From 72ca694f212ab616ca7b7fe02e428ff61f79c67c Mon Sep 17 00:00:00 2001
From: notfakie <103784113+notfakie@users.noreply.github.com>
Date: Thu, 28 Apr 2022 17:58:05 +1200
Subject: [PATCH] fix: don't allow login for unimported Jellyfin users if not set in settings
---
 server/routes/auth.ts | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index c1473c911..1aacb69b0 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -255,11 +255,33 @@ authRoutes.post('/jellyfin', async (req, res, next) => {
 user.username = '';
 }
 await userRepository.save(user);
+ } else if (!settings.main.newPlexLogin) {
+ logger.warn(
+ 'Failed sign-in attempt by unimported Jellyfin user with access to the media server',
+ {
+ label: 'API',
+ ip: req.ip,
+ jellyfinUserId: account.User.Id,
+ jellyfinUsername: account.User.Name,
+ }
+ );
+ return next({
+ status: 403,
+ message: 'Access denied.',
+ });
 } else {
 // Here we check if it's the first user. If it is, we create the user with no check
 // and give them admin permissions
 const totalUsers = await userRepository.count();
 if (totalUsers === 0) {
+ logger.info(
+ 'Sign-in attempt from Jellyfin user with access to the media server; creating initial admin user for Overseerr',
+ {
+ label: 'API',
+ ip: req.ip,
+ jellyfinUsername: account.User.Name,
+ }
+ );
 user = new User({
 email: body.email,
 jellyfinUsername: account.User.Name,
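Review bot: The new `else if (!settings.main.newPlexLogin)` branch is tested before the `totalUsers === 0` bootstrap check, so on an instance with no users and that setting disabled the first Jellyfin sign-in gets the 403 and the initial-admin path below it is unreachable. If that is not intended, gate the denial on existing users, e.g. `} else if (!settings.main.newPlexLogin && (await userRepository.count()) > 0) {`, or move the empty-database check ahead of it. The admin-creation `logger.info` also omits `jellyfinUserId: account.User.Id,`, which the denial log includes; the stable ID is worth recording for the one event that grants admin. `ip: req.ip` is only the client address if Express proxy trust is configured for the deployment, which is not visible here. The handler's body starts before and continues past this hunk.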