Authorized clients and removal

Beta Community DVR Beta
#1

It would be nice if the web interface listed the authorized web clients and had the ability to remove access for a specific client. I view this both as a security and partially a family friendly feature. There may be remote/external devices I’ve previously authorized which I no longer want to have access. Allowing all devices that have ever been authorized to remotely access the web interface/recordings doesn’t sound the most secure.

Also, less important, would be a a log of section detailing the last access by each device (or other logging info).

Add secondary away from home authentication option
#2

Hmm. I don’t store cookies and run in private mode. Every time I watch I get a new token on the same device.

#3

Reviving an old thread, is there anyway to revoke individual authorized devices?

#4

I’m going to update this tread and ask the same question. Can I revoke access to a device I previously granted remote access to?

Example: Rented a cabin with family members who brought a Fire Stick for the kids to watch. I downloaded Channels DVR to it and granted access to Channels DVR so we could watch Live TV. Now the trip is over and I want to remove access from the Fire Stick.

What’s the easiest method?

#5

Is anyone aware of a way to know what remote clients are connected to my DVR? Is there a way to remove or even view these clients?

If not, what’s the easiest way to reset my server so any remote client will need to sign in again and reauthorize?

#6

Is it possible to show a list of active clients on the web ui? Similar to how Plex will list all clients and gives you the option to remove access for any old devices?

I love how accessible Channels is to use remotely, but at the same time, if I connect from a relatives or friends device, it would be nice to be able to remove access at a later date.

#7

There is no way at the moment. Sorry we were so radio silent on this topic.

This was not a priority when we first spun up remote connections. This is something that will be bumped soon though.

Security is very important to us, and we know what standards we should be implementing for it. It’s why we never launched remote connections until we had secure connections in place.

So yeah, sorry it isn’t there now. It won’t be easy to add after the fact, and I can’t say when it will happen, but consider it on our radar now.

Thanks for pushing this!

5 Likes
#8

Just double checking a workaround. If the password is changed and remote connection is disabled and then reenabled, will that trigger reauthenticaton from clients ?

#10

Has this been implemented yet? I see the option to remove a client in the Web UI but it doesn't seem to actually revoke authorization.

#11

Has there been any progress to remove a client? I have removed the client from server, but the next time they connect, it connect right in. I have changed the password for the account and it not not seem to matter. Once a device has successfully logged in, it appears there is not way to remove the client. Any help would be great.

#12

Assuming your talking a remote client, you'd need to revoke the session in whatever oauth provider you signed in with. I believe FB & Google are supported. If local it'll always connect.

#13

You are correct, this is for a remote client. I used the Channel Community Sign in without an oauth provider such as Google. Is their a way I can change my sign on to use my Google account to authorize? I change my password on the Channels Community page, but the remote devices are still able to access. They are not verifying the id before Channels connects back to DVR.

#14

Channels clients use long lived tokens and can only be signed out in the client, not remotely.

Permanently delete a client
#15

Thank you for the clarification. How long is long lived? Is there a chance that the token expires after 6 months, or at renewal of Channels subscription?

1 Like
#16

Forever. All of this is explained in my comment in the back scroll.

As a reminder, Channels is designed as a family DVR, not a sharing piracy platform.

And yeah, we're way late on actually doing this. We'll get to it. It's obviously very complicated to do it after the fact.

1 Like
#17

Bummer. I have an AirBnb I own and use occasionally and got new Google TVs. I thought I was logging them out when I removed them from the GUI. I just found out that they were still active when I launched the app. Until you get this to truly de-authenticate the devices, it would probably be good to put a note on the GUI that removing a device is not de-authenticating it. Better yet, don't let us remove them until they are really removable.

As an alternative to revoking the token, would it be easier to add a knob to suspend them?

#18

I'm doing the following as a workaround that sort of works. I don't use Kids Mode, so I turned on Kids Mode and Kiosk Mode. That disables all recorded content and most of the live channels. It also disables the settings menu on the device. It blocks most everything, but could be better.

I tried creating a Channel Collection and Content Collection called "none" in hopes of using the Allow Content and Channel Collections Server Side settings. Unfortunately, the Channel Collection Server Side setting still allows HD and All. There is no option to Allow Content (or Hide Content) by Collection. Those settings look at content tags instead. I created a content tag on a test video (for surround sound) and was able to block everything but that video.

Based on this, would it be possible to create a "block all content for this client" knob that blocked it from all content, live TV, settings, etc? This would be a great workaround until the delete client functionality could be figured out.