From b944b8f8c54963f61eee5eeb97cd1745ae42ac50 Mon Sep 17 00:00:00 2001
From: crobibero <cody@robibe.ro>
Date: Mon, 1 Jun 2020 11:03:08 -0600
Subject: [PATCH 1/3] Enable CORS and Authentication.

---
 .../ApiServiceCollectionExtensions.cs         |  8 ++++-
 Jellyfin.Server/Models/ServerCorsPolicy.cs    | 30 +++++++++++++++++++
 Jellyfin.Server/Startup.cs                    |  4 ++-
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 Jellyfin.Server/Models/ServerCorsPolicy.cs

diff --git a/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs b/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
index 344ef6a5ff..239c71503a 100644
--- a/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
+++ b/Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs
@@ -11,6 +11,7 @@ using Jellyfin.Api.Auth.RequiresElevationPolicy;
 using Jellyfin.Api.Constants;
 using Jellyfin.Api.Controllers;
 using Jellyfin.Server.Formatters;
+using Jellyfin.Server.Models;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.Extensions.DependencyInjection;
@@ -71,7 +72,12 @@ namespace Jellyfin.Server.Extensions
         /// <returns>The MVC builder.</returns>
         public static IMvcBuilder AddJellyfinApi(this IServiceCollection serviceCollection, string baseUrl)
         {
-            return serviceCollection.AddMvc(opts =>
+            return serviceCollection
+                .AddCors(options =>
+                {
+                    options.AddPolicy(ServerCorsPolicy.DefaultPolicyName, ServerCorsPolicy.DefaultPolicy);
+                })
+                .AddMvc(opts =>
                 {
                     opts.UseGeneralRoutePrefix(baseUrl);
                     opts.OutputFormatters.Insert(0, new CamelCaseJsonProfileFormatter());
diff --git a/Jellyfin.Server/Models/ServerCorsPolicy.cs b/Jellyfin.Server/Models/ServerCorsPolicy.cs
new file mode 100644
index 0000000000..ae010c042e
--- /dev/null
+++ b/Jellyfin.Server/Models/ServerCorsPolicy.cs
@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Cors.Infrastructure;
+
+namespace Jellyfin.Server.Models
+{
+    /// <summary>
+    /// Server Cors Policy.
+    /// </summary>
+    public static class ServerCorsPolicy
+    {
+        /// <summary>
+        /// Default policy name.
+        /// </summary>
+        public const string DefaultPolicyName = "DefaultCorsPolicy";
+
+        /// <summary>
+        /// Default Policy. Allow Everything.
+        /// </summary>
+        public static readonly CorsPolicy DefaultPolicy = new CorsPolicy
+        {
+            // Allow any origin
+            Origins = { "*" },
+
+            // Allow any method
+            Methods = { "*" },
+
+            // Allow any header
+            Headers = { "*" }
+        };
+    }
+}
\ No newline at end of file
diff --git a/Jellyfin.Server/Startup.cs b/Jellyfin.Server/Startup.cs
index 7c49afbfc6..bd2887e4a0 100644
--- a/Jellyfin.Server/Startup.cs
+++ b/Jellyfin.Server/Startup.cs
@@ -1,5 +1,6 @@
 using Jellyfin.Server.Extensions;
 using Jellyfin.Server.Middleware;
+using Jellyfin.Server.Models;
 using MediaBrowser.Controller;
 using MediaBrowser.Controller.Configuration;
 using Microsoft.AspNetCore.Builder;
@@ -68,9 +69,10 @@ namespace Jellyfin.Server
             // TODO app.UseMiddleware<WebSocketMiddleware>();
             app.Use(serverApplicationHost.ExecuteWebsocketHandlerAsync);
 
-            // TODO use when old API is removed: app.UseAuthentication();
+            app.UseAuthentication();
             app.UseJellyfinApiSwagger(_serverConfigurationManager);
             app.UseRouting();
+            app.UseCors(ServerCorsPolicy.DefaultPolicyName);
             app.UseAuthorization();
             app.UseEndpoints(endpoints =>
             {

