[Enhancement]: User access control based on subnet #826

New issue

Open

opened 2026-02-20 01:10:57 -05:00 by deekerman · 3 comments

deekerman commented 2026-02-20 01:10:57 -05:00

Owner

Copy link

Originally created by @cassieesposito on GitHub (Dec 14, 2022).

Describe the feature/enhancement

Allow/deny access to particular users based on the IP/subnet they're connecting from.

There are several use cases for this:

• Deny access to admin account from external IPs
• Deny access from mobile data IP ranges so as to prevent "oopsie" moments
• Integrates with other schedule based access controls that are accomplished by making certain wi-fi networks available or not at certain times of day
• Probably others. These are just the ones I thought of. Specifically the first one, because I've finally gotten around to making my ABS instance available to me via Internet.

Originally created by @cassieesposito on GitHub (Dec 14, 2022). ### Describe the feature/enhancement Allow/deny access to particular users based on the IP/subnet they're connecting from. There are several use cases for this: - Deny access to admin account from external IPs - Deny access from mobile data IP ranges so as to prevent "oopsie" moments - Integrates with other schedule based access controls that are accomplished by making certain wi-fi networks available or not at certain times of day - Probably others. These are just the ones I thought of. Specifically the first one, because I've finally gotten around to making my ABS instance available to me via Internet.

deekerman added the

enhancement

backlog

users & permissions

labels 2026-02-20 01:10:57 -05:00

deekerman commented 2026-02-20 01:10:57 -05:00

Author

Owner

Copy link

@advplyr commented on GitHub (Mar 22, 2023):

I think this is something the end-user would configure on their server and out of the scope of Abs. I may be misunderstanding though what you are requesting. Do you have an example project that does this?

@advplyr commented on GitHub (Mar 22, 2023): I think this is something the end-user would configure on their server and out of the scope of Abs. I may be misunderstanding though what you are requesting. Do you have an example project that does this?

deekerman commented 2026-02-20 01:10:58 -05:00

Author

Owner

Copy link

@cassieesposito commented on GitHub (Mar 23, 2023):

An example of a project that does this is Jellyfin. If you go in to the Networking settings, there is a setting for LAN networks where you can define a comma separated list of IP addresses or subnets. Once you've done that, each user account has a checkbox setting for "Allow remote connections to this server"

I haven't actually looked in to the details of how this is implemented, but the approach that seems obvious to me and will (I hope) more clearly define the behavior I'm describing is as follows.
If LAN networks is defined, upon an authentication attempt, Jellyfin checks whether the user account allows remote connections. If it does not, Jellyfin checks whether the originating IP address is included in Lan networks. If it is not, the authentication request is rejected without ever making a password challenge attempt.

This has at least two use cases, possibly more:

1. The admin account can be set to disallow remote connections.
   • This dramatically improves the security of the system by preventing admin access to ABS, even if the admin password is compromised unless the following additional hoops are jumped through:
     • Finding a bug in ABS that allows escalation from a user privileges to admin privileges OR
     • Compromising the LAN
   • This comes at the cost of being unable to access ABS admin functions remotely unless you do it via VPN, SSH tunnel, or another external-to-ABS solution for making traffic originate within the LAN.
2. Allowing a child whose language skills are subpar to use an insecure password without compromising the security of the user account while still allowing other users to make remote connections.

Configuring this outside of ABS would be a significantly more difficult and fragile process. One possible approach would be to set up an intermediate layer of user authentication at the reverse proxy level. You would have to set the credentials to match the ABS credentials. Upon a successful login attempt to the the intermediate layer, it would forward the credentials to ABS.

• To allow users to update their password without breaking the system, you could create a password update option at the intermediate layer. Upon receiving a successful password update request, it would forward the request to ABS. Upon receiving a success message from ABS, it could update its internal password.
  • I believe to make this work, you would need to create and maintain apps for both iOS and Android in order to have it work with the respective ABS apps
    • You could probably somewhat reduce this burden using a framework like React Native, but you would still need some platform specific code to deal with the mobile platform's respective security policies that keep apps isolated from each other.
      • I don't honestly know whether this is even possible on iOS -- I know that system takes app isolation EXTREMELY seriously.
      • This has the high potential to break in the event that a mobile platform updates its security policies. I know Android has done this in the relatively recent past, and it's easy for me to imagine they're not done refining that.
• This is fragile for the following reasons:
  • If a user updates their password through the ABS interface, they would no longer be able to log in without manual intervention from an administrator
  • If the password update request to ABS succeeded, but the response to the intermediate layer failed, the user would get an "update failed" message, they would no longer be able to log in without manual intervention from an administrator
  • These issues could be somewhat mitigated with a message in response to failed login attempts along the lines of "authentication failed. If you've recently updated your password or attempted to update your password but failed, please enter both the old and new passwords" along with a form for both old and new passwords. Upon receiving a user/oldPW/newPW request, the intermediate layer could try both combinations and if one of them succeeded, make the relevant updates.
    • This is terrible UX
    • This only works if the user still knows both passwords. The chances of this not being the case for users who use password managers is high

In conclusion, this would be dramatically more work than handling this within ABS and would produce a significantly worse product.

