v2.4.9 — Diagnostic pre-release (do NOT auto-deploy)
This release is NOT in the public plugin catalog. It's a diagnostic build for #35 only. The next stable release is v2.4.8 — auto-updating servers will stay on that until v2.4.10 ships with the real fix.
Purpose
Issue #35 reports a 2FA-enabled user stuck on the login spinner after submitting credentials. Logs show the request reaches [2FA] 2FA required for X — middleware will replace response with challenge, but the response isn't actually replaced — the browser gets a normal auth-success response with a token, then post-login API calls all 401 because the token is blocked.
That signature means TwoFactorEnforcementMiddleware bailed early on one of its response-shape gates (status, content-type, or LooksLikeAuthResponse body shape). Today the middleware silently bails — no Info-level log surfaces which gate failed.
What v2.4.9 adds
Two diagnostic log lines in TwoFactorEnforcementMiddleware:
- Information level when
LooksLikeAuthResponserejects (the most likely failure for #35). Logs only the substring-presence flags —Has "AccessToken",Has "User",Has "SessionInfo"— NOT the body itself (which contains AccessToken + PII). - Debug level when status or content-type causes a skip (would spam Info on legitimate non-200 auth failures like wrong password).
Who should install this
Only people affected by issue #35 — primarily @FsxShader2012. If you're not in that thread, do not install this. The next stable release (v2.4.10) will include the real fix once we have the diagnostic logs.
How to install
Download `Jellyfin.Plugin.TwoFactorAuthv2.4.9.0.zip` below, extract into your Jellyfin plugins folder (replacing the existing `Jellyfin Security_2.4.x.x/` folder contents), and restart Jellyfin.
166/166 tests pass. Build clean. No behavioral changes — just observability.