Force logout all clients when changing the admin password

plexpy/config.py

@@ -624,6 +624,7 @@ _CONFIG_DEFINITIONS = {
     'XBMC_ON_CONCURRENT': (int, 'XBMC', 0),
     'XBMC_ON_NEWDEVICE': (int, 'XBMC', 0),
     'JWT_SECRET': (str, 'Advanced', ''),
+    'JWT_UUID': (str, 'Advanced', ''),
     'SYSTEM_ANALYTICS': (int, 'Advanced', 1),
     'WIN_SYS_TRAY': (int, 'General', 1)
 }
@@ -921,3 +922,8 @@ class Config(object):
             self.BUFFER_THRESHOLD = max(self.BUFFER_THRESHOLD, 10)
 
             self.CONFIG_VERSION = 13
+
+        if self.CONFIG_VERSION == 13:
+            self.JWT_UUID = self.PMS_UUID
+
+            self.CONFIG_VERSION = 14

plexpy/webauth.py

@@ -138,8 +138,15 @@ def check_credentials(username=None, password=None, token=None, admin_login='0',
     return False, None, None
 
 
+def jwt_uuid(refresh=False):
+    if not plexpy.CONFIG.JWT_UUID or refresh:
+        plexpy.CONFIG.JWT_UUID = plexpy.generate_uuid()
+        plexpy.CONFIG.write()
+    return plexpy.CONFIG.JWT_UUID
+
+
 def check_jwt_token():
-    jwt_cookie = JWT_COOKIE_NAME + plexpy.CONFIG.PMS_UUID
+    jwt_cookie = JWT_COOKIE_NAME + jwt_uuid()
     jwt_token = cherrypy.request.cookie.get(jwt_cookie)
 
     if jwt_token:
@@ -285,7 +292,7 @@ class AuthController(object):
         if payload:
             self.on_logout(payload['user'], payload['user_group'])
 
-        jwt_cookie = JWT_COOKIE_NAME + plexpy.CONFIG.PMS_UUID
+        jwt_cookie = JWT_COOKIE_NAME + jwt_uuid()
         cherrypy.response.cookie[jwt_cookie] = 'expire'
         cherrypy.response.cookie[jwt_cookie]['expires'] = 0
         cherrypy.response.cookie[jwt_cookie]['path'] = '/'
@@ -331,14 +338,14 @@ class AuthController(object):
                           success=True,
                           oauth=bool(token))
 
-            jwt_cookie = JWT_COOKIE_NAME + plexpy.CONFIG.PMS_UUID
+            jwt_cookie = JWT_COOKIE_NAME + jwt_uuid()
             cherrypy.response.cookie[jwt_cookie] = jwt_token
             cherrypy.response.cookie[jwt_cookie]['expires'] = int(time_delta.total_seconds())
             cherrypy.response.cookie[jwt_cookie]['path'] = '/'
 
             cherrypy.request.login = payload
             cherrypy.response.status = 200
-            return {'status': 'success', 'token': jwt_token.decode('utf-8'), 'uuid': plexpy.CONFIG.PMS_UUID}
+            return {'status': 'success', 'token': jwt_token.decode('utf-8'), 'uuid': jwt_uuid()}
 
         elif admin_login == '1' and username:
             self.on_login(username=username)

plexpy/webserve.py

@@ -53,6 +53,7 @@ import pmsconnect
 import users
 import versioncheck
 import web_socket
+import webauth
 from plexpy.api2 import API2
 from plexpy.helpers import checked, addtoapi, get_ip, create_https_certificates, build_datatables_json, sanitize_out
 from plexpy.session import get_session_info, get_session_user_id, allow_session_user, allow_session_library
@@ -2855,10 +2856,16 @@ class WebInterface(object):
                 else:
                     kwargs['http_password'] = plexpy.CONFIG.HTTP_PASSWORD
 
+                # Refresh JWT uuid to log out clients
+                webauth.jwt_uuid(refresh=True)
+
             elif kwargs['http_password'] and kwargs.get('http_hash_password'):
                 kwargs['http_password'] = make_hash(kwargs['http_password'])
                 kwargs['http_hashed_password'] = 1
 
+                # Refresh JWT uuid to log out clients
+                webauth.jwt_uuid(refresh=True)
+
             elif not kwargs.get('http_hash_password'):
                 kwargs['http_hashed_password'] = 0
         else: