From 4ae20684092b5b28527b23dfbc1a3417858fee8e Mon Sep 17 00:00:00 2001
From: fallenbagel <98979876+fallenbagel@users.noreply.github.com>
Date: Fri, 27 Feb 2026 21:36:17 +0500
Subject: [PATCH] Merge commit from fork

Fix a logic flaw in the jellyfin auth guard that allowed unauthenticated users to register accounts on Plex-configured instances by authenticating against an attacker-controlled Jellyfin server.
---
 server/routes/auth.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index b74befe5..d625d85e 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -244,8 +244,7 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
 (settings.main.mediaServerLogin === false ||
 // media server is neither jellyfin or emby
 (settings.main.mediaServerType !== MediaServerType.JELLYFIN &&
- settings.main.mediaServerType !== MediaServerType.EMBY &&
- settings.jellyfin.ip !== ''))
+ settings.main.mediaServerType !== MediaServerType.EMBY))
 ) {
 return res.status(500).json({ error: 'Jellyfin login is disabled' });
 }
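Review bot: Nothing in the patch pins the corrected guard in place: the comment above the `mediaServerType` comparison still reads only `// media server is neither jellyfin or emby`, and the diffstat shows no test file, so the removed `settings.jellyfin.ip !== ''` clause could be re-added later without anyone noticing. I would extend the comment to `// media server is neither jellyfin or emby; never gate this on settings.jellyfin.ip, which is empty on Plex instances and used to disable the check`, and add a route test asserting that the `/jellyfin` auth route answers 'Jellyfin login is disabled' when the configured server type is neither Jellyfin nor Emby and `settings.jellyfin.ip` is `''`. Separately, the refusal is sent as `res.status(500)`, which makes rejected login attempts look like server faults in logs; `403` would be easier to alert on, provided no client depends on the current code. The `if` condition opens above the hunk and the handler continues below it, so the first clause of the guard is not visible here and is worth re-checking against the same scenario.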