Include ApiKey in /Videos/{id} requests for future auth compatibility

[santoscarias]

This feature request respects the following points:

• This feature has not already been requested on GitHub.
• I agree to follow Jellyfin's Code of Conduct.

Platform

iOS

Describe the feature you'd like to see

Hi 👋 When inspect Swiftfin's network traffic to the server I noticed it does unauthenticated requests for /Video, e.g.:

/Videos/f4a0b1c2d3e5c4b8a9e6f7d8e9a0b1d4/stream?mediaSourceId=2f0340563593c4d98b97c9bfa21ce24f&playSessionId=e3a869b7a901f8894de8ee65688db6c0&static=true&tag=J3wen7c44lC5rRKFo9Hb did not appear to include an apikey or authorization header. Given jellyfin/jellyfin#13984, server-side auth will eventually be required..?

Would it be an idea to already future proof and add authorization details to the request?
(See https://gist.github.com/nielsvanvelzen/ea047d9028f676185832e51ffaf12a6f#sending-authorization-values for how to add this to a request)

[JPKribs]

This should already be accounted for on 1.4 of Swiftfin for iOS/iPadOS. Please see:

#1859 (comment)

I've tested this now using 10.11 with legacy auth disabled and this works without issue. Are you able to recreate this as an issue on 10.12 or 10.11?

---

Tested

1.0.1 (tvOS App Store) does not have the newer SDK with the auth changes so this is expected to fail and prove we are using the updated <EnableLegacyAuthorization>false</EnableLegacyAuthorization> to validate against 10.12/12.0.

1.0.1 - Older SDK: Fails Login (Expected)
1.0.1 - Older SDK: Fails Stream (Expected)

Tested on current release, I am unable to recreate this issue which is also expected as 0.5.3+ correctly uses the new structure. 1.4.1 is on 0.6.0 for 10.11. Below is what I checked and found:

1.4.1 - Newer SDK: Successful Login
1.4.1 - Newer SDK: Successful Direct Stream
1.4.1 - Newer SDK: Successful Transcoded Stream

---

I believe this is already resolved in our latest App Store release but please let me know if you have issues on 10.12 / 12.0 or 10.11 with EnableLegacyAuthorization set to false. At this time, I cannot recreate any issue.

[santoscarias]

Hi @JPKribs, Thanks for quick reply! Please note these two items are related but are probably not the same..

Jellyfin's <EnableLegacyAuthorization>false</EnableLegacyAuthorization> is about Jellyfin removing support for having the API token in various HTTP headers. After deprecation the token has to be in the same HTTP header Authorization or query parameter apiKey. (See https://gist.github.com/nielsvanvelzen/ea047d9028f676185832e51ffaf12a6f more details)

This ticket is about always setting the Authorization header when making requests against a Jellyfin server. Please note this is not yet an issue with 10.12 but might become an issue in the future when authentication becomes necessary on more endpoints. (see jellyfin/jellyfin#13988 and jellyfin/jellyfin#13984)

Currently Swiftfin does not appear to send Authorization header on image and/or video requests.
An example from the built in logger (nice feature btw!!)

version 1.4.1, @ ios:

An image request:

Headers:

[JPKribs]

This would most likely be completed on the SDK instead of Swiftfin: https://github.com/jellyfin/jellyfin-sdk-swift

We don't really do anything special with auth here we just inherit everything from that project. My understanding is, as that is implemented, we just inherit that from the spec doc as well so I don't believe there is any actual work to be done.