dweymouth / supersonic

A lightweight and full-featured cross-platform desktop client for self-hosted music servers
GNU General Public License v3.0

Authentication failed (wrong username/password) #265

Closed pinusc closed 8 months ago

pinusc commented 8 months ago

Hi! This program is currently completely unusable for me as it does not let me log in to my server. At the login screen, I input server URL, username, password, and after "Trying connection" I get "Authentication failed (wrong username/password)".

I have tried with "Use legacy authentication" as well, to no avail. Running it through a terminal also doesn't show any relevant output (which stops printing after the app is running).

I decided to dig a little into the issue and checked my server logs. It seems like (on legacy auth, at least) supersonic is sending two requests in quick succession, the first of which is malformed (empty password field).

Here's the log from LMS (lightweight music server, subsonic-compatible and it does work with other clients):

10.0.0.7 - - [2023-Oct-29 15:12:59.111] "GET /rest/ping?c=supersonic&f=xml&p=&u=myusername&v=1.8.0 HTTP/1.0" 200 178
10.0.0.7 - - [2023-Oct-29 15:12:59.915] "GET /rest/ping?c=supersonic&f=xml&p=the+password&u=myusername&v=1.8.0 HTTP/1.0" 200 184

and in error.log

[2023-Oct-29 15:12:59.110] 27868 - [error] - [API_SUBSONIC] Error while processing request '/ping', params = [{c=supersonic}, {f=xml}, {p=*REDACTED*}, {u=myusername}, {v=1.8.0}, ], code = 40, msg = 'Wrong username or password.'
[2023-Oct-29 15:12:59.915] 27868 - [error] - [API_SUBSONIC] Error while processing request '/ping', params = [{c=supersonic}, {f=xml}, {p=*REDACTED*}, {u=myusername}, {v=1.8.0}, ], code = 0, msg = 'Login throttled, too many attempts'

So it looks like in the first request the password is empty, and it gets rejected by the server. Then it immediately gets throttled for a few seconds following the "incorrect" login, and the second request gets denied. I suppose other servers do not implement such an immediate throttling and will happily respond to the second request, which is correctly formed.

dweymouth commented 8 months ago

I can connect to the LMS demo server on my end, so I'm not sure what's going on here. Did you fill in the alternate hostname field by any chance? The way that works is if you've supplied both a primary and alternate hostname, Supersonic will ping both and go with whichever returns first. So maybe try again without setting the alternate hostname? Also I don't think LMS should be logging wrong user/password for the ping endpoint since that endpoint is supposed to be able to be called unauthenticated, to check if the server is up. @epoupon any ideas?

epoupon commented 8 months ago

LMS throttles the IP for 3s once 5 consecutive attempts are hit. Then each next bad attempt makes the IP throttled for 3s. So it looks like this algorithm makes you definitely stuck (restarting lms, or just logging in on the web interface, would help). I think I could relax this a bit to give the user 5 more attempts each time throttling is over. That being said, the doc says all endpoints are authenticated, and the ping endpoint can also be used to test the login/password validity.
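The interaction between the two-ping pattern pinusc saw in the log (empty password, then the real one 0.8 s later) and the throttling policy epoupon describes can be replayed in a small model. The following is an added example written for this page, not LMS's or Supersonic's own code: the strict variant re-arms the 3 s block on every bad attempt once five consecutive failures have been reached, the relaxed variant (epoupon's proposed change) hands back a fresh budget of five attempts when a block expires. The timestamps, the 5-attempt limit and the 3 s window are taken from the thread; the assumption that a successful login clears the consecutive-failure counter is mine.

```go
package main

import (
	"fmt"
	"time"
)

// Outcome mirrors the three results visible in the LMS error log above.
type Outcome string

const (
	OK        Outcome = "ok"
	WrongCred Outcome = "wrong username or password"
	Throttled Outcome = "login throttled, too many attempts"
)

// Throttle is a per-IP model of the policy described in the thread: after
// MaxFailures consecutive bad attempts the IP is blocked for Window, and
// every later bad attempt blocks it again. With Relaxed set, the failure
// counter is cleared once a block expires, so the client gets a fresh
// budget of MaxFailures attempts. Constructed model, not LMS's own code.
type Throttle struct {
	MaxFailures int
	Window      time.Duration
	Relaxed     bool

	failures  int
	blockedTo time.Time
}

// Attempt records one login attempt from the throttled IP at time now.
// Attempts that arrive while the block is active are rejected before the
// credentials are even looked at, which is what "code = 0" in the log shows.
func (t *Throttle) Attempt(now time.Time, passwordOK bool) Outcome {
	if now.Before(t.blockedTo) {
		return Throttled
	}
	if t.Relaxed && !t.blockedTo.IsZero() {
		// Block has expired: the relaxed policy forgets the old failures.
		t.failures = 0
		t.blockedTo = time.Time{}
	}
	if passwordOK {
		t.failures = 0 // assumption: a good login ends the "consecutive" run
		return OK
	}
	t.failures++
	if t.failures >= t.MaxFailures {
		t.blockedTo = now.Add(t.Window)
	}
	return WrongCred
}

// Simulate replays the scenario from the log: a burst of bad logins that arms
// the throttle, then the client's legacy-auth pair of pings (empty password,
// then the real one 800 ms later) long after the 3 s block has expired.
// It returns the outcomes of that final pair.
func Simulate(relaxed bool) [2]Outcome {
	t := &Throttle{MaxFailures: 5, Window: 3 * time.Second, Relaxed: relaxed}
	start := time.Date(2023, 10, 29, 15, 12, 0, 0, time.UTC)
	for i := 0; i < 5; i++ {
		t.Attempt(start.Add(time.Duration(i)*time.Second), false)
	}
	later := start.Add(time.Minute)                              // block long expired
	first := t.Attempt(later, false)                             // p= (empty)
	second := t.Attempt(later.Add(800*time.Millisecond), true)   // p=the+password
	return [2]Outcome{first, second}
}

func main() {
	for _, relaxed := range []bool{false, true} {
		r := Simulate(relaxed)
		fmt.Printf("relaxed=%v: first ping -> %s, second ping -> %s\n", relaxed, r[0], r[1])
	}
}
```

In strict mode the empty-password ping counts as one more bad attempt, re-arms the block, and the correctly formed ping 800 ms later is throttled, so the client can never get a good login through to clear the counter. In relaxed mode the expired block resets the budget, the empty ping only costs one attempt, and the real ping succeeds.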

pinusc commented 8 months ago

Huh. Even after restarting lms (a few hours after the initial attempt), I got the same pattern of two pings, first with empty password and second throttled. Successful logins from the web interface (or other devices) also didn't seem to help.

Out of curiosity, I updated my lms server (I was on 3.32.0) and I can log in fine; the issue disappeared. Still not really sure what the problem was!

Thanks for the support and sorry for wasting your time due to out-of-date installation.

epoupon commented 8 months ago

Because this was stricter in 3.32.0, see https://github.com/epoupon/lms/issues/302