github ZL154/JellyfinSecurity v2.5.18

11 hours ago

v2.5.18 — Recovery codes on the verify screen, accurate security score, tidier SSO hint

In-place upgrade from any 2.5.x — no schema or data migration, no config changes required. Supports Jellyfin 10.11.x (10.11.9+). Sigstore-signed + SLSA build-provenance attested.

Fixed

  • Recovery codes are now offered on the "verify your identity" 2FA screen. When an already-signed-in session is asked to confirm 2FA, the challenge page now shows a Recovery tab (alongside Authenticator / Email) whenever the account has unused recovery codes — so a user who's lost their authenticator can fall back to a recovery code mid-session. Previously that tab only appeared during an emergency lockout, even though the full login portal always offered "Use a recovery code instead"; the two are now consistent.
  • Security-posture score no longer counts deleted users. The "2FA coverage" factor divided by every stored 2FA record, including leftovers from deleted accounts — so the score was capped (e.g. "10 / 30 — enroll 8 users" when every current user was already enrolled). It now counts live Jellyfin users only, so coverage reflects reality. Anyone who's ever removed a user was seeing an artificially low score.
  • SSO redirect-URI hint renders correctly. On the Sign-in Methods tab, the OIDC callback-URL hint (/TwoFactorAuth/Oidc/Callback/<providerId>) showed its raw <code> markup as literal text instead of a formatted code snippet. It now renders properly in all eight languages (via an opt-in HTML-translation path in the i18n loader).
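
One way an opt-in HTML-translation path like the one in the SSO hint fix can stay safe against markup in translation files, shown as an added example that is not JellyfinSecurity's code. The function names, catalog keys, and strings are assumptions constructed for illustration; only the callback path comes from the release note.

```javascript
// Added illustration; not the plugin's i18n loader. All names are hypothetical.
const ALLOWED_TAGS = new Set(['code']); // bare inline tags a translation may use

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Escape everything first, then restore only allow-listed tags without attributes.
function renderHtmlTranslation(text) {
  return escapeHtml(text).replace(/&lt;(\/?)([a-z]+)&gt;/g, (match, slash, tag) =>
    ALLOWED_TAGS.has(tag) ? `<${slash}${tag}>` : match);
}

// Returns markup that is safe to assign to innerHTML.
// A key gets the HTML path only if it is listed in htmlKeys (the opt-in).
function translate(catalog, key, htmlKeys = new Set()) {
  const value = catalog[key] ?? key;
  return htmlKeys.has(key) ? renderHtmlTranslation(value) : escapeHtml(value);
}

// Constructed sample catalog; key names and wording are made up.
const sampleCatalog = {
  'sso.redirectHint':
    'Redirect URI: <code>/TwoFactorAuth/Oidc/Callback/<providerId></code>',
  'sso.providerName': 'Provider <b>name</b>',
  'sso.tampered': '<script>x()</script> in <code>hint</code>',
};
const HTML_KEYS = new Set(['sso.redirectHint', 'sso.tampered']);

// Default path: the <code> markup shows up as literal text.
console.log(translate(sampleCatalog, 'sso.redirectHint'));
// Opt-in path: <code> is rendered, the <providerId> placeholder stays escaped.
console.log(translate(sampleCatalog, 'sso.redirectHint', HTML_KEYS));
// Opt-in path with a tampered string: only <code> survives as markup.
console.log(translate(sampleCatalog, 'sso.tampered', HTML_KEYS));
```

The `<providerId>` placeholder is the case to check when reviewing such a path: it must stay escaped even inside an HTML-enabled string, otherwise the browser parses it as an unknown element and the placeholder vanishes from the hint.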

Notes

Screenshots of the admin dashboard, login, 2FA enrollment, and audit log are now in the README and on the wiki Screenshots page.
