feishin
Add support for connecting to Navidrome behind a reverse proxy with basic authentication
As it's a bit of best practice to protect your Navidrome installation behind a reverse proxy, preferably with authentication when it's exposed to the internet, it would be great to have Feishin support basic authentication as an option to the native Navidrome authentication.
I'm having a bit of trouble with the implementation on this.
I set up basic auth on one of my Navidrome instances, but it's returning a CORS error when trying to authenticate from the frontend. When testing with basic auth using an HTTP client (Insomnia), it works fine.
Can you test on your side if you experience the same issues? You can use the build on #23 to test once it finishes.
My error:
Access to fetch at 'https://demo.sonixd.com/auth/login' from origin 'http://localhost:4343' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

@e1pex I removed your comment since you may have accidentally put your credentials in your comment (from the logs). Recopied it here without the logs.
Hi Jeff
I just did a quick test and I can't get it to work either. I get a 401 error with the new feishin build with CORS disabled (and a new config directory) but it works with a Sonixd instance with same credentials and server.
From the logs it seems Sonixd never does a POST for the auth/login as Feishin does, I don't know if that is any clue?
192.168.xxx.129 - - [06/Feb/2023:07:01:46 +0100] "GET / HTTP/2.0" 401 172 "-""Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0""-"
192.168.xxx.129 - - [06/Feb/2023:07:02:18 +0100] "POST /auth/login HTTP/2.0" 401 574 "-""Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36""-"
192.168.xxx.129 - - [06/Feb/2023:07:04:08 +0100] "POST /auth/login HTTP/2.0" 401 574 "-""Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36""-"
192.168.xxx.129 - - [06/Feb/2023:07:08:28 +0100] "GET /rest/getMusicFolders.view?u=redacted&s=redacted&t=redacted&v=1.13.0&c=sonixd&f=json HTTP/2.0" 200 164 "-""Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Sonixd/0.15.3 Chrome/91.0.4472.164 Electron/13.6.3 Safari/537.36""-"
192.168.xxx.129 - - [06/Feb/2023:07:08:28 +0100] "GET /rest/getPlaylists.view?u=redacted&s=redacted&t=redacted&v=1.13.0&c=sonixd&f=json HTTP/2.0" 200 543 "-""Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Sonixd/0.15.3 Chrome/91.0.4472.164 Electron/13.6.3 Safari/537.36""-"
I'm off for work now but if needed I can do some more troubleshooting later this evening.
Regards Torbjörn
No worries about the credentials in the previous post, they were not real ones.
I did some more testing. When first adding the server with basic authentication checked, I get this in the nginx log when clicking Add:
192.168.xxx.129 - redacted [06/Feb/2023:19:44:29 +0100] "POST /auth/login HTTP/2.0" 200 375 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36" "-"
192.168.xxx.129 - - [06/Feb/2023:19:44:29 +0100] "GET /api/playlist?_end=100&_order=ASC&_sort=name&_start=0 HTTP/2.0" 401 574 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36" "-"
So it seems Feishin manages to log in once, the config is accepted and then Feishin is reloaded?
But after the reload the server shows up as disconnected, and any attempt to get it to reconnect by re-adding the password results in a 401 in the nginx logs:

192.168.xxx.129 - - [06/Feb/2023:19:52:26 +0100] "POST /auth/login HTTP/2.0" 401 574 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36" "-"
In the server config view the basic auth config is missing after the reload, could it be that the basic auth config is lost after the application reload?

Is the CORS error you get from the reverse proxy or from Navidrome? Because I don't see that at all on my side.
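Added example, not part of the original thread and not Feishin or Navidrome code: the diagnosis above rests on the `$remote_user` field of nginx's combined log format (`-` when no basic auth user name was supplied), and this script automates that reading. The sample lines are constructed (including the OPTIONS preflight line, which the thread's excerpts do not show), and the verdict labels are names chosen for this example.

```python
import re
from collections import Counter

# nginx "combined" prefix: addr - remote_user [time] "METHOD target proto" status bytes
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Constructed sample (not copied from the thread); address, user and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - alice [06/Feb/2023:19:44:29 +0100] "POST /auth/login HTTP/2.0" 200 375 "-" "feishin/0.0.1-alpha4" "-"
203.0.113.7 - - [06/Feb/2023:19:44:29 +0100] "GET /api/playlist?_end=100&_start=0 HTTP/2.0" 401 574 "-" "feishin/0.0.1-alpha4" "-"
203.0.113.7 - - [06/Feb/2023:19:52:26 +0100] "POST /auth/login HTTP/2.0" 401 574 "-" "feishin/0.0.1-alpha4" "-"
203.0.113.7 - - [06/Feb/2023:19:53:00 +0100] "OPTIONS /auth/login HTTP/2.0" 401 172 "-" "Mozilla/5.0" "-"
"""


def classify(line):
    """Return (method, path, verdict) for one access-log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Drop the query string: Subsonic-style u=/t=/s= values must not end up in reports.
    path = m["target"].split("?", 1)[0]
    if m["status"] != "401":
        verdict = "not-401"
    elif m["method"] == "OPTIONS":
        # CORS preflights are sent without credentials, so a proxy that demands
        # basic auth on OPTIONS rejects them before the real request is made.
        verdict = "preflight-rejected"
    elif m["user"] == "-":
        verdict = "no-basic-auth-sent"  # no user name was supplied via basic auth
    else:
        verdict = "rejected-with-credentials"
    return m["method"], path, verdict


def summarize(log_text):
    """Count (method, path, verdict) triples over a whole log excerpt."""
    return Counter(row for row in map(classify, log_text.splitlines()) if row)


if __name__ == "__main__":
    for (method, path, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {method:7s} {path:20s} {verdict}")
```
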
Hmm, if you're not getting an error on the login, then it might just be an issue on my side.
I actually didn't pass-through the basic auth to all the API requests since I wanted to make sure that the login itself was working. Let me make some changes and then you can test again.
I did a bit more testing but unfortunately it's probably not going to be feasible to get basic auth working.
While browsing through your server works, the audio player that's being used (mpv) has trouble accessing the audio stream. Even adding credentials in the URL does not seem to work (e.g. http://username:[email protected]).
There's a feature request that I saw regarding this but unfortunately no updates in some time. https://github.com/mpv-player/mpv/issues/2689
Ok I see, do you want to close this for now then? I might do some digging to see if it's possible to find a solution but I can't make a promise on timeline for it.
Actually I was wrong, apparently basic auth can work with mpv, just that there are no dedicated parameters to insert them.
It wasn't working when I was testing it previously... but trying the URL directly from the mpv commandline seems to work. I'll try to implement this again when I have time.
I am not sure if this would be of any help, but the Android client Symfonium has a working basic auth implementation. If it could help, I can share logs from when it tries to connect to my Navidrome instance that sits behind Authelia.
Pinging for this as well, I am in the same situation...
There are a lot of subsonic clients that support this as "legacy" login, using username and password for basic authentication. Some examples:
- Supersonic - https://github.com/dweymouth/supersonic
- Aonsoku - https://github.com/victoralvesf/aonsoku
Almost all Android and iOS subsonic clients support this login model.