From 937589c7a24e85c40df78a55d62c8bce65739320 Mon Sep 17 00:00:00 2001 From: s8n Date: Fri, 8 May 2026 15:36:14 +0100 Subject: [PATCH] redact: scrub leaked Jellyfin admin API token from public repo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Token 76858153...f8b1 was committed across 9 docs + 1 snapshot RESTORE.md and exposed via the brief public window of this repo. Replaced with `` placeholder. WARNING: this commit only redacts HEAD — the token remains in git history. Anyone who cloned during the public window has the full value. Treat the old token as compromised and rotate at Jellyfin Dashboard > API Keys. Original value backed up to private s8n/secrets/ARRFLIX/. --- docs/01-artwork-and-images.md | 2 +- docs/02-metadata-and-titles.md | 2 +- docs/03-subtitles.md | 2 +- docs/04-theming-and-users.md | 4 ++-- docs/05-file-structure-rules.md | 2 +- docs/06-per-library-themes.md | 2 +- docs/12-dev-instance.md | 2 +- docs/15-force-english.md | 4 ++-- snapshots/2026-05-08-pre-elegantfin/RESTORE.md | 4 ++-- 9 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/01-artwork-and-images.md b/docs/01-artwork-and-images.md index 92bdd28..891dd87 100644 --- a/docs/01-artwork-and-images.md +++ b/docs/01-artwork-and-images.md @@ -10,7 +10,7 @@ nullstone). Auth header below uses the long-lived API token — replace with you own `X-Emby-Token` if needed. ```bash -TOKEN="*redacted*" +TOKEN="" H="-H \"Authorization: MediaBrowser Token=${TOKEN}\"" BASE="https://arrflix.s8n.ru" ``` diff --git a/docs/02-metadata-and-titles.md b/docs/02-metadata-and-titles.md index 5f2c6fe..d31ffa0 100644 --- a/docs/02-metadata-and-titles.md +++ b/docs/02-metadata-and-titles.md @@ -203,7 +203,7 @@ For our Futurama set, all files are single-episode (`s01e01.pl.mkv`), so this di Step-by-step, with the exact commands run: ```bash -TOKEN=*redacted* +TOKEN= SERIES_ID=156e57437f795e5c8cd80fc98bafaee0 # Futurama LIB_ID=767bffe4f11c93ef34b805451a696a4e # TV Shows library diff --git a/docs/03-subtitles.md b/docs/03-subtitles.md index f371ba0..8132b00 100644 --- a/docs/03-subtitles.md +++ b/docs/03-subtitles.md @@ -90,7 +90,7 @@ User does NOT need to obtain an API key. The plugin embeds its own key (verified After signup at opensubtitles.com, save creds via API: ```bash -TOKEN=*redacted* +TOKEN= USER='your-opensubtitles-com-username' PASS='your-opensubtitles-com-password' diff --git a/docs/04-theming-and-users.md b/docs/04-theming-and-users.md index 6018d9d..f6b07be 100644 --- a/docs/04-theming-and-users.md +++ b/docs/04-theming-and-users.md @@ -129,7 +129,7 @@ Rollback paths: ### Branding API (Cineplex, applied 2026-05-08) ```bash -TOKEN=*redacted* +TOKEN= cat > /tmp/branding.json <<'EOF' { @@ -558,7 +558,7 @@ to `/System/Configuration/branding`. > friend account that will exist later. ```bash -TOKEN=*redacted* +TOKEN= TVSHOWS_ID=767bffe4f11c93ef34b805451a696a4e # 1. Create the user (auth header REQUIRED — admin token). diff --git a/docs/05-file-structure-rules.md b/docs/05-file-structure-rules.md index 9c60de1..4de88b3 100644 --- a/docs/05-file-structure-rules.md +++ b/docs/05-file-structure-rules.md @@ -968,7 +968,7 @@ used at library creation.) ### 12.1 Creating libraries via API ```bash -TOKEN=*redacted* +TOKEN= H="-H \"X-Emby-Token: ${TOKEN}\"" B="https://arrflix.s8n.ru" diff --git a/docs/06-per-library-themes.md b/docs/06-per-library-themes.md index aae8aaa..bc5384e 100644 --- a/docs/06-per-library-themes.md +++ b/docs/06-per-library-themes.md @@ -55,7 +55,7 @@ information needed to scope styles is simply not in the DOM. ### Why approach #3 fails -`GET /Library/VirtualFolders` (auth `X-Emby-Token: *redacted*`) returns +`GET /Library/VirtualFolders` (auth `X-Emby-Token: `) returns `LibraryOptions` containing only metadata/scan/subtitle settings. No `CustomCss`, no `Theme`, no `Branding` per library. The single global CustomCss field at `/System/Configuration/branding` is the only knob the server exposes. diff --git a/docs/12-dev-instance.md b/docs/12-dev-instance.md index ea323b0..13e8f45 100644 --- a/docs/12-dev-instance.md +++ b/docs/12-dev-instance.md @@ -62,7 +62,7 @@ When a dev theme is "shipped": 2. **POST to prod**: ```bash curl -k -X POST \ - -H "X-Emby-Token: *redacted*" \ + -H "X-Emby-Token: " \ -H "Content-Type: application/json" \ --data @/tmp/branding.json \ https://arrflix.s8n.ru/System/Configuration/branding diff --git a/docs/15-force-english.md b/docs/15-force-english.md index 3bfdec8..1bf59f5 100644 --- a/docs/15-force-english.md +++ b/docs/15-force-english.md @@ -84,7 +84,7 @@ of `add-jellyfin-user.sh` already uses. **Reference curl** (single user, marco): ```bash -TOKEN=*redacted* +TOKEN= USER_ID=d787fbfc373a44119a247e7406b2721e curl -s "https://arrflix.s8n.ru/Users/$USER_ID" \ -H "Authorization: MediaBrowser Token=$TOKEN" > /tmp/u.json @@ -170,7 +170,7 @@ That is a one-line addition; the rest of the wrapper is untouched. 1. Review this doc and `bin/force-english-all-users.sh`. 2. Run the script with the admin token in env: ``` - JELLYFIN_TOKEN=*redacted* bin/force-english-all-users.sh + JELLYFIN_TOKEN= bin/force-english-all-users.sh ``` 3. Hard-refresh each browser (Ctrl-Shift-R) to clear any cached locale bundle the SPA loaded on previous visit. diff --git a/snapshots/2026-05-08-pre-elegantfin/RESTORE.md b/snapshots/2026-05-08-pre-elegantfin/RESTORE.md index 25eb5f3..4fba25e 100644 --- a/snapshots/2026-05-08-pre-elegantfin/RESTORE.md +++ b/snapshots/2026-05-08-pre-elegantfin/RESTORE.md @@ -33,7 +33,7 @@ User IDs captured: ```bash SNAP=/tmp/ARRFLIX/snapshots/2026-05-08-pre-elegantfin -TOKEN="*redacted*" +TOKEN="" BASE="https://arrflix.s8n.ru" ``` @@ -76,7 +76,7 @@ done ```bash SNAP=/tmp/ARRFLIX/snapshots/2026-05-08-pre-elegantfin -TOKEN="*redacted*" +TOKEN="" BASE="https://arrflix.s8n.ru" # 1. branding