2023-07-19, 04:02 PM
First, I'm thrilled to have discovered the Jellyfin project. I'm embarrassed to be so late to the party: I've been plodding away on Plex for years and didn't know there was life outside... but as Plex has lost their way I realized I needed to find something else. And I couldn't be more happy with Jellyfin so far!
My question: Why can't I let my users create their own accounts and then me as admin approve them?
To be clear: I DO NOT want just anyone on the internet to be able to access my server. My audience is about 15 people, family members and a few friends. So I get the idea that it's safer to have the admin create and distribute accounts. However, I don't like the idea of emailing passwords to people. And even if I tell them to do so, I can't assume that they'll all be diligent enough to reset their passwords when I send it to them. Some thoughts/questions/suggestions:
Super excited about the project. Thanks in advance for any input!
My question: Why can't I let my users create their own accounts and then me as admin approve them?
To be clear: I DO NOT want just anyone on the internet to be able to access my server. My audience is about 15 people, family members and a few friends. So I get the idea that it's safer to have the admin create and distribute accounts. However, I don't like the idea of emailing passwords to people. And even if I tell them to do so, I can't assume that they'll all be diligent enough to reset their passwords when I send it to them. Some thoughts/questions/suggestions:
- Have there been thoughts on creating some sort of option on the Create User screen like "force user to reset password on next login?" That way I can email my brother a password, but then he HAS to change it and I don't worry about someone else reading his unsecured email. And I don't have to talk to him (he's a chowderhead).
- The whole forgot password process - can it not be self-serve? I realize that accounts don't currently store or verify user email addresses. But has that been explored? That would enable a more standard self-serve forgot password process that wouldn't require admin intervention. Then I could at least create accounts for my users with some bogus password. I would email them their usernames but NOT the password, and tell them to click the Forgot Password link to set their own password. But as it stands right now it looks like if I told them to do it now I'd then have to look up their new password on the server and email it to them anyway.
- Roll my own login interface - I am NOT a "real" developer, but certainly like to tinker/learn. So the following thought process occurs to me and I wonder if anyone has already gone down this path: I have my jellyfin instance set up as a subdomain (jellyfin.example.com) of a parent domain I own (example.com). I already have user account functionality on the parent site at example.com - people can create accounts, reset their own passwords, I can grant access to roles, etc. - traditional stuff, asp.net core, entity framework, identity, etc). I see there's "create user" functionality in the jellyfin API... what if I have people create user accounts on my website (the parent domain). Then, if they're a user I want to have access to my jellyfin instance, I could grant then access to some role I create like "jellyfinuser." Then have my code hit the jellyfin API to create a jellyfin account, password, etc. and link it to my the parent account at example.com. It seems like the happy path could work, but I imagine it could also create a lot of confusion between where to sign in, different accounts, sync issues, etc. It'd be like SSO without any of the benefits of SSO! Would love any thoughts from folks who may have done something similar or at least a glass of cold water to my face telling me "don't do this, there is a better way..."
Super excited about the project. Thanks in advance for any input!