github ZL154/JellyfinSecurity v2.5.17


v2.5.17 — App-password follow-up fixes, self-hosted ntfy, Keycloak roles & verified-email OIDC linking

In-place upgrade from any 2.5.x — no schema or data migration, no config changes required. Supports Jellyfin 10.11.x (10.11.9+). Sigstore-signed + SLSA build-provenance attested.

Fixed

  • App-password sessions on native clients no longer get blocked mid-use (#107, DarkJackal87). After v2.5.16 made the app-password login succeed, some native clients (e.g. Symfonium) still failed on the very next request ("Can't retrieve Media Info / Version") with a 403 "Two-factor authentication required". This happened when the client's device id on the follow-up request differed from the one on the login request, so the session wasn't recognised as already-verified. The app-password login now marks the resulting session as 2FA-satisfied regardless of that device-id mismatch, and that one-shot is consumed by exactly the session it was issued for so it can never carry over to an unrelated later login.
  • Self-hosted ntfy / Gotify / webhooks on a LAN address now deliver (#116, Arson31). A self-hosted ntfy behind a reverse proxy usually resolves to a private LAN IP (e.g. ntfy.mydomain.com → 192.168.x.x), which the SSRF egress guard refused — so the test notification (and every real one) was silently dropped with "resolves to private address … refusing to dispatch". A new "Allow notifications to private/LAN addresses" toggle (Settings → Push Notifications, off by default) lets you opt into private/loopback notification targets. Link-local and cloud-metadata addresses (169.254.x, fe80::) stay blocked even when it's on. The ntfy publish URL is also now built correctly as {server}/{topic} (the topic is a path segment, not a header), which some instances require.
  • OIDC verified-email account linking (#95a, chrisbehectik). A boolean email_verified: true in the id_token was being read as "unverified", so first-time OIDC sign-ins were not matched to an existing Jellyfin user by their verified email (leading to "no email account match" / a duplicate account). Verified-email matching now works regardless of how the IdP encodes the boolean.
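As an added illustration of the notification egress policy described in the ntfy item above (not the plugin's own code, which is C#), this Python sketch assumes the "Allow notifications to private/LAN addresses" toggle is a boolean and that the guard is applied to each address the target hostname resolves to:

```python
import ipaddress

# Ranges that stay blocked even when the private/LAN toggle is on. Assumption:
# these correspond to the link-local / cloud-metadata ranges the release notes name.
ALWAYS_BLOCKED = [
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local, includes 169.254.169.254 metadata
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]


def egress_decision(resolved_ip: str, allow_private: bool) -> tuple[bool, str]:
    """Decide whether a notification target that resolved to `resolved_ip` may be dispatched.

    Returns (allowed, reason). Link-local and metadata addresses are refused unconditionally;
    private and loopback addresses are refused unless the LAN toggle is on.
    """
    ip = ipaddress.ip_address(resolved_ip)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:192.168.1.5) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net in ALWAYS_BLOCKED:
        if ip in net:
            return False, f"{ip} is link-local/metadata; refusing to dispatch"
    if ip.is_private or ip.is_loopback:
        if allow_private:
            return True, f"{ip} is private/loopback; allowed by LAN toggle"
        return False, f"resolves to private address {ip}; refusing to dispatch"
    return True, f"{ip} is public"


def ntfy_publish_url(server: str, topic: str) -> str:
    """Build the ntfy publish URL as {server}/{topic}: the topic is a path segment, not a header."""
    return server.rstrip("/") + "/" + topic.strip("/")


if __name__ == "__main__":
    # Constructed sample: a self-hosted ntfy behind a reverse proxy resolving to a LAN IP.
    for ip, toggle in [("192.168.1.20", False), ("192.168.1.20", True), ("169.254.169.254", True)]:
        print(ip, toggle, egress_decision(ip, toggle))
    print(ntfy_publish_url("https://ntfy.mydomain.com/", "jellyfin-alerts"))
```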

Added

  • Keycloak realm/client roles now drive group rules and admin elevation (#95b, BoBeR182). Keycloak nests roles under realm_access.roles and resource_access.{client}.roles rather than a flat groups/roles claim, so "Allowed groups", "Admin groups", and role→library mapping previously matched nothing on Keycloak. These nested roles are now read from both the id_token and /userinfo. To use it on Keycloak, request the built-in roles scope on the provider and enable "Add to ID token" on the realm-roles mapper (Keycloak has no groups scope).

Translations

  • Added and translated the new "Allow notifications to private/LAN addresses" setting (label, badge, and help text) across all eight languages (en, de, es, fr, it, ja, pt, zh).

Thanks

Reports and detail from DarkJackal87, Arson31, chrisbehectik, and BoBeR182 — thank you. 🙏
