feat(jellyfin): store access token in encrypted local store

2026-02-28 06:22:45 -08:00 · 2026-02-20 03:26:37 -08:00
parent a4532a5fa0
commit 46a2ac5dc7
22 changed files with 306 additions and 13 deletions
--- a/src/config/definitions.ts
+++ b/src/config/definitions.ts
@@ -807,7 +807,8 @@ export const CONFIG_TEMPLATE_SECTIONS: ConfigTemplateSection[] = [
    title: 'Jellyfin',
    description: [
      'Optional Jellyfin integration for auth, browsing, and playback launch.',
-      'Access token is stored in config and should be treated as a secret.',
+      'Access token is stored in local encrypted token storage after login/setup.',
+      'jellyfin.accessToken remains an optional explicit override in config.',
    ],
    key: 'jellyfin',
  },
--- a/src/core/services/jellyfin-token-store.ts
+++ b/src/core/services/jellyfin-token-store.ts
@@ -0,0 +1,100 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import { safeStorage } from 'electron';
+
+interface PersistedTokenPayload {
+  encryptedToken?: string;
+  plaintextToken?: string;
+  updatedAt?: number;
+}
+
+export interface JellyfinTokenStore {
+  loadToken: () => string | null;
+  saveToken: (token: string) => void;
+  clearToken: () => void;
+}
+
+function ensureDirectory(filePath: string): void {
+  const dir = path.dirname(filePath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+}
+
+function writePayload(filePath: string, payload: PersistedTokenPayload): void {
+  ensureDirectory(filePath);
+  fs.writeFileSync(filePath, JSON.stringify(payload, null, 2), 'utf-8');
+}
+
+export function createJellyfinTokenStore(
+  filePath: string,
+  logger: {
+    info: (message: string) => void;
+    warn: (message: string, details?: unknown) => void;
+    error: (message: string, details?: unknown) => void;
+  },
+): JellyfinTokenStore {
+  return {
+    loadToken(): string | null {
+      if (!fs.existsSync(filePath)) {
+        return null;
+      }
+      try {
+        const raw = fs.readFileSync(filePath, 'utf-8');
+        const parsed = JSON.parse(raw) as PersistedTokenPayload;
+        if (typeof parsed.encryptedToken === 'string' && parsed.encryptedToken.length > 0) {
+          const encrypted = Buffer.from(parsed.encryptedToken, 'base64');
+          if (!safeStorage.isEncryptionAvailable()) {
+            logger.warn('Jellyfin token encryption is not available on this system.');
+            return null;
+          }
+          const decrypted = safeStorage.decryptString(encrypted).trim();
+          return decrypted.length > 0 ? decrypted : null;
+        }
+        if (typeof parsed.plaintextToken === 'string' && parsed.plaintextToken.trim().length > 0) {
+          const plaintext = parsed.plaintextToken.trim();
+          this.saveToken(plaintext);
+          return plaintext;
+        }
+      } catch (error) {
+        logger.error('Failed to read Jellyfin token store.', error);
+      }
+      return null;
+    },
+
+    saveToken(token: string): void {
+      const trimmed = token.trim();
+      if (trimmed.length === 0) {
+        this.clearToken();
+        return;
+      }
+      try {
+        if (!safeStorage.isEncryptionAvailable()) {
+          logger.warn('Jellyfin token encryption unavailable; storing token in plaintext fallback.');
+          writePayload(filePath, {
+            plaintextToken: trimmed,
+            updatedAt: Date.now(),
+          });
+          return;
+        }
+        const encrypted = safeStorage.encryptString(trimmed);
+        writePayload(filePath, {
+          encryptedToken: encrypted.toString('base64'),
+          updatedAt: Date.now(),
+        });
+      } catch (error) {
+        logger.error('Failed to persist Jellyfin token.', error);
+      }
+    },
+
+    clearToken(): void {
+      if (!fs.existsSync(filePath)) return;
+      try {
+        fs.unlinkSync(filePath);
+        logger.info('Cleared stored Jellyfin token.');
+      } catch (error) {
+        logger.error('Failed to clear stored Jellyfin token.', error);
+      }
+    },
+  };
+}
--- a/src/main.ts
+++ b/src/main.ts
@@ -530,6 +530,7 @@ import {
 } from './core/services/anilist/anilist-updater';
 import { createAnilistTokenStore } from './core/services/anilist/anilist-token-store';
 import { createAnilistUpdateQueue } from './core/services/anilist/anilist-update-queue';
+import { createJellyfinTokenStore } from './core/services/jellyfin-token-store';
 import { applyRuntimeOptionResultRuntime } from './core/services/runtime-options-ipc';
 import { createAppReadyRuntimeRunner } from './main/app-lifecycle';
 import { handleMpvCommandFromIpcRuntime } from './main/ipc-mpv-command';
@@ -581,6 +582,7 @@ const ANILIST_UPDATE_MIN_WATCH_SECONDS = 10 * 60;
 const ANILIST_DURATION_RETRY_INTERVAL_MS = 15_000;
 const ANILIST_MAX_ATTEMPTED_UPDATE_KEYS = 1000;
 const ANILIST_TOKEN_STORE_FILE = 'anilist-token-store.json';
+const JELLYFIN_TOKEN_STORE_FILE = 'jellyfin-token-store.json';
 const ANILIST_RETRY_QUEUE_FILE = 'anilist-retry-queue.json';
 const TRAY_TOOLTIP = 'SubMiner';

