Call to get libraries being made via HTTP even in environments where only HTTPS is allowed

[Undeadllama]

Preface - Not sure if this was intentionally coded this way due to some Plex limitations I'm unaware of, however thought it was worth mentioning...

Essentially I'm running a full HTTPS stack where possible. Plex is configured for secure connections only and is externally accessible directly (not via a reverse proxy). The nginx box from where Pasta is served (mmm sounds tasty!) is configured for HTTPS only and redirects all HTTP calls to HTTPS automatically. (As a result presumably if Plex was being reverse proxied and Pasta was pointed towards the reverse proxy address this would actually work without a code change... but I digress).

Authentication works fine via PIN and I can see a list of Plex servers accessible to my account. The issue comes when selecting the Plex server from the list to load the libraries. I see no libraries loaded and the following error appears in Chrome console because an attempt was made to load content via HTTP rather than HTTPS:

jquery-3.4.1.min.js:2 Mixed Content: The page at 'https://******.com/pasta/#authentication' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://***.***.***.***:32900/library/sections/'. This request has been blocked; the content must be served over HTTPS.
send @ jquery-3.4.1.min.js:2
ajax @ jquery-3.4.1.min.js:2
connectToPlex @ main.js:364
chooseServer @ main.js:302
onclick @ (index):1
main.js:391 Trying to use http over a https site with PIN authentication

If I change the following line in main.js function "chooseServer" to make the request via HTTPS instead everything works great.

Before: plexUrl =http://${serverList[number].address}:${serverList[number].port};

After: plexUrl =https://${serverList[number].address}:${serverList[number].port};

function chooseServer(number, row) {
    $("#libraryTable tbody").empty();
    $("#tvShowsTable tbody").empty();
    $("#seasonsTable tbody").empty();
    $("#episodesTable tbody").empty();
    $("#audioTable tbody").empty();
    $("#subtitleTable tbody").empty();

    $(row).siblings().removeClass("table-active");
    $(row).addClass("table-active");

    plexToken = serverList[number].accessToken;
    plexUrl = `http://${serverList[number].address}:${serverList[number].port}`;
    connectToPlex();
}

[ukdtom]

https://github.com/WebTools-NG/WebTools-NG/blob/master/src/components/modules/General/plextv.js#L9

[ukdtom]

In above, server.connections are fetched from here: https://github.com/WebTools-NG/WebTools-NG/blob/master/src/store/modules/plextv.js#L48

[cglatot]

Thanks for all of this information, both of you. It's extremely helpful. I haven't had much time lately so this has been on the backburner, but the next thing I will be working on is overhauling the whole authentication mechanisms.

[ukdtom]

You can't use https://plex.tv/pms/servers.xml since that doesn't tell if it's https or plain http Ref: https://github.com/cglatot/pasta/blob/https-server-connections/js/main.js#L250

You need to call https://plex.tv/api/v2/resources?includeHttps=1 in order to get the protocol used

As I outlined here: https://github.com/cglatot/pasta/issues/25#issuecomment-703894136

Also note, that some servers might publish more than one public or privat address, depending on the infrastructure used, so you after getting the list needs to try them one by one, as I also provided code towards

[cglatot]

Your timing is insane @ukdtom , I'm literally right in the middle of testing this and discovered that about 3 minutes ago haha!

Also, do you know if there is any documentation on the V2 API anywhere? I can't seem to find anything useful at all other than the code you've shared with me (once again, MUCH appreciated!)

[ukdtom]

Sadly, AFAIK, all docs are internal only, so Chrome Debugger is your friend here ;)

[ukdtom]

And note, that https://plex.tv/api/v2/resources also shows servers shared towards you, so you need to filter on owned

[cglatot]

Ugh, that is really annoying lol. How did you find the proper endpoints though? Just trial and error?

Luckily, I don't need to filter on owned as I never need ownership rights to achieve what my tool does (changes audio and subtitle tracks)

[ukdtom]

Well, I use the WebClient, and track what it's doing, both regarding local PMS, as well as towards plex.tv

[cglatot]

@Undeadllama @ukdtom - This should now be working natively - at least, it works for the servers I have access to. Would you mind doing a test on your end to see if it works now?

[ukdtom]

How strange it might sound, I'm not a user of your SW, since not a valid use-case for me ;)

Just stumbled across a link to your Git, and looked into the code and open issues

So I'll leave testing to @Undeadllama

[Undeadllama]

Just pulled an updated copy onto my web server and can confirm its looking good, everything appears to be working as expected! Plex auth is working well too, no more PIN required :)

[cglatot]

Excellent, thank you very much for confirming @Undeadllama

@ukdtom Even more reason for my thanks then! Could not have implemented this so easily without your help.