cdf56801cd
apiKey (OpenSubsonic) is preferred. t+s uses md5(subsonic_password+salt) with a constant-time compare. p is disabled by default and gated by SubsonicConfig.AllowPlaintextPassword; enc:HEX obfuscation decoded. Auth failures write a Subsonic "failed" envelope so clients don't see HTTP 401.