@@ -644,6 +646,14 @@ const anilistTokenStore = createAnilistTokenStore(
    error: (message: string, details?: unknown) => console.error(message, details),
  },
 );
+const jellyfinTokenStore = createJellyfinTokenStore(
+  path.join(USER_DATA_PATH, JELLYFIN_TOKEN_STORE_FILE),
+  {
+    info: (message: string) => console.info(message),
+    warn: (message: string, details?: unknown) => console.warn(message, details),
+    error: (message: string, details?: unknown) => console.error(message, details),
+  },
+);
 const anilistUpdateQueue = createAnilistUpdateQueue(
  path.join(USER_DATA_PATH, ANILIST_RETRY_QUEUE_FILE),
  {
@@ -1205,6 +1215,7 @@ function getResolvedConfig() {
 const buildGetResolvedJellyfinConfigMainDepsHandler =
  createBuildGetResolvedJellyfinConfigMainDepsHandler({
  getResolvedConfig: () => getResolvedConfig(),
+  loadStoredToken: () => jellyfinTokenStore.loadToken(),
 });
 const getResolvedJellyfinConfigHandler = createGetResolvedJellyfinConfigHandler(
  buildGetResolvedJellyfinConfigMainDepsHandler(),
@@ -1345,6 +1356,8 @@ const buildHandleJellyfinAuthCommandsMainDepsHandler =
  },
  authenticateWithPassword: (serverUrl, username, password, clientInfo) =>
    authenticateWithPasswordRuntime(serverUrl, username, password, clientInfo),
+  saveStoredToken: (token) => jellyfinTokenStore.saveToken(token),
+  clearStoredToken: () => jellyfinTokenStore.clearToken(),
  logInfo: (message) => logger.info(message),
 });
 const handleJellyfinAuthCommands = createHandleJellyfinAuthCommands(
@@ -1585,13 +1598,14 @@ const buildOpenJellyfinSetupWindowMainDepsHandler =
    authenticateWithPassword: (server, username, password, clientInfo) =>
      authenticateWithPasswordRuntime(server, username, password, clientInfo),
    getJellyfinClientInfo: () => getJellyfinClientInfo(),
+    saveStoredToken: (token) => jellyfinTokenStore.saveToken(token),
    patchJellyfinConfig: (session) => {
      configService.patchRawConfig({
        jellyfin: {
          enabled: true,
          serverUrl: session.serverUrl,
          username: session.username,
-          accessToken: session.accessToken,
+          accessToken: '',
          userId: session.userId,
        },
      });
--- a/src/main/runtime/jellyfin-cli-auth.test.ts
+++ b/src/main/runtime/jellyfin-cli-auth.test.ts
@@ -6,6 +6,8 @@ test('jellyfin auth handler processes logout', async () => {
  const calls: string[] = [];
  const handleAuth = createHandleJellyfinAuthCommands({
    patchRawConfig: () => calls.push('patch'),
+    saveStoredToken: () => calls.push('save'),
+    clearStoredToken: () => calls.push('clear'),
    authenticateWithPassword: async () => {
      throw new Error('should not authenticate');
    },
@@ -34,13 +36,15 @@ test('jellyfin auth handler processes logout', async () => {
  });

