Is quick start supposed to launch every time you access Jellyfin from a new browser?

[Dorca]

Greetings!

I'll start by saying Jellyfin is my first big personal tech project, and I've been having a blast with it. It's been awesome for doing movie nights with my friends on the other side of the country that I can't hang out with in person anymore. However, it's come to my attention that any time I share the server with a friend, it takes them directly to quick start where they can make an admin account. I already have accounts made up for the people that I share it with, and I don't want them to have admin access. I don't see anything in the settings that would alter that functionality. After they access it for the first time, it works as intended. This is also concerning to me though, because it means that anyone who could theoretically stumble across my IP could get admin access without me knowing anything about it.

If it makes a difference, I am using caddy for a reverse proxy with a duckdns subdomain.

[TheDreadPirate]

Can you describe your setup more? What OS? What install method for Jellyfin did you use?

And can you share your jellyfin logs via pastebin.

[Dorca]

Nevermind, I got it worked out. It seems to have something to do with having it set up so that all of the accounts have a manual login and don't show up at the login screen. Once I changed that, everything worked correctly. Sorry to waste your time with it!

[JaggedJax]

I have this problem too. I had no idea my JellyFin server was wide open for anyone to setup admin access to! It is weird that this is allowed.

I already have my admin user setup and this issue started happening when I added additional users. Accessing the Jellyfin URL when not logged in was showing the setup wizard!

Disabling the "Hide this user from login screens" option for all users did not fix the issue for me. This must be a security bug, there's no way it should be letting anyone take over my server. It's like some internal "Server Setup" flag isn't properly set so the server is still trying to perform the Wizard again.


OS: Ubuntu Linux
Install method: Debian repo
Logs: Not showing anything other than video play content. Nothing login or app related at all.

Wizard shown when accessing Jellyfin from web browser while logged out (even though this is a fully setup server!)

Clicking Next shows an admin user setup screen!!!

But I am already an admin and have already setup a second user.

[JaggedJax]

UPDATE:
I found that in /etc/jellyfin/system.xml the IsStartupWizardCompleted value was set to false. I have no clue how that got reset and it is scary that can happen and open the server wide up. It feels like there should be more protections against that. Could some update have caused it? Or maybe there was an error on the initial setup and it never was properly set? Maybe there should be a big warning in the admin page if that's still false with a way to mark it as completed?

[0konomiyaki]

Made an account just to note that I found the same with IsStartupWizardCompleted being set to false. Was very confused when this started happening.

[M B]

I have the same issue, but my biggest concern is that even if IsStartupWizardCompleted is set to true, I can still open wizard http://server:8097/web/#/wizardstart.html and reset the admin passwords any time.
I think it is a very big security issue.

[I-G-1-1]

If I manually open the wizard with the link http://server:8096/web/#/wizardstart.html I get a rotating circle and I cannot select any language or click to go ahead to reset anything. Seems secure to me.

[theguymadmax]

I have the same issue, but my biggest concern is that even if IsStartupWizardCompleted is set to true, I can still open wizard http://server:8097/web/#/wizardstart.html and reset the admin passwords any time.
I think it is a very big security issue.

That's because you are you'll re-logging in from a browser that remembers a session with the admin account. This topic has already been brought up and debunked by the Dev team. https://github.com/jellyfin/jellyfin-web/issues/6486

[Efficient_Good_5784]

You can read through the github repo that @theguymadmax linked above to get a better understanding of this topic.

Yes you can access the startup wizard, but anyone that's not an admin will not be able to do anything with it. It will just endlessly load for non-admins.

As the last post in that github issue thread states, a fix has been merged that will prevent the startup wizard from ever loading if "IsStartupWizardCompleted" is set to true in the config files.
You will still be able to open it if it's set to false though.