From 6176777d0f55ec85293007fabbb1fa90a27a540d Mon Sep 17 00:00:00 2001
From: Josh Patra <joshpatra12@gmail.com>
Date: Fri, 30 Jan 2026 22:09:09 -0500
Subject: [PATCH] fix: forward client auth headers for login

---
 .../Services/Jellyfin/JellyfinProxyService.cs | 27 ++++++++++++++++---
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/allstarr/Services/Jellyfin/JellyfinProxyService.cs b/allstarr/Services/Jellyfin/JellyfinProxyService.cs
index 4cbeba3..308dfd3 100644
--- a/allstarr/Services/Jellyfin/JellyfinProxyService.cs
+++ b/allstarr/Services/Jellyfin/JellyfinProxyService.cs
@@ -297,8 +297,10 @@ public class JellyfinProxyService
         {
             if (header.Key.Equals("X-Emby-Authorization", StringComparison.OrdinalIgnoreCase))
             {
-                request.Headers.TryAddWithoutValidation("X-Emby-Authorization", header.Value.ToString());
+                var headerValue = header.Value.ToString();
+                request.Headers.TryAddWithoutValidation("X-Emby-Authorization", headerValue);
                 authHeaderAdded = true;
+                _logger.LogDebug("Forwarded X-Emby-Authorization from client");
                 break;
             }
         }
@@ -309,21 +311,38 @@ public class JellyfinProxyService
             {
                 if (header.Key.Equals("Authorization", StringComparison.OrdinalIgnoreCase))
                 {
-                    request.Headers.TryAddWithoutValidation("Authorization", header.Value.ToString());
+                    var headerValue = header.Value.ToString();
+                    
+                    // Check if it's MediaBrowser/Jellyfin format
+                    if (headerValue.Contains("MediaBrowser", StringComparison.OrdinalIgnoreCase) || 
+                        headerValue.Contains("Client=", StringComparison.OrdinalIgnoreCase))
+                    {
+                        // Forward as X-Emby-Authorization
+                        request.Headers.TryAddWithoutValidation("X-Emby-Authorization", headerValue);
+                        _logger.LogDebug("Converted Authorization to X-Emby-Authorization");
+                    }
+                    else
+                    {
+                        // Standard Bearer token
+                        request.Headers.TryAddWithoutValidation("Authorization", headerValue);
+                        _logger.LogDebug("Forwarded Authorization header");
+                    }
                     authHeaderAdded = true;
                     break;
                 }
             }
         }
         
-        // For login requests without auth headers, provide a minimal client auth header
-        if (!authHeaderAdded)
+        // For non-auth requests without headers, use API key
+        // For auth requests, client MUST provide their own client info
+        if (!authHeaderAdded && !endpoint.Contains("Authenticate", StringComparison.OrdinalIgnoreCase))
         {
             var clientAuthHeader = $"MediaBrowser Client=\"{_settings.ClientName}\", " +
                                    $"Device=\"{_settings.DeviceName}\", " +
                                    $"DeviceId=\"{_settings.DeviceId}\", " +
                                    $"Version=\"{_settings.ClientVersion}\"";
             request.Headers.TryAddWithoutValidation("X-Emby-Authorization", clientAuthHeader);
+            _logger.LogDebug("Using server API key for non-auth request");
         }
         
         request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));