-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue #358 - Plex Oauth #387
Conversation
src/lib/util/api.ts
Outdated
@@ -337,6 +338,16 @@ export async function unfollowUser(id: number) { | |||
}); | |||
} | |||
|
|||
// TODO |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hoping for some help specifically on this part, @IRHM. We need a server-unique but constant identifier here, and a way to fetch the current version. I was hoping you'd have thoughts on how this can be done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stephaje If the clientIdentifier must be unique for each selfhosted Watcharr instance, then I suppose we could generate one and place it in the watcharr.json config (similar to how we generate the JWT_SECRET in the config) when needed (when plex auth is enabled by an admin). If it only needs to be unique for Watcharr and doesn't matter if different instances share it, we could just hard code a string here.
We have a global variable defined in Vites config: __WATCHARR_VERSION__
which we use in the face menu, that might work for the version here. If it doesn't, I'm sure it doesn't matter if we just hard code that property at "1.0.0"
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(when plex auth is enabled by an admin)
I think it needs to be done immediately so that the admin can use oauth for their own log in. Then it can be disabled if they don't want to use it. The only concern I see here is the possibility that if OAuth breaks or goes down, the admin could be locked out of the account.
Maybe I should write it to support both a base login + associated Plex account?
Thanks for the code pointers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem @stephaje,
I guess thats just the downside of using Plex, if their servers go offline, theres not much you can do.
For now, maybe the first admin account should be a normal user, like it is currently. Then they can login via plex to make a new account and give it admin if they'd like.
Then hopefully in the future when we allow linking services to your account we can make this easier for admins.
The confusing part for allowing plex auth and normal auth as backup, is that usernames might not be unique for normal users and plex ones.
If first admin must be a normal user, at least the login can be saved for an emergency. (Then a plex one can be made and given admin if wanted).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm okay with that strategy. I'll take a look at updating it later today.
server/auth.go
Outdated
slog.Error("registerFirstPlexUser: Could not fetch Plex username", "error", err) | ||
return AuthResponse{}, errors.New("could not fetch plex username") | ||
} | ||
user := UserRegisterRequest{Username: username, Password: token.AuthToken, Type: PLEX_USER} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using the auth token as the password is just temporary. In the future, when pulling plex history, the token would need to be stored somewhere in plaintext, and the password should instead be a non-related random string. This works for the purposes of only supporting oauth log in, though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stephaje I'm a little confused, but could it work like jellyfin auth does? I assume every time the plex user wants to login, they would have to go through the same oauth procedure with plex.
If that will give us a token and some sort of unique identifier, we could store them in the third_party_id
and third_party_auth
fields. Then on each login, we just compare the users id we get from plex to our third_party_id
(if none exists, we can create them a user).
Then the password field can be left empty (like we do with jellyfin users), since we won't use it, and we will have the auth token stored for later use.
Edit: I noticed there's register and login with plex buttons, if we just have the login with plex button and create a user if they don't exist locally, that could work better (like mentioned above)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I can take a look at doing it that way instead. I wasn't sure if the API's were still protected w/o the password filled out and I didn't get to reading the code for it just yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's awesome, thanks @stephaje!
Yep as long as we only give the user their watcharr token after we authenticate them against plex (and locate/add them to our db) then we're all good
Hi @stephaje, thanks for working on this. Sorry I've had a busy week, will reply to the comments now. |
@IRHM The only comment I didn't accommodate was merging the login and register paths, just because I think it's better to keep the separate to more cleanly support when new signups are disabled. Everything else should be more in line with the jellyfin experience. I did separate the plex button from the other buttons because it makes more sense visually to not tie the plex button to the login and password fields, but feel free to tweak as desired. I also added color to the Jellyfin button, but feel free to revert or pick a more suitable color. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the great work @stephaje!
….0@2aeab7a by renovate (#19454) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/sbondco/watcharr](https://togithub.com/sbondCo/Watcharr) | minor | `v1.35.2` -> `v1.36.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>sbondCo/Watcharr (ghcr.io/sbondco/watcharr)</summary> ### [`v1.36.0`](https://togithub.com/sbondCo/Watcharr/releases/tag/v1.36.0) [Compare Source](https://togithub.com/sbondCo/Watcharr/compare/v1.35.2...v1.36.0) #### 🌚 New - Plex authentication by [@​stephaje](https://togithub.com/stephaje) in [sbondCo/Watcharr#387 and [@​IRHM](https://togithub.com/IRHM) in [sbondCo/Watcharr#402 - Plex sync by [@​IRHM](https://togithub.com/IRHM) and [@​stephaje](https://togithub.com/stephaje) in [sbondCo/Watcharr#413 #### 🔧 Fixed - Jobs: Fix getting job when id includes a slash (/) by [@​IRHM](https://togithub.com/IRHM) in [sbondCo/Watcharr#415 #### ⛰️ Maintenance - ui: bump vite from 5.1.3 to 5.1.6 by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#408 - ui: bump [@​sveltejs/kit](https://togithub.com/sveltejs/kit) from 2.5.0 to 2.5.3 by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#405 - ui: bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 7.0.2 to 7.2.0 by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#406 - server: bump github.com/golang-jwt/jwt/v5 from 5.2.0 to 5.2.1 in /server by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#404 - server: bump golang.org/x/crypto from 0.19.0 to 0.21.0 in /server by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#393 - ui: bump eslint from 8.56.0 to 8.57.0 by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#378 - server: bump github.com/gin-contrib/cors from 1.5.0 to 1.7.0 in /server by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#403 - ui: bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 7.0.2 to 7.2.0 by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#407 - ui: bump follow-redirects from 1.15.4 to 1.15.6 by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#412 - Bump follow-redirects from 1.15.5 to 1.15.6 in /doc by [@​dependabot](https://togithub.com/dependabot) in [sbondCo/Watcharr#414 #### 🆘 Getting Help If you need help, encounter an issue or find a bug please [create an issue](https://togithub.com/sbondCo/Watcharr/issues/new/choose) or [join our space on Matrix](https://matrix.to/#/#watcharr:matrix.org) for support. Always happy to help! **Package**: https://github.com/orgs/sbondCo/packages/container/watcharr/192128255?tag=v1.36.0 **Full Changelog**: sbondCo/Watcharr@v1.35.2...v1.36.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNTIuMCIsInVwZGF0ZWRJblZlciI6IjM3LjI1Mi4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
Changes made
Allow users to log in via Plex. Their username will be the same as their Plex username.
Some stuff to iron out, but just wanted to open this up for feedback/review.