@cassieesposito commented on GitHub (Mar 23, 2023): An example of a project that does this is Jellyfin. If you go in to the Networking settings, there is a setting for LAN networks where you can define a comma separated list of IP addresses or subnets. Once you've done that, each user account has a checkbox setting for "Allow remote connections to this server" I haven't actually looked in to the details of how this is implemented, but the approach that seems obvious to me and will (I hope) more clearly define the behavior I'm describing is as follows. If LAN networks is defined, upon an authentication attempt, Jellyfin checks whether the user account allows remote connections. If it does not, Jellyfin checks whether the originating IP address is included in Lan networks. If it is not, the authentication request is rejected without ever making a password challenge attempt. This has at least two use cases, possibly more: 1. The admin account can be set to disallow remote connections. - This dramatically improves the security of the system by preventing admin access to ABS, even if the admin password is compromised unless the following additional hoops are jumped through: - Finding a bug in ABS that allows escalation from a user privileges to admin privileges OR - Compromising the LAN - This comes at the cost of being unable to access ABS admin functions remotely unless you do it via VPN, SSH tunnel, or another external-to-ABS solution for making traffic originate within the LAN. 2. Allowing a child whose language skills are subpar to use an insecure password without compromising the security of the user account while still allowing other users to make remote connections. Configuring this outside of ABS would be a significantly more difficult and fragile process. One possible approach would be to set up an intermediate layer of user authentication at the reverse proxy level. You would have to set the credentials to match the ABS credentials. Upon a successful login attempt to the the intermediate layer, it would forward the credentials to ABS. - To allow users to update their password without breaking the system, you could create a password update option at the intermediate layer. Upon receiving a successful password update request, it would forward the request to ABS. Upon receiving a success message from ABS, it could update its internal password. - I believe to make this work, you would need to create and maintain apps for both iOS and Android in order to have it work with the respective ABS apps - You could probably somewhat reduce this burden using a framework like React Native, but you would still need some platform specific code to deal with the mobile platform's respective security policies that keep apps isolated from each other. - I don't honestly know whether this is even possible on iOS -- I know that system takes app isolation EXTREMELY seriously. - This has the high potential to break in the event that a mobile platform updates its security policies. I know Android has done this in the relatively recent past, and it's easy for me to imagine they're not done refining that. - This is fragile for the following reasons: - If a user updates their password through the ABS interface, they would no longer be able to log in without manual intervention from an administrator - If the password update request to ABS succeeded, but the response to the intermediate layer failed, the user would get an "update failed" message, they would no longer be able to log in without manual intervention from an administrator - These issues could be somewhat mitigated with a message in response to failed login attempts along the lines of "authentication failed. If you've recently updated your password or attempted to update your password but failed, please enter both the old and new passwords" along with a form for both old and new passwords. Upon receiving a user/oldPW/newPW request, the intermediate layer could try both combinations and if one of them succeeded, make the relevant updates. - This is terrible UX - This only works if the user still knows both passwords. The chances of this not being the case for users who use password managers is high In conclusion, this would be dramatically more work than handling this within ABS and would produce a significantly worse product.

deekerman commented 2026-02-20 01:10:58 -05:00

Author

Owner

Copy link

@advplyr commented on GitHub (Apr 30, 2023):

I still think this would be better suited for the user to setup once we finish implementing passportjs here https://github.com/advplyr/audiobookshelf/pull/1636

I'm not sure though

@advplyr commented on GitHub (Apr 30, 2023): I still think this would be better suited for the user to setup once we finish implementing passportjs here https://github.com/advplyr/audiobookshelf/pull/1636 I'm not sure though

