jellyfin / jellyfin-web

Web Client for Jellyfin
https://jellyfin.org
GNU General Public License v2.0

[Issue]: Admin password cannot be unset, vague error ensues #5752

Closed kjkent closed 1 month ago

kjkent commented 3 months ago

Please describe your bug

I have spent some time trying to unset my account password but am presented with:

Login Failure
Invalid username or password. Please try again.

My account was the first created when Jellyfin was set up; other accounts do not have this issue. I first interpreted the error as meaning I'd entered my account password incorrectly, but this is not the case.

It could be argued that this is a security requirement, but Jellyfin allows me to set 0 or 1234 as a password, which is negligibly safer. Jellyfin is isolated from external network access, so a password for media isn't a necessity for my use case.

There is the inverse issue raised here: https://github.com/jellyfin/jellyfin/issues/2658, which has similar potential resolutions. In this case, I suggest:

Reproduction Steps

  1. In either web UI or Android app, attempt to unset the password of the first-created user by filling the "Current password" box, leaving the "New password" boxes unfilled, and hitting "Save Password"
  2. Observe error message

Jellyfin Version

10.9.0

if other:

jellyfin Docker "-latest" tag

Environment

- OS: Arch Linux
- Linux Kernel: 6.9.7
- Virtualization: Docker 27.0.3, Docker Compose 2.28.1
- Clients: NVIDIA Shield TV (the tube one!), Linux web clients, Android client
- Browser: Chrome, Chrome (Android)
- FFmpeg Version: Whichever is bundled in Jellyfin's "-latest" tagged container
- Playback Method: External player on Android, embedded web player on web, Android app on Shield.
- Hardware Acceleration: NVENC
- GPU Model: NVIDIA GeForce 3060 Ti Founders Edition
- Plugins: AudioDB, MusicBrainz, OMDb, Studio Images, TMDb, Webhook
- Reverse Proxy: Traefik
- Base URL: registered domain name used primarily for LAN services
- Networking: Container on bridge network
- Storage: media storage on HDD, runtime storage on SSD & tmpfs

Jellyfin logs

[2024-07-03 14:27:07.248 +00:00] [INF] [24] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "kjkent" has succeeded.
[2024-07-03 14:27:07.248 +00:00] [ERR] [24] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL "POST" "/Users/44aba189fc384fc5bb57d61b3fbdc2ea/Password".
System.ArgumentException: Admin user passwords must not be empty (Parameter 'newPassword')
   at Jellyfin.Server.Implementations.Users.UserManager.ChangePassword(User user, String newPassword)
   at Jellyfin.Api.Controllers.UserController.UpdateUserPassword(Nullable`1 userId, UpdateUserPassword request)
   at lambda_method1195(Closure, Object)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfActionResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Jellyfin.Api.Middleware.ServerStartupMessageMiddleware.Invoke(HttpContext httpContext, IServerApplicationHost serverApplicationHost, ILocalizationManager localizationManager)
   at Jellyfin.Api.Middleware.WebSocketHandlerMiddleware.Invoke(HttpContext httpContext, IWebSocketManager webSocketManager)
   at Jellyfin.Api.Middleware.IPBasedAccessValidationMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager)
   at Jellyfin.Api.Middleware.LanFilteringMiddleware.Invoke(HttpContext httpContext, INetworkManager networkManager, IServerConfigurationManager serverConfigurationManager)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.QueryStringDecodingMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.ReDoc.ReDocMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Jellyfin.Api.Middleware.RobotsRedirectionMiddleware.Invoke(HttpContext httpContext)
   at Jellyfin.Api.Middleware.LegacyEmbyRouteRewriteMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Jellyfin.Api.Middleware.ResponseTimeMiddleware.Invoke(HttpContext context, IServerConfigurationManager serverConfigurationManager)
   at Jellyfin.Api.Middleware.ExceptionMiddleware.Invoke(HttpContext context)

jellyfin-bot commented 3 months ago

Hi, it seems like your issue report has the following item(s) that need to be addressed:

This is an automated message, currently under testing. Please file an issue here if you encounter any problems.

kjkent commented 3 months ago

Edited to fill missed env item

crobibero commented 3 months ago

Requiring administrators to have passwords was a conscious decision, so moving this to web to update the error message.

sunnyd24 commented 2 months ago

I am having the same issue, with the error message in the logs and a continuously loading circle in the GUI that never times out.

Log error: Admin user passwords must not be empty

GUI: Loading/waiting circle that never ends, with no useful indication of the password requirement for the admin account.

Similarly to @kjkent, my instance is behind a VPN, so it cannot be accessed over the Internet, only local access.

It would be great to have an admin password bypass in the Jellyfin config for advanced users?
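
For triage, the server log quoted in the original report separates the two cases that the client message conflates: authentication succeeded, and the password change was then rejected by a validation rule. The following is an added example, not code from Jellyfin or from this thread; it parses logs in that format and reports the real cause of each failed password-change request. The sample log is constructed (placeholder user names and id), and pairing entries by the bracketed thread id is a heuristic assumed from the excerpt.

```python
import re

# Constructed sample in the format of the log excerpt in the report above
# (user names and the user id are placeholders, not values from the page).
SAMPLE_LOG = """\
[2024-01-01 10:00:00.100 +00:00] [INF] [24] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "alice" has succeeded.
[2024-01-01 10:00:00.101 +00:00] [ERR] [24] Jellyfin.Api.Middleware.ExceptionMiddleware: Error processing request. URL "POST" "/Users/00000000000000000000000000000001/Password".
System.ArgumentException: Admin user passwords must not be empty (Parameter 'newPassword')
   at Jellyfin.Server.Implementations.Users.UserManager.ChangePassword(User user, String newPassword)
[2024-01-01 10:05:00.000 +00:00] [INF] [31] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "bob" has succeeded.
"""

ENTRY = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]{3})\] \[(?P<thread>\d+)\] (?P<source>[^:]+): (?P<msg>.*)$')
AUTH_OK = re.compile(r'Authentication request for "([^"]+)" has succeeded')
PW_POST = re.compile(r'URL "POST" "/Users/([0-9a-fA-F]+)/Password"')
EXC = re.compile(r'^(?P<type>[\w.]+Exception): (?P<text>.*)$')

def parse_entries(text):
    """Attach continuation lines (exception, stack frames) to the timestamped entry above them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "extra": []})
        elif entries and line.strip():
            entries[-1]["extra"].append(line)
    return entries

def classify_password_failures(text):
    """Return one finding per failed POST /Users/{id}/Password, with the logged cause."""
    findings, last_auth = [], {}  # last_auth: thread id -> user last authenticated on it
    for e in parse_entries(text):
        ok = AUTH_OK.search(e["msg"])
        if ok:
            last_auth[e["thread"]] = ok.group(1)
            continue
        post = PW_POST.search(e["msg"])
        if e["level"] != "ERR" or not post:
            continue
        exc = next(filter(None, map(EXC.match, e["extra"])), None)
        findings.append({
            "ts": e["ts"], "user_id": post.group(1),
            "authenticated_as": last_auth.get(e["thread"]),  # set => credentials were accepted
            "exception": exc.group("type") if exc else None,
            "reason": exc.group("text") if exc else None,
        })
    return findings
```

A finding with `authenticated_as` set and an `ArgumentException` reason means the credentials were accepted and the request failed validation, which is the situation the client reported as a login failure.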