
Feature Request: "App passwords" (for http-headers authentication)

Open hotburger opened this issue 2 years ago • 8 comments

Using http headers for authentication seems to make the subsonic api unusable (unless I'm missing something). It would be great if there was a way to create an "app password" to use with subsonic clients. Then you could allow subsonic to bypass the proxy authentication and log in.

hotburger avatar Dec 20 '22 07:12 hotburger

Hello, The subsonic backend does make use of the http headers to find/authenticate the user. What is the problem you are facing?

epoupon avatar Dec 20 '22 10:12 epoupon

With lms fully behind proxy auth, subsonic clients can't get through. With /rest/* allowed unauthenticated I get "Required parameter 'p' is missing". The problem is that the user doesn't have a password, and subsonic's auth is seemingly incompatible with my proxy's auth.

hotburger avatar Dec 20 '22 19:12 hotburger

Ah but I guess if you put whatever user/password in the subsonic client it should work? (using the info from http headers)

epoupon avatar Dec 20 '22 22:12 epoupon

I'm not sure what you mean. If a user is created using the proxy auth, there isn't a password (at least not user facing), since the only thing forwarded to lms is the username of the authenticated user.

hotburger avatar Dec 20 '22 22:12 hotburger

Yes indeed, but in the Subsonic client I guess you can fill in whatever you want to make lms happy? (so that it puts u=foo&p=bar for example in the request). I'm not saying it's the definitive answer for your issue, I just want to make sure I understand correctly.

epoupon avatar Dec 20 '22 22:12 epoupon

You're right, I didn't realize allowing /rest/* would allow subsonic access without valid credentials. I thought it worked like it does in navidrome, where header auth can be used to access the web ui, but a password is still required for the subsonic api. The subsonic api needs to be secured when using header auth for this feature request to apply.

hotburger avatar Dec 20 '22 23:12 hotburger

Ok, I understand your point, but I don't see why the Subsonic API would always be excluded from the http headers auth mechanism. For example, one could use the Subsonic API with a client certificate to authenticate on the reverse proxy server and make lms just pick the authentication result (as it is done today).

So I guess you want each available interface (Subsonic API or web interface) to be configurable with its own authentication backend (http headers, password, PAM).

epoupon avatar Dec 21 '22 13:12 epoupon

Would be great if there is an "app password"/local auth (no PAM) for /rest path, if http-header auth is used.

helmut72 avatar Jan 24 '24 19:01 helmut72
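
The thread asks for an "app password" that Subsonic clients could present on /rest while the web UI uses http-headers authentication. The following is an added example (not lms code and not written by any participant): a Python sketch of such a check against the Subsonic API's `u`/`p` and `t`/`s` query parameters. The store, function names and sample secret are hypothetical.

```python
import hashlib
import hmac

# Constructed sample store: username -> app password (hypothetical, not lms's schema).
# Subsonic token auth needs the secret itself on the server, so it cannot be kept
# as a one-way hash: generate it randomly and never reuse a login password for it.
APP_PASSWORDS = {"alice": "k3-constructed-app-secret"}

MISSING_PARAM = 10  # Subsonic error code: required parameter is missing
WRONG_CREDS = 40    # Subsonic error code: wrong username or password


def _decode_p(p):
    """Return the password carried in 'p': clear text, or 'enc:' followed by hex."""
    if p.startswith("enc:"):
        try:
            return bytes.fromhex(p[4:]).decode("utf-8")
        except ValueError:  # bad hex or bad UTF-8
            return None
    return p


def check_subsonic_auth(params, store=APP_PASSWORDS):
    """Authenticate a /rest request from its query parameters only.

    Returns (username, None) on success or (None, error_code) on failure.
    Identity headers set by a reverse proxy are deliberately not consulted.
    """
    user = params.get("u")
    if not user:
        return None, MISSING_PARAM
    secret = store.get(user)
    if "t" in params and "s" in params:
        # Token form: t = md5(password + salt), s = salt
        basis = ((secret or "") + params["s"]).encode("utf-8")
        expected = hashlib.md5(basis).hexdigest().encode()
        supplied = params["t"].lower().encode()
        ok = secret is not None and hmac.compare_digest(expected, supplied)
    elif "p" in params:
        supplied = _decode_p(params["p"])
        ok = (secret is not None and supplied is not None
              and hmac.compare_digest(secret.encode(), supplied.encode()))
    else:
        return None, MISSING_PARAM
    return (user, None) if ok else (None, WRONG_CREDS)
```

With a check like this on /rest, a request carrying `u=foo&p=bar` is rejected with error 40 instead of being accepted on the strength of proxy headers.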