selfoss icon indicating copy to clipboard operation
selfoss copied to clipboard
verified publisher icon fossar

is digest authentication supposed to work?

Open cmm opened this issue 1 year ago • 1 comments

I'm trying to get several Livejournal feeds to work properly (don't ask). So let's say there's a URL of the form https://<user>:<password>@<feed-name>.livejournal.com/data/rss/?auth=digest. It works (as in: fetches all recent entries, including protected ones, without an issue) when fed to wget.

Selfoss logs this for the same feed URL:

[2024-06-30 09:11:10] selfoss.ERROR: error loading feed content for <redacted> {"exception":"[object] (Exception(code: 0): Client error: `GET https://<user>:***@<feed-name>.livejournal.com/data/rss/?auth=digest` resulted in a `401 Unauthorized` response:
Digest authentication <b>FAILED</b>!
 at /var/lib/selfoss/src/helpers/FeedReader.php:58)
[stacktrace]
#0 /var/lib/selfoss/src/spouts/rss/feed.php(65): helpers\\FeedReader->load()
#1 /var/lib/selfoss/src/helpers/ContentLoader.php(132): spouts\^Mss\\feed->load()
#2 /var/lib/selfoss/src/helpers/ContentLoader.php(71): helpers\\ContentLoader->fetch()
#3 /var/lib/selfoss/src/controllers/Sources/Update.php(37): helpers\\ContentLoader->update()
#4 /var/lib/selfoss/index.php(40): controllers\\Sources\\Update->updateAll()
#5 [internal function]: {closure}()
#6 /var/lib/selfoss/vendor/bramus/router/src/Bramus/Router/Router.php(458): call_user_func_array()
#7 /var/lib/selfoss/vendor/bramus/router/src/Bramus/Router/Router.php(440): Bramus\\Router\\Router->invoke()
#8 /var/lib/selfoss/vendor/bramus/router/src/Bramus/Router/Router.php(287): Bramus\\Router\\Router->handle()
#9 /var/lib/selfoss/index.php(170): Bramus\\Router\\Router->run()
#10 {main}
"}

cmm avatar Jun 30 '24 09:06 cmm

Thanks for reporting. This is indeed currently not supported.

We use Guzzle with curl backend and it just defaults to using Basic authentication when credentials are given in the URL, just like curl.

We could set CURLAUTH_ANY flag unconditionally but that might break some sites that support Basic auth using the same URL as unauthenticated (public) feed.

Feel free to apply the following patch if that is not a problem for you: https://github.com/fossar/selfoss/pull/1487

In the long term, we will probably want to allow overriding Guzzle request options, which would allow stuff like setting per-feed proxy, adding extra headers or disabling certificate validation. It would require an user interface (depends on https://github.com/fossar/selfoss/pull/1461, and it would either have to be an exhaustive GUI or some kind of JSON+constants raw text input). I am also not sure how it should interact with spouts that do multiple requests (e.g. SimplePie using auto-discovery or Graby).

jtojnar avatar Jul 03 '24 09:07 jtojnar