CappielloAntonio / tempo

An open source and lightweight music client for Subsonic, designed and built natively for Android.
GNU General Public License v3.0

Login fails with a SSO (Authelia) protected Navidrome server #158

Open linuxundich opened 5 months ago

linuxundich commented 5 months ago

Describe the bug

I run Navidrome 0.51.0 behind NGINX Proxy Manager with Authelia for authorization. The login works in a web browser, as well as on Symfonium on my Android phone. To make this happen, I had to bypass the API from Authelia.

access_control:
  default_policy: deny
  rules:
    ## bypass rules
    - domain: 'auth.mydomain.tld'
      policy: bypass
    - domain: 'music.mydomain.tld'
      policy: bypass
      resources:
      - '^/rest([/?].*)?$'
      - '^/share([/?].*)?$'
[...]
    - domain: "music.mydomain.tld"
      policy: one_factor
[...]

But it looks like Tempo can't handle the login this way. I get the following error: "40 - wrong username or password"

Expected behavior

Login should be possible.

To Reproduce

  1. Install Navidrome
  2. Set up a reverse proxy
  3. Set up SSO with e.g. Authelia
  4. Try to log into Navidrome with Tempo

Environment

Logs or Screenshots

tempo-navidrome-authelia

cstby commented 4 months ago

Have you tried other regexes like one for api? Seems like all we need here is to the api path so we can tell Authelia to bypass auth for everything on that path. Is this not available in the source code?

cstby commented 3 months ago

@linuxundich I was able to connect through Authelia by adding the regex ^/rest.*. My Authelia authentication and SSO is still working as expected. My api bypass rule looks like this:

    - domain:
        - "navidrome.domain.tld"
      policy: bypass
      resources:
      - '^/api([/?].*)?$'
      - '^/rest([/?].*)?$'
      - '^/rest.*'

If the above is too permissive, we might be able to narrow down the regex. Try it out and let me know if it works on your end?
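
Added example, not part of the thread and not code from Tempo, Navidrome or Authelia: a check of how much wider the extra '^/rest.*' pattern is than the anchored patterns in the bypass rule above, run over constructed request targets. It assumes Authelia matches each resources entry against the request path and query, and uses Python's re module, which treats these particular patterns the same way as Go's regexp.

```python
import re

# Patterns copied from the bypass rule quoted in the thread.
ANCHORED = [r'^/api([/?].*)?$', r'^/rest([/?].*)?$']
BROAD = ANCHORED + [r'^/rest.*']

# Constructed request targets (path plus query), not taken from real logs.
SAMPLES = [
    '/rest/ping.view?u=alice&v=1.16.1&c=tempo',
    '/rest',
    '/rest?f=json',
    '/api/song',
    '/restricted/admin',
    '/restore',
    '/app/',
    '/share/abc',
]


def bypassed(target, patterns):
    """True if any resource pattern matches, i.e. the request skips auth."""
    return any(re.search(p, target) for p in patterns)


def report(samples=SAMPLES):
    """One row per target: (target, bypassed by anchored set, by broad set)."""
    return [(s, bypassed(s, ANCHORED), bypassed(s, BROAD)) for s in samples]


def only_broad(samples=SAMPLES):
    """Targets that skip auth solely because of the unanchored '^/rest.*'."""
    return [s for s, anchored, broad in report(samples) if broad and not anchored]


if __name__ == '__main__':
    for target, anchored, broad in report():
        print(f'{target:45} anchored={anchored!s:5} broad={broad}')
    print('bypassed only by ^/rest.*:', only_broad())
```

Any path listed by only_broad() is one that the one_factor policy would otherwise have covered; replacing the sample targets with paths your own server exposes shows whether the broader pattern matters in your deployment.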