  assert.equal(handled, true);
-  assert.equal(calls[0], 'patch');
+  assert.deepEqual(calls.slice(0, 2), ['clear', 'patch']);
 });

 test('jellyfin auth handler processes login', async () => {
  const calls: string[] = [];
  const handleAuth = createHandleJellyfinAuthCommands({
    patchRawConfig: () => calls.push('patch'),
+    saveStoredToken: () => calls.push('save'),
+    clearStoredToken: () => calls.push('clear'),
    authenticateWithPassword: async () => ({
      serverUrl: 'http://localhost',
      username: 'user',
@@ -72,6 +76,7 @@ test('jellyfin auth handler processes login', async () => {
  });

  assert.equal(handled, true);
+  assert.ok(calls.includes('save'));
  assert.ok(calls.includes('patch'));
  assert.ok(calls.some((entry) => entry.includes('Jellyfin login succeeded')));
 });
@@ -79,6 +84,8 @@ test('jellyfin auth handler processes login', async () => {
 test('jellyfin auth handler no-ops when no auth command', async () => {
  const handleAuth = createHandleJellyfinAuthCommands({
    patchRawConfig: () => {},
+    saveStoredToken: () => {},
+    clearStoredToken: () => {},
    authenticateWithPassword: async () => ({
      serverUrl: '',
      username: '',
--- a/src/main/runtime/jellyfin-cli-auth.ts
+++ b/src/main/runtime/jellyfin-cli-auth.ts
@@ -39,6 +39,8 @@ export function createHandleJellyfinAuthCommands(deps: {
    password: string,
    clientInfo: JellyfinClientInfo,
  ) => Promise<JellyfinSession>;
+  saveStoredToken: (token: string) => void;
+  clearStoredToken: () => void;
  logInfo: (message: string) => void;
 }) {
  return async (params: {
@@ -48,6 +50,7 @@ export function createHandleJellyfinAuthCommands(deps: {
    clientInfo: JellyfinClientInfo;
  }): Promise<boolean> => {
    if (params.args.jellyfinLogout) {
+      deps.clearStoredToken();
      deps.patchRawConfig({
        jellyfin: {
          accessToken: '',
@@ -70,12 +73,13 @@ export function createHandleJellyfinAuthCommands(deps: {
      password,
      params.clientInfo,
    );
+    deps.saveStoredToken(session.accessToken);
    deps.patchRawConfig({
      jellyfin: {
        enabled: true,
        serverUrl: session.serverUrl,
        username: session.username,
-        accessToken: session.accessToken,
+        accessToken: '',
        userId: session.userId,
        deviceId: params.clientInfo.deviceId,
        clientName: params.clientInfo.clientName,
--- a/src/main/runtime/jellyfin-cli-main-deps.test.ts
+++ b/src/main/runtime/jellyfin-cli-main-deps.test.ts
@@ -12,6 +12,8 @@ test('jellyfin auth commands main deps builder maps callbacks', async () => {
  const deps = createBuildHandleJellyfinAuthCommandsMainDepsHandler({
    patchRawConfig: () => calls.push('patch'),
    authenticateWithPassword: async () => ({}) as never,
+    saveStoredToken: () => calls.push('save'),
+    clearStoredToken: () => calls.push('clear'),
    logInfo: (message) => calls.push(`info:${message}`),
  })();