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

book_tags_genres_dedupe

episode_download_fallback

Issue-4540-SortBy-StartedDate-and-FinishedDate

episode_meta_tagging

fix_authorize_race_condition

redirect_transcode_requests

progress_updated_sort

fix_ereader_socket_event

fix_change_empty_root_password

fix_podcast_session_track_index

fix_set_token

session_modal_user

localize_durations

fix_oidc_create_user

jwt_auth_refactor

fix_scanner_deleting_single_file_books

fix_mediaprogress_updatedat_2

experimental_next_client

podcast_episode_duration

episode-timestamps-clickable

book_author_secondary_sort_title

podcast_useragents

pathexists_user_access

fix_pathexists_join

book_author_secondary_sort

clean_duplicate_mediaprogress

sanitize_html_description

trix_prevent_attachments

check_path_api_fix

fix_mediaprogress_updatedat

increase_express_json_limit

fix_dockerfile_nunicode

search_episodes

audiobook_tools_update

episode_secondary_sorts

hls_stream_url_update

new_session_track_endpoint

audiobook_tools_enhancements

watcher_rescans_update

player_track_tooltip

fix_exclude_prefixes_crash

socket_item_events

fix_podcast_episode_scanner_promise

new_stats_controller

count_cache_for_userpermissions

parsing-opf-v3

validate_migration_files

fix-quick-match-all-crash

fix-chapter-end-sleep-timer

stringify_sequelize_query

remove-col-ambiguity

fix_next_prev_edit_description

details_trim_whitespace

fix_content_url_basepath

fix_logger_fatal

progress_bar_visibility

batch-edit-populate-map-details

feed_generator_updates

bookmark-modal-updates

migrate-library-item-in-scanner

migrate-new-library-items

migrate-podcasts-new-library-item-2

migrate-podcasts-new-library-item

fix-remove-episode-from-playlist

playback-session-use-new-library-item

refactor-library-item

fix-heatmap-caption

feed-episodes-upsert

share-media-player-media-session-api

remove-old-playlist

remove_old_collection_object

plugin-implementation-demo

feed_migration

refactor-feeds-from-item

fix_remove_authors_no_books

v2.17.3-fk-constraints-migration

migrations-first-upgrade

sqlite_2

feature/nuxt-target-server

waveform

sqlite

playlists

video

v2.32.1

v2.32.0

v2.31.0

v2.30.0

v2.29.0

v2.28.0

v2.27.0

v2.26.3

v2.26.2

v2.26.1

v2.26.0

v2.25.1

v2.25.0

v2.24.0

v2.23.0

v2.22.0

v2.21.0

v2.20.0

v2.19.5

v2.19.4

v2.19.3

v2.19.2

v2.19.1

v2.19.0

v2.18.1

v2.18.0

v2.17.7

v2.17.6

v2.17.5

v2.17.4

v2.17.3

v2.17.2

v2.17.1

v2.17.0

v2.16.2

v2.16.1

v2.16.0

v2.15.1

v2.15.0

v2.14.0

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.0

v2.10.1

v2.10.0

v2.9.0

v2.8.1

v2.8.0

v2.7.2

v2.7.1

v2.7.0

v2.6.0

v2.5.0

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.23

v2.2.22

v2.2.21

v2.2.20

v2.2.19

v2.2.18

v2.2.17

v2.2.16

v2.2.15

v2.2.14

v2.2.13

v2.2.12

v2.2.11

v2.2.10

v2.2.9

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.24

v2.0.23

v2.0.22

v2.0.21

v2.0.20

v2.0.19

v2.0.18

v2.0.17

v2.0.16

v2.0.15

v2.0.14

v2.0.13

v2.0.12

v2.0.11

v2.0.10

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.5

v1.5.0

v1.4.11

v1.4.9

v1.4.7

v1.4.6

v1.4.4

v1.4.2

v1.4.1

v1.4.0

v1.3.4

v1.3.3

v1.3.1

v1.2.8

v1.2.6

v1.2.5

v1.2.4

v1.2.1

v1.1.15

v1.1.14

v1.1.13

v1.1.12

v1.1.11

v1.1.10

v1.1.9

v1.1.8

v1.0.0

0.9.61-beta.0

0.9.61-beta

Labels

Clear labels   

authentication

  

awaiting release

  

backlog

  

bug

  

chapter editor

  

config-issue

  

ebooks

  

encoding/embedding

  

enhancement

  

help wanted

  

listening sessions & progress

  

planned

  

possible plugin

  

progress sync

  

sorting/filtering/searching

  

unable to reproduce

  

upload

  

users & permissions

  

waiting

No labels

authentication

awaiting release

backlog

bug

chapter editor

config-issue

ebooks

encoding/embedding

enhancement

help wanted

listening sessions & progress

planned

possible plugin

progress sync

sorting/filtering/searching

unable to reproduce

upload

users & permissions

waiting

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/audiobookshelf#826

No description provided.