YunoHost-Apps / shaarli_ynh

Shaarli package for YunoHost
GNU General Public License v3.0

Not working with ShaarliOS client (and maybe other apps ?) #39

Closed mro closed 5 years ago

mro commented 5 years ago

A user of my https://github.com/mro/ShaarliOS has just reported the same issue.

How's the situation with other clients like e.g. https://github.com/dimtion/Shaarlier ?

mro commented 5 years ago

#13

lapineige commented 5 years ago

(sorry, misclick)

Please give the issue a proper name next time, this one isn't very eloquent :)

lapineige commented 5 years ago

I don't know about Shaarlier.

How is your app working? Where is it searching the API? Do you know precisely what's not working?

mro commented 5 years ago

> I don't know about Shaarlier.

That's the client software mentioned in #13.

> How is your app working?

Login fails because it can't find the login form inside the HTML (and needs it for CSRF tokens).

> Where is it searching the API?

/shaarli and is being redirected to /yunohost/sso/?r=...

Tomorrow I will ask my user who has the issue, if you may know the endpoint FQDN.

> Do you know precisely what's not working?

If both the https://github.com/mro/Shaarli-API-test/blob/master/tests/test-login-ok.sh and https://github.com/mro/Shaarli-API-test/blob/master/tests/test-post.sh complete successfully we're ok with the sunshine case.

Does that make sense?

Currently I'm redesigning the access and shall add an API facade that hides the Shaarli peculiarities and exposes the pinboard/delicious API. https://github.com/mro/Shaarli-API-test/blob/develop/openapi.yaml – but this may take months to complete.

Essentially the yunohost SSO login seems to get in the way.

lapineige commented 5 years ago

Is that Shaarli instance public? (accessible without the SSO)

mro commented 5 years ago

No. This may be the issue, I ask the bug reporter to make Shaarli public.

lapineige commented 5 years ago

Well, I suppose it has to be public to use the API. Or you could implement the SSO login support. Or maybe just the API URL can be made accessible publicly - but I don't know what the security issues are. In particular, does it add a risk of compromising the password? (as fail2ban is not activated right now for Shaarli)

anmol26s commented 5 years ago

The app needs to be public. Otherwise you have to add the API link to public manually in /etc/ssowat/conf.json.persistent by adding this line:

"skipped_urls": ["shaarli.domain.tld/api_link/"]
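
Added example (not part of the thread, and not code from the shaarli_ynh or SSOwat projects): one way to make the edit described in the comment above without overwriting other settings or exposing more than the API path. It assumes the file is a JSON object and that `skipped_urls` entries are matched as a prefix of host plus path; the function names, sample content and request paths are constructed.

```python
import json

# Constructed sample of an existing conf.json.persistent (the key other than
# "skipped_urls" is a placeholder, not a real SSOwat setting).
SAMPLE_CONF = '{"example_other_key": {"a": 1}, "skipped_urls": ["other.domain.tld/feed/"]}'


def add_skipped_url(conf_text, entry):
    """Return JSON text with `entry` listed in skipped_urls, other keys kept."""
    if "://" in entry:
        raise ValueError("use the host/path form from the thread, without a scheme")
    host, _, path = entry.partition("/")
    if not host or not path.strip("/"):
        # Assumption: entries match as a prefix of host + path, so a bare host
        # would take the whole domain out from behind the SSO login.
        raise ValueError("refusing to skip the SSO for a whole domain: %r" % entry)
    conf = json.loads(conf_text) if conf_text.strip() else {}
    if not isinstance(conf, dict):
        raise ValueError("top level of the config must be a JSON object")
    urls = conf.setdefault("skipped_urls", [])
    if not isinstance(urls, list):
        raise ValueError('"skipped_urls" must be a list')
    if entry not in urls:  # idempotent: running twice adds nothing
        urls.append(entry)
    return json.dumps(conf, indent=4) + "\n"


def bypasses_sso(conf_text, host, path):
    """True if host + path starts with a skipped_urls entry (assumed prefix match)."""
    target = host + path
    return any(target.startswith(u) for u in json.loads(conf_text).get("skipped_urls", []))


if __name__ == "__main__":
    updated = add_skipped_url(SAMPLE_CONF, "shaarli.domain.tld/api_link/")
    print(updated)
    for p in ("/api_link/anything", "/admin"):  # constructed request paths
        print(p, "-> skips SSO:", bypasses_sso(updated, "shaarli.domain.tld", p))
```

Anything listed this way is reachable without the SSO login, so the application's own authentication and the Fail2Ban coverage discussed in this thread are what protect it.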

anmol26s commented 5 years ago

@lapineige Fail2Ban support is there. Have you tested it? Is it failing?

lapineige commented 5 years ago

As replied in #40, sorry, my bad, indeed it's implemented. I did a basic test (trying wrong passwords using web interface), it works.

mro commented 5 years ago

Thank you very much @lapineige and @anmol26s !