@@ -21,8 +23,10 @@ test('jellyfin auth commands main deps builder maps callbacks', async () => {
    clientName: '',
    clientVersion: '',
  });
+  deps.saveStoredToken('token');
+  deps.clearStoredToken();
  deps.logInfo('ok');
-  assert.deepEqual(calls, ['patch', 'info:ok']);
+  assert.deepEqual(calls, ['patch', 'save', 'clear', 'info:ok']);
 });

 test('jellyfin list commands main deps builder maps callbacks', async () => {
--- a/src/main/runtime/jellyfin-cli-main-deps.ts
+++ b/src/main/runtime/jellyfin-cli-main-deps.ts
@@ -25,6 +25,8 @@ export function createBuildHandleJellyfinAuthCommandsMainDepsHandler(
    patchRawConfig: (patch) => deps.patchRawConfig(patch),
    authenticateWithPassword: (serverUrl, username, password, clientInfo) =>
      deps.authenticateWithPassword(serverUrl, username, password, clientInfo),
+    saveStoredToken: (token) => deps.saveStoredToken(token),
+    clearStoredToken: () => deps.clearStoredToken(),
    logInfo: (message: string) => deps.logInfo(message),
  });
 }
--- a/src/main/runtime/jellyfin-client-info-main-deps.test.ts
+++ b/src/main/runtime/jellyfin-client-info-main-deps.test.ts
@@ -9,8 +9,10 @@ test('get resolved jellyfin config main deps builder maps callbacks', () => {
  const resolved = { jellyfin: { url: 'https://example.com' } };
  const deps = createBuildGetResolvedJellyfinConfigMainDepsHandler({
    getResolvedConfig: () => resolved as never,
+    loadStoredToken: () => 'stored-token',
  })();
  assert.equal(deps.getResolvedConfig(), resolved);
+  assert.equal(deps.loadStoredToken(), 'stored-token');
 });

 test('get jellyfin client info main deps builder maps callbacks', () => {
--- a/src/main/runtime/jellyfin-client-info-main-deps.ts
+++ b/src/main/runtime/jellyfin-client-info-main-deps.ts
@@ -11,6 +11,7 @@ export function createBuildGetResolvedJellyfinConfigMainDepsHandler(
 ) {
  return (): GetResolvedJellyfinConfigMainDeps => ({
    getResolvedConfig: () => deps.getResolvedConfig(),
+    loadStoredToken: () => deps.loadStoredToken(),
  });
 }

--- a/src/main/runtime/jellyfin-client-info.test.ts
+++ b/src/main/runtime/jellyfin-client-info.test.ts
@@ -9,11 +9,32 @@ test('get resolved jellyfin config returns jellyfin section from resolved config
  const jellyfin = { url: 'https://jellyfin.local' } as never;
  const getConfig = createGetResolvedJellyfinConfigHandler({
    getResolvedConfig: () => ({ jellyfin } as never),
+    loadStoredToken: () => null,
  });

  assert.equal(getConfig(), jellyfin);
 });

+test('get resolved jellyfin config falls back to stored token when config token is blank', () => {
+  const getConfig = createGetResolvedJellyfinConfigHandler({
+    getResolvedConfig: () =>
+      ({
+        jellyfin: {
+          serverUrl: 'http://localhost:8096',
+          accessToken: '   ',
+          userId: 'uid-1',
+        },
+      }) as never,
+    loadStoredToken: () => 'stored-token',
+  });
+
+  assert.deepEqual(getConfig(), {
+    serverUrl: 'http://localhost:8096',
+    accessToken: 'stored-token',
+    userId: 'uid-1',
+  });
+});
+
 test('jellyfin client info resolves defaults when fields are missing', () => {
  const getClientInfo = createGetJellyfinClientInfoHandler({
    getResolvedJellyfinConfig: () => ({ clientName: '', clientVersion: '', deviceId: '' } as never),
--- a/src/main/runtime/jellyfin-client-info.ts
+++ b/src/main/runtime/jellyfin-client-info.ts
@@ -1,7 +1,25 @@
 export function createGetResolvedJellyfinConfigHandler(deps: {
  getResolvedConfig: () => { jellyfin: unknown };
+  loadStoredToken: () => string | null | undefined;
 }) {
-  return () => deps.getResolvedConfig().jellyfin as never;
+  return () => {
+    const jellyfin = deps.getResolvedConfig().jellyfin as {
+      accessToken?: string;
+      [key: string]: unknown;
+    };
+    const configToken = jellyfin.accessToken?.trim() ?? '';
+    if (configToken.length > 0) {
+      return jellyfin as never;
+    }
+    const storedToken = deps.loadStoredToken()?.trim() ?? '';
+    if (storedToken.length === 0) {
+      return jellyfin as never;
+    }
+    return {
+      ...jellyfin,
+      accessToken: storedToken,
+    } as never;
+  };
 }

