Diffstat (limited to 'Jellyfin.Api/Controllers')
| -rw-r--r-- | Jellyfin.Api/Controllers/DisplayPreferencesController.cs | 2 | ||||
| -rw-r--r-- | Jellyfin.Api/Controllers/ImageController.cs | 11 | ||||
| -rw-r--r-- | Jellyfin.Api/Controllers/QuickConnectController.cs | 26 | ||||
| -rw-r--r-- | Jellyfin.Api/Controllers/SessionController.cs | 5 |
4 files changed, 31 insertions, 13 deletions
diff --git a/Jellyfin.Api/Controllers/DisplayPreferencesController.cs b/Jellyfin.Api/Controllers/DisplayPreferencesController.cs
index 14fd7eb3c..67cceb4a8 100644
--- a/Jellyfin.Api/Controllers/DisplayPreferencesController.cs
+++ b/Jellyfin.Api/Controllers/DisplayPreferencesController.cs
@@ -178,7 +178,7 @@ namespace Jellyfin.Api.Controllers
 foreach (var key in displayPreferences.CustomPrefs.Keys.Where(key => key.StartsWith("homesection", StringComparison.OrdinalIgnoreCase)))
 {
- var order = int.Parse(key.AsSpan().Slice("homesection".Length), NumberStyles.Any, CultureInfo.InvariantCulture);
+ var order = int.Parse(key.AsSpan().Slice("homesection".Length), CultureInfo.InvariantCulture);
 if (!Enum.TryParse<HomeSectionType>(displayPreferences.CustomPrefs[key], true, out var type))
 {
 type = order < 8 ? defaults[order] : HomeSectionType.None;
diff --git a/Jellyfin.Api/Controllers/ImageController.cs b/Jellyfin.Api/Controllers/ImageController.cs
index 260b9536e..49342ad5c 100644
--- a/Jellyfin.Api/Controllers/ImageController.cs
+++ b/Jellyfin.Api/Controllers/ImageController.cs
@@ -28,6 +28,7 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Primitives;
 using Microsoft.Net.Http.Headers;
 namespace Jellyfin.Api.Controllers
@@ -2026,8 +2027,13 @@ namespace Jellyfin.Api.Controllers
 }
 var acceptParam = Request.Query[HeaderNames.Accept];
+ if (StringValues.IsNullOrEmpty(acceptParam))
+ {
+ return Array.Empty<ImageFormat>();
+ }
- var supportsWebP = SupportsFormat(supportedFormats, acceptParam, ImageFormat.Webp, false);
+ // Can't be null, checked above
+ var supportsWebP = SupportsFormat(supportedFormats, acceptParam!, ImageFormat.Webp, false);
 if (!supportsWebP)
 {
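Review bot: In DisplayPreferencesController.cs the new `int.Parse(...)` call still throws on any `homesection` key whose suffix is not a number, and a parsed negative value reaches `defaults[order]` on the context line because only `order < 8` is checked there. The keys come from `displayPreferences.CustomPrefs`, which appears to be client-supplied data, so a malformed stored key would surface as an unhandled exception. I would parse with `int.TryParse(key.AsSpan().Slice("homesection".Length), NumberStyles.None, CultureInfo.InvariantCulture, out var order)` and check `order is >= 0 and < 8` before indexing. The foreach body continues past the end of the hunk, so the right fallback for a rejected key needs to be confirmed there.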
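Review bot: In ImageController.cs the new early `return Array.Empty<ImageFormat>();` reports no supported formats whenever the `Accept` query parameter is absent, which bypasses the `supportedFormats` argument and the unconditional `formats.Add(ImageFormat.Jpg)` / `formats.Add(ImageFormat.Png)` fallback visible in the following hunk (@@ -2049). If `supportedFormats` is built from the request's Accept header, as its name suggests, clients that negotiate by header alone now get an empty list. To satisfy the nullable warning without changing behaviour I would drop the early return and bind a non-null string once, `var acceptParam = Request.Query[HeaderNames.Accept].ToString();`, which also removes both `acceptParam!` uses and their comments. That assumes `SupportsFormat` accepts an empty string; its definition and the start of this method are outside the hunk.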
@@ -2049,7 +2055,8 @@ namespace Jellyfin.Api.Controllers
 formats.Add(ImageFormat.Jpg);
 formats.Add(ImageFormat.Png);
- if (SupportsFormat(supportedFormats, acceptParam, ImageFormat.Gif, true))
+ // Can't be null, checked above
+ if (SupportsFormat(supportedFormats, acceptParam!, ImageFormat.Gif, true))
 {
 formats.Add(ImageFormat.Gif);
 }
diff --git a/Jellyfin.Api/Controllers/QuickConnectController.cs b/Jellyfin.Api/Controllers/QuickConnectController.cs
index 77d88475f..6dbcdae22 100644
--- a/Jellyfin.Api/Controllers/QuickConnectController.cs
+++ b/Jellyfin.Api/Controllers/QuickConnectController.cs
@@ -1,3 +1,4 @@
+using System;
 using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
@@ -51,7 +52,7 @@ namespace Jellyfin.Api.Controllers
 /// <response code="200">Quick connect request successfully created.</response>
 /// <response code="401">Quick connect is not active on this server.</response>
 /// <returns>A <see cref="QuickConnectResult"/> with a secret and code for future use or an error message.</returns>
- [HttpGet("Initiate")]
+ [HttpPost("Initiate")]
 [ProducesResponseType(StatusCodes.Status200OK)]
 public async Task<ActionResult<QuickConnectResult>> InitiateQuickConnect()
 {
@@ -67,6 +68,16 @@ namespace Jellyfin.Api.Controllers
 }
 /// <summary>
+ /// Old version of <see cref="InitiateQuickConnect" /> using a GET method.
+ /// Still available to avoid breaking compatibility.
+ /// </summary>
+ /// <returns>The result of <see cref="InitiateQuickConnect" />.</returns>
+ [Obsolete("Use POST request instead")]
+ [HttpGet("Initiate")]
+ [ApiExplorerSettings(IgnoreApi = true)]
+ public Task<ActionResult<QuickConnectResult>> InitiateQuickConnectLegacy() => InitiateQuickConnect();
+
+ /// <summary>
 /// Attempts to retrieve authentication information.
 /// </summary>
 /// <param name="secret">Secret previously returned from the Initiate endpoint.</param>
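Review bot: The compatibility route `[HttpGet("Initiate")]` added in the @@ -67 hunk of QuickConnectController.cs keeps an operation that creates a request and returns a secret reachable through a safe, cacheable method, and nothing on it says when the route goes away. I would put the removal plan into the attribute and the summary, for example `[Obsolete("Use POST request instead; the GET route will be removed in a future release")]`. Unless a global policy already covers it, marking the legacy action with `[ResponseCache(NoStore = true, Location = ResponseCacheLocation.None)]` would keep intermediaries from storing the response that carries the secret. Whether the server sets cache headers elsewhere is not visible in this diff.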
@@ -96,6 +107,7 @@ namespace Jellyfin.Api.Controllers
 /// Authorizes a pending quick connect request.
 /// </summary>
 /// <param name="code">Quick connect code to authorize.</param>
+ /// <param name="userId">The user the authorize. Access to the requested user is required.</param>
 /// <response code="200">Quick connect result authorized successfully.</response>
 /// <response code="403">Unknown user id.</response>
 /// <returns>Boolean indicating if the authorization was successful.</returns>
@@ -103,17 +115,19 @@ namespace Jellyfin.Api.Controllers
 [Authorize(Policy = Policies.DefaultAuthorization)]
 [ProducesResponseType(StatusCodes.Status200OK)]
 [ProducesResponseType(StatusCodes.Status403Forbidden)]
- public async Task<ActionResult<bool>> AuthorizeQuickConnect([FromQuery, Required] string code)
+ public async Task<ActionResult<bool>> AuthorizeQuickConnect([FromQuery, Required] string code, [FromQuery] Guid? userId = null)
 {
- var userId = User.GetUserId();
- if (userId.Equals(default))
+ var currentUserId = User.GetUserId();
+ var actualUserId = userId ?? currentUserId;
+
+ if (actualUserId.Equals(default) || (!userId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))
 {
- return StatusCode(StatusCodes.Status403Forbidden, "Unknown user id");
+ return Forbid("Unknown user id");
 }
 try
 {
- return await _quickConnect.AuthorizeRequest(userId, code).ConfigureAwait(false);
+ return await _quickConnect.AuthorizeRequest(actualUserId, code).ConfigureAwait(false);
 }
 catch (AuthenticationException)
 {
diff --git a/Jellyfin.Api/Controllers/SessionController.cs b/Jellyfin.Api/Controllers/SessionController.cs
index 9218c3b5c..25f930135 100644
--- a/Jellyfin.Api/Controllers/SessionController.cs
+++ b/Jellyfin.Api/Controllers/SessionController.cs
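Review bot: The new guard in AuthorizeQuickConnect compares the nullable parameter instead of the resolved id: when `userId` is omitted, `userId.Equals(currentUserId)` is false, so every non-administrator is rejected even when authorizing their own account. Comparing the resolved value keeps the administrator override and restores the self-service case: `if (actualUserId.Equals(default) || (!actualUserId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))`. `Forbid("Unknown user id")` also changes meaning, because the string argument of `ControllerBase.Forbid` is an authentication scheme name rather than a response body, so the removed `return StatusCode(StatusCodes.Status403Forbidden, "Unknown user id");` should stay. The doc line added in the @@ -96 hunk has a typo (`The user the authorize`), and the try/catch continues outside the hunk.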
@@ -294,10 +294,7 @@ namespace Jellyfin.Api.Controllers
 {
 var currentSession = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
- if (command is null)
- {
- throw new ArgumentException("Request body may not be null");
- }
+ ArgumentNullException.ThrowIfNull(command);
 command.ControllingUserId = currentSession.UserId; |
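Review bot: `ArgumentNullException.ThrowIfNull(command);` still runs after the awaited `RequestHelpers.GetSession(...)` call, so a request without a body performs the session lookup before it is rejected, and the rejection is an exception rather than an explicit client error. I would make the guard the first statement of the action, or return `BadRequest("Request body may not be null")` there if no exception filter maps argument exceptions to a 400. The action's signature and the rest of its body are outside the hunk, so how `command` is bound could not be checked.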
