gzip-compressed before our middleware reads the buffer (binary bytes contain no JSON substrings), but could also be wrapped JSON, snake_case, or HTML.
What v2.4.10.1 tries
1. Speculative fix — suppress auth-path response compression
The middleware now rewrites the request's Accept-Encoding header to identity before invoking the inner pipeline. Any downstream response-compression middleware (ASP.NET's ResponseCompression, Jellyfin-internal gzip, anything else) will skip compressing this specific response. Our middleware then sees plain JSON in the buffer, the existing substring check matches, and the 2FA challenge UI shows as expected. Scoped to auth paths only; auth response grows from ~600 bytes gzipped → ~2000 bytes plain (negligible).
2. Expanded diagnostic — if the fix doesn't apply, surface what the body actually IS
If the response still doesn't look like a Jellyfin auth response, the Info-level log line now also includes:
- First 8 bytes of body as hex —
1f 8b= gzip,78 9c= zlib,3c= HTML<,7b= JSON{ - First 100 chars of body as text — Jellyfin auth response has AccessToken further into the JSON, so first 100 chars show shape without leaking credentials. Binary noise itself is diagnostic
Content-Encodingresponse header — direct evidence of gzip/br/deflate- Full
Content-Typeheader — was abridged to a substring check before
Also switched the log's substring flags to OrdinalIgnoreCase to match what LooksLikeAuthResponse actually evaluates, so "Has AccessToken: False" is no longer ambiguous about casing.
Who should install this
Only people affected by issue #35 — primarily @FsxShader2012 or anyone hitting the same "2FA-enabled user stuck on login spinner" symptom on v2.4.10. If you're not in that thread, don't install this. v2.4.11 will ship the real fix once we have data back.
How to install
Download Jellyfin.Plugin.TwoFactorAuthv2.4.10.1.zip below, extract into your Jellyfin Security_2.4.10.0/TwoFactorAuth/ plugin folder (replacing the existing contents), restart Jellyfin.
172/172 tests pass. Build clean.