 export function createGetJellyfinClientInfoHandler(deps: {
--- a/src/main/runtime/jellyfin-setup-window-main-deps.test.ts
+++ b/src/main/runtime/jellyfin-setup-window-main-deps.test.ts
@@ -17,6 +17,7 @@ test('open jellyfin setup window main deps builder maps callbacks', async () =>
      userId: 'uid',
    }),
    getJellyfinClientInfo: () => ({ clientName: 'SubMiner', clientVersion: '1.0', deviceId: 'dev' }),
+    saveStoredToken: () => calls.push('save'),
    patchJellyfinConfig: () => calls.push('patch'),
    logInfo: (message) => calls.push(`info:${message}`),
    logError: (message) => calls.push(`error:${message}`),
@@ -43,6 +44,7 @@ test('open jellyfin setup window main deps builder maps callbacks', async () =>
    accessToken: 'token',
    userId: 'uid',
  });
+  deps.saveStoredToken('token');
  deps.patchJellyfinConfig({
    serverUrl: 'http://127.0.0.1:8096',
    username: 'alice',
@@ -55,5 +57,5 @@ test('open jellyfin setup window main deps builder maps callbacks', async () =>
  deps.clearSetupWindow();
  deps.setSetupWindow({} as never);
  assert.equal(deps.encodeURIComponent('a b'), 'a%20b');
-  assert.deepEqual(calls, ['patch', 'info:ok', 'error:bad', 'osd:toast', 'clear', 'set-window']);
+  assert.deepEqual(calls, ['save', 'patch', 'info:ok', 'error:bad', 'osd:toast', 'clear', 'set-window']);
 });
--- a/src/main/runtime/jellyfin-setup-window-main-deps.ts
+++ b/src/main/runtime/jellyfin-setup-window-main-deps.ts
@@ -15,6 +15,7 @@ export function createBuildOpenJellyfinSetupWindowMainDepsHandler(
    authenticateWithPassword: (server: string, username: string, password: string, clientInfo) =>
      deps.authenticateWithPassword(server, username, password, clientInfo),
    getJellyfinClientInfo: () => deps.getJellyfinClientInfo(),
+    saveStoredToken: (token: string) => deps.saveStoredToken(token),
    patchJellyfinConfig: (session) => deps.patchJellyfinConfig(session),
    logInfo: (message: string) => deps.logInfo(message),
    logError: (message: string, error: unknown) => deps.logError(message, error),
--- a/src/main/runtime/jellyfin-setup-window.test.ts
+++ b/src/main/runtime/jellyfin-setup-window.test.ts
@@ -49,6 +49,7 @@ test('createHandleJellyfinSetupSubmissionHandler applies successful login', asyn
      userId: 'uid',
    }),
    getJellyfinClientInfo: () => ({ clientName: 'SubMiner', clientVersion: '1.0', deviceId: 'did' }),
+    saveStoredToken: () => calls.push('save'),
    patchJellyfinConfig: () => calls.push('patch'),
    logInfo: () => calls.push('info'),
    logError: () => calls.push('error'),
@@ -60,7 +61,7 @@ test('createHandleJellyfinSetupSubmissionHandler applies successful login', asyn
    'subminer://jellyfin-setup?server=http%3A%2F%2Flocalhost&username=a&password=b',
  );
  assert.equal(handled, true);
-  assert.deepEqual(calls, ['patch', 'info', 'osd:Jellyfin login success', 'close']);
+  assert.deepEqual(calls, ['save', 'patch', 'info', 'osd:Jellyfin login success', 'close']);
 });