From e30a85025f3d0f8b936827613239da7c2c2387c2 Mon Sep 17 00:00:00 2001
From: crobibero <cody@robibe.ro>
Date: Mon, 1 Jun 2020 12:42:59 -0600
Subject: [PATCH 2/3] Remove log spam when using legacy api

---
 .../HttpServer/Security/AuthService.cs                |  6 ++++++
 Jellyfin.Api/Auth/CustomAuthenticationHandler.cs      | 11 +++++++++--
 MediaBrowser.Controller/Net/AuthenticatedAttribute.cs |  4 ++++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthService.cs b/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
index 58421aaf19..18bea59ad5 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
@@ -146,11 +146,17 @@ namespace Emby.Server.Implementations.HttpServer.Security
             {
                 return true;
             }
+
             if (authAttribtues.AllowLocalOnly && request.IsLocal)
             {
                 return true;
             }
 
+            if (authAttribtues.IgnoreLegacyAuth)
+            {
+                return true;
+            }
+
             return false;
         }
 
diff --git a/Jellyfin.Api/Auth/CustomAuthenticationHandler.cs b/Jellyfin.Api/Auth/CustomAuthenticationHandler.cs
index 26f7d9d2dd..a0c9c3f5aa 100644
--- a/Jellyfin.Api/Auth/CustomAuthenticationHandler.cs
+++ b/Jellyfin.Api/Auth/CustomAuthenticationHandler.cs
@@ -37,13 +37,20 @@ namespace Jellyfin.Api.Auth
         /// <inheritdoc />
         protected override Task<AuthenticateResult> HandleAuthenticateAsync()
         {
-            var authenticatedAttribute = new AuthenticatedAttribute();
+            var authenticatedAttribute = new AuthenticatedAttribute
+            {
+                IgnoreLegacyAuth = true
+            };
+
             try
             {
                 var user = _authService.Authenticate(Request, authenticatedAttribute);
                 if (user == null)
                 {
-                    return Task.FromResult(AuthenticateResult.Fail("Invalid user"));
+                    return Task.FromResult(AuthenticateResult.NoResult());
+                    // TODO return when legacy API is removed.
+                    // Don't spam the log with "Invalid User"
+                    // return Task.FromResult(AuthenticateResult.Fail("Invalid user"));
                 }
 
                 var claims = new[]
diff --git a/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs b/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs
index 29fb81e32a..9f2743ea18 100644
--- a/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs
+++ b/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs
@@ -52,6 +52,8 @@ namespace MediaBrowser.Controller.Net
             return (Roles ?? string.Empty).Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
         }
 
+        public bool IgnoreLegacyAuth { get; set; }
+        
         public bool AllowLocalOnly { get; set; }
     }
 
@@ -63,5 +65,7 @@ namespace MediaBrowser.Controller.Net
         bool AllowLocalOnly { get; }
 
         string[] GetRoles();
+        
+        bool IgnoreLegacyAuth { get; }
     }
 }

From 2476848dd3d69252c5bc8b45a4eddf545354a0c0 Mon Sep 17 00:00:00 2001
From: crobibero <cody@robibe.ro>
Date: Tue, 2 Jun 2020 10:12:55 -0600
Subject: [PATCH 3/3] Fix tests

---
 .../Auth/CustomAuthenticationHandlerTests.cs                  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tests/Jellyfin.Api.Tests/Auth/CustomAuthenticationHandlerTests.cs b/tests/Jellyfin.Api.Tests/Auth/CustomAuthenticationHandlerTests.cs
index 3b3d03c8b7..437dfa410b 100644
--- a/tests/Jellyfin.Api.Tests/Auth/CustomAuthenticationHandlerTests.cs
+++ b/tests/Jellyfin.Api.Tests/Auth/CustomAuthenticationHandlerTests.cs
@@ -88,7 +88,9 @@ namespace Jellyfin.Api.Tests.Auth
             var authenticateResult = await _sut.AuthenticateAsync();
 
             Assert.False(authenticateResult.Succeeded);
-            Assert.Equal("Invalid user", authenticateResult.Failure.Message);
+            Assert.True(authenticateResult.None);
+            // TODO return when legacy API is removed.
+            // Assert.Equal("Invalid user", authenticateResult.Failure.Message);
         }
 
         [Fact]