2025-02-17, 02:09 AM
(This post was last modified: 2025-02-17, 02:56 PM by TheDreadPirate. Edited 1 time in total.)
Just something I stumbled on today...
If I click the 3 dots next to a song, TV show, etc., and use the Copy Stream URL option and then paste it into an incognito browser, it downloads the file without me having to authenticate. My expectation is that the file would be blocked or I would at least get a login page.
Here is a typical URL: http://{IP - Censored by TDP}:8096/Items/7dfe409daf79f5b4815786ac9e0a5898/Download?api_key={API_KEY - Censored by TDP} (This is not a valid URL. Just an example.)
If I mess with the Items key, I get the correct error returned via JSON.
If I mess with the api_key, it returns a 401 error in the console.
It seems like the api_key is not necessarily checking for a valid session before sending the file?
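Added example, not part of the original post and not Jellyfin code: the copied URL carries the api_key in its query string and, as the post describes, that URL alone is enough to fetch the file, so the key should be stripped before such a URL is pasted into a forum post or kept in a shared log. The helper below redacts that parameter; the function names, host names, item ids and keys in the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as credentials. "api_key" is the one shown in the
# post; names are compared case-insensitively.
SECRET_PARAMS = {"api_key"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def redact_url(url, placeholder="REDACTED"):
    """Return (clean_url, found) with secret query values replaced."""
    parts = urlsplit(url)
    found = False
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            found = True
            value = placeholder
        pairs.append((name, value))
    if not found:
        return url, False  # leave untouched URLs byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), True

def scrub_text(text):
    """Redact every URL found in free text; return (clean_text, urls_redacted)."""
    count = 0
    def _sub(match):
        nonlocal count
        clean, found = redact_url(match.group(0))
        count += found
        return clean
    return URL_RE.sub(_sub, text), count

# Constructed sample log lines (assumed format, not real hosts, ids or keys).
SAMPLE = [
    '192.0.2.10 "GET http://media.example:8096/Items/0000aaaa/Download'
    '?api_key=EXAMPLEKEY123 HTTP/1.1" 200',
    '192.0.2.10 "GET http://media.example:8096/web/index.html?lang=en HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line in SAMPLE:
        clean, n = scrub_text(line)
        print(n, clean)
```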