 test('createHandleJellyfinSetupSubmissionHandler reports failure to OSD', async () => {
@@ -71,6 +72,7 @@ test('createHandleJellyfinSetupSubmissionHandler reports failure to OSD', async
      throw new Error('bad credentials');
    },
    getJellyfinClientInfo: () => ({ clientName: 'SubMiner', clientVersion: '1.0', deviceId: 'did' }),
+    saveStoredToken: () => calls.push('save'),
    patchJellyfinConfig: () => calls.push('patch'),
    logInfo: () => calls.push('info'),
    logError: () => calls.push('error'),
@@ -164,6 +166,7 @@ test('createOpenJellyfinSetupWindowHandler no-ops when existing setup window is
      throw new Error('should not auth');
    },
    getJellyfinClientInfo: () => ({ clientName: 'SubMiner', clientVersion: '1.0', deviceId: 'did' }),
+    saveStoredToken: () => {},
    patchJellyfinConfig: () => {},
    logInfo: () => {},
    logError: () => {},
@@ -216,6 +219,7 @@ test('createOpenJellyfinSetupWindowHandler wires navigation, load, and window li
      userId: 'uid',
    }),
    getJellyfinClientInfo: () => ({ clientName: 'SubMiner', clientVersion: '1.0', deviceId: 'did' }),
+    saveStoredToken: () => calls.push('save'),
    patchJellyfinConfig: () => calls.push('patch'),
    logInfo: () => calls.push('info'),
    logError: () => calls.push('error'),
@@ -245,6 +249,7 @@ test('createOpenJellyfinSetupWindowHandler wires navigation, load, and window li
  await Promise.resolve();

  assert.equal(prevented, true);
+  assert.ok(calls.includes('save'));
  assert.ok(calls.includes('patch'));
  assert.ok(calls.includes('osd:Jellyfin login success'));
  assert.ok(calls.includes('close'));
--- a/src/main/runtime/jellyfin-setup-window.ts
+++ b/src/main/runtime/jellyfin-setup-window.ts
@@ -117,6 +117,7 @@ export function createHandleJellyfinSetupSubmissionHandler(deps: {
    clientInfo: JellyfinClientInfo,
  ) => Promise<JellyfinSession>;
  getJellyfinClientInfo: () => JellyfinClientInfo;
+  saveStoredToken: (token: string) => void;
  patchJellyfinConfig: (session: JellyfinSession) => void;
  logInfo: (message: string) => void;
  logError: (message: string, error: unknown) => void;
@@ -136,6 +137,7 @@ export function createHandleJellyfinSetupSubmissionHandler(deps: {
        submission.password,
        deps.getJellyfinClientInfo(),
      );
+      deps.saveStoredToken(session.accessToken);
      deps.patchJellyfinConfig(session);
      deps.logInfo(`Jellyfin setup saved for ${session.username}.`);
      deps.showMpvOsd('Jellyfin login success');
@@ -195,6 +197,7 @@ export function createOpenJellyfinSetupWindowHandler<TWindow extends JellyfinSet
    clientInfo: JellyfinClientInfo,
  ) => Promise<JellyfinSession>;
  getJellyfinClientInfo: () => JellyfinClientInfo;
+  saveStoredToken: (token: string) => void;
  patchJellyfinConfig: (session: JellyfinSession) => void;
  logInfo: (message: string) => void;
  logError: (message: string, error: unknown) => void;
@@ -218,6 +221,7 @@ export function createOpenJellyfinSetupWindowHandler<TWindow extends JellyfinSet
      authenticateWithPassword: (server, username, password, clientInfo) =>
        deps.authenticateWithPassword(server, username, password, clientInfo),
      getJellyfinClientInfo: () => deps.getJellyfinClientInfo(),
+      saveStoredToken: (token) => deps.saveStoredToken(token),
      patchJellyfinConfig: (session) => deps.patchJellyfinConfig(session),
      logInfo: (message) => deps.logInfo(message),
      logError: (message, error) => deps.logError(message, error),