That's no different from how just about any other webapp works.
"Bothering" with client-side password hashing, in the absence of TLS, is security theater. It provides only the most trivial protection against eavesdroppers.
If someone can steal an unhashed password, then they can also steal whatever hash you send instead. If you try to fix this with some kind of ad-hoc challenge-response protocol, then the attacker can just steal your session cookie after login.
There shouldn't even be a question of using insecure HTTP for anything that requires authentication.
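The argument in the comment above, as an added Python sketch that is not part of the thread: without TLS, the client-side hash is itself the credential, and a nonce-based challenge-response still leaves the session cookie readable on the wire. The `Server` class, the helper names and the sample password are constructed for illustration.

```python
import hashlib, hmac, secrets

def client_hash(password):
    # Scheme 1: what "hash in the browser" puts on the wire instead of the password.
    return hashlib.sha256(password.encode()).hexdigest()

def respond(verifier, nonce):
    # Scheme 2: ad-hoc challenge-response, HMAC of the server's nonce keyed by the hash.
    return hmac.new(verifier.encode(), nonce.encode(), "sha256").hexdigest()

class Server:
    def __init__(self, password):
        self.verifier = client_hash(password)  # constructed account
        self.sessions, self.nonce = set(), None

    def _session(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_hash(self, wire_value):
        ok = hmac.compare_digest(wire_value, self.verifier)
        return self._session() if ok else None

    def challenge(self):
        self.nonce = secrets.token_hex(16)
        return self.nonce

    def login_response(self, wire_value):
        nonce, self.nonce = self.nonce, None  # each nonce is single use
        if nonce is None:
            return None
        ok = hmac.compare_digest(wire_value, respond(self.verifier, nonce))
        return self._session() if ok else None

def demo():
    # `wire` holds everything visible to a passive observer of plain HTTP.
    server, wire = Server("correct horse"), []
    wire.append(client_hash("correct horse"))
    server.login_hash(wire[0])                           # the user's own login
    replay_ok = server.login_hash(wire[0]) is not None   # observed hash logs in again
    nonce = server.challenge()
    answer = respond(client_hash("correct horse"), nonce)
    cookie = server.login_response(answer)
    wire += [nonce, answer, cookie]
    server.challenge()                                   # fresh nonce for a later attempt
    stale_ok = server.login_response(answer) is not None # old answer is rejected
    cookie_ok = wire[-1] in server.sessions              # but the cookie was on the wire
    return replay_ok, stale_ok, cookie_ok

if __name__ == "__main__":
    print(demo())
```

The password never appears in `wire`, yet two of the three checks succeed for an observer; only transport encryption removes the values from view.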
A lot of these users are not very sophisticated themselves. The least sophisticated attackers are likely to be the most numerous.
This is bad. People who say it's not bad (or worse, suggesting anyone dumb enough to publicly expose their server without TLS) are engaging in security snobbery.
Yes, TLS should be considered a given. Set things up right and you can use TLS locally, too, with Let's Encrypt, which is a prereq to stream some things to streaming sticks using Jellyfin's raw HTTP streaming without a Jellyfin client.