[
  {
    "category": "General",
    "guid": "b1462fca-774b-4b13-8d02-e2d4f2bc18b9",
    "name": "Bonfire",
    "description": "Adds multi-user profile switching to Jellyfin. A single account can have up to five isolated profiles — each with its own watch history, parental controls, and library access.",
    "overview": "Multi-user profile switching for Jellyfin.",
    "owner": "AHouseOfBards",
    "imageUrl": "https://raw.githubusercontent.com/AHouseOfBards/Bonfire-JellyProfiles/main/images/icon.jpg",
    "versions": [
      {
        "version": "1.1.9.0",
        "changelog": "Security & Stability Release: resolves a critical privilege escalation bug in library permission mapping (ensuring sub-profiles cannot be assigned unauthorized libraries); fixes index.html script double-injection and corruption by using safe conditional inserting; adds index.html backup before patching; mitigates IP-based PIN brute force by rate limiting per profile; resolves XSS vulnerability in profile name rendering; ensures proper lock synchronization on configuration mappings.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1.9/Jellyfin.Profiles.zip",
        "checksum": "e2c022d75338c41ff4c42220f89f1803",
        "timestamp": "2026-06-19T03:45:00Z"
      },
      {
        "version": "1.1.8.0",
        "changelog": "Fix: Rename plugin name/directory from 'Bonfire/JellyProfiles' to 'Bonfire' to resolve the Windows server folder deletion and lock conflict bugs. This stops the restart loop and allows clean updates.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1.8/Jellyfin.Profiles.zip",
        "checksum": "23c4779aa43583be40c45511c487b72c",
        "timestamp": "2026-06-15T13:17:00Z"
      },
      {
        "version": "1.1.7.0",
        "changelog": "Fix: profile switching now works correctly on Jellyfin 10.11+. Root cause: the Authorization header parser was not stripping the 'MediaBrowser ' scheme prefix, so the Client parameter always returned null — causing SessionManager.AuthenticateNewSessionInternal to throw ArgumentNullException (request.App). Fixed in GetAuthorizationParameter; added guaranteed fallbacks on AuthenticationRequest so the switch endpoint can never throw on missing header fields.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1.7/Jellyfin.Profiles.zip",
        "checksum": "20a6598d8bb3fb94fdda30fbabebab98",
        "timestamp": "2026-06-15T10:44:00Z"
      },
      {
        "version": "1.1.6.0",
        "changelog": "Fix: merged BonfireController and AdminController back into single ProfilesController. Jellyfin's plugin loader does not support multiple controllers with the same route prefix from a plugin assembly, causing a permanent restart loop on v1.1.4 and v1.1.5. All endpoints now in one controller; ProfilesBaseController retained for shared helpers only.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1.6/Jellyfin.Profiles.zip",
        "checksum": "0b6481f7f56de24f3c9757d67a73f181",
        "timestamp": "2026-06-15T10:14:42Z"
      },
      {
        "version": "1.1.5.0",
        "changelog": "Bonfire UI fixes: Generate and Join buttons are now disabled during fetch to prevent double-fire; settings checkboxes are debounced 300ms to prevent race conditions when toggling both quickly; join input/button now wraps to full width on screens under 360px; .profiles-btn:disabled visual state added.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1.5/Jellyfin.Profiles.zip",
        "checksum": "3dad590ba972991ec6b410231e4cf59b",
        "timestamp": "2026-06-15T10:01:30Z"
      },
      {
        "version": "1.1.4.0",
        "changelog": "Structural refactor: ProfilesController split into ProfilesController, BonfireController, and AdminController via shared ProfilesBaseController. Five structural issues fixed: controller size, [AllowAnonymous] scope documentation, static field documentation, null-dereference guard on Plugin.Instance in audit log path, redundant SaveConfiguration eliminated from RecordDeviceActivity on known-device updates.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1.4/Jellyfin.Profiles.zip",
        "checksum": "0b6481f7f56de24f3c9757d67a73f181",
        "timestamp": "2026-06-15T09:57:45Z"
      },
      {
        "version": "1.1.3.0",
        "changelog": "Structural cleanup and deletion fix: profile deletion now terminates active sessions first (fixes the root cause of deletion always failing); AuditLogEntry, request model classes, and rate limiters moved to proper namespaces; BonfireRateLimiter/PinRateLimiter merged into a single parameterized RateLimiter class.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1.3/Jellyfin.Profiles.zip",
        "checksum": "07e19c30d165285e71cc9c155ff1df8d",
        "timestamp": "2026-06-15T09:46:00Z"
      },
      {
        "version": "1.1.2.0",
        "changelog": "Bug fixes: GIF profile avatars now served correctly; master token cleared on native sign-out; deletion fallback no longer orphans plugin mapping; Bonfire GroupId no longer re-randomizes on config reload; JS file cached server-side (reduced memory pressure); DOM polling reduced from 150ms to 500ms; audit logs moved to separate file (no longer bloats PluginConfiguration.xml rewrite); profile image uploads capped at 2 MB; Bonfire code lookup is now case-insensitive.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1.2/Jellyfin.Profiles.zip",
        "checksum": "0b6481f7f56de24f3c9757d67a73f181",
        "timestamp": "2026-06-15T09:30:00Z"
      },
      {
        "version": "1.1.1.0",
        "changelog": "Fix: Simplified client-side script auto-injection troubleshooting instructions to use dynamic resolved file paths and a robust permission-granting chmod approach.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1.1/Jellyfin.Profiles.zip",
        "checksum": "8b4245e2f41f435789fd701deabb7891",
        "timestamp": "2026-06-15T00:30:00Z"
      },
      {
        "version": "1.1.0.0",
        "changelog": "Release 1.1.0: Codebase cleanup, optimization, documentation updates, and developer API reference alignment.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.1/Jellyfin.Profiles.zip",
        "checksum": "91686f53f8a192d625e361daa4a5b688",
        "timestamp": "2026-06-14T00:50:00Z"
      },
      {
        "version": "1.0.0.0",
        "changelog": "Initial release.",
        "targetAbi": "10.11.0.0",
        "sourceUrl": "https://github.com/AHouseOfBards/Bonfire-JellyProfiles/releases/download/v1.0.0/Jellyfin.Profiles.zip",
        "checksum": "4d60f997f3a2b9ce7494c3a737777f00",
        "timestamp": "2026-06-11T00:00:00Z"
      }
    ]
  }
]