epoupon / lms

Lightweight Music Server. Access your self-hosted music using a web interface.
http://lms-demo.poupon.dev
GNU General Public License v3.0

Feature Request: "App passwords" (for http-headers authentication) #283

Open hotburger opened 1 year ago

hotburger commented 1 year ago

Using http headers for authentication seems to make the subsonic api unusable (unless I'm missing something). It would be great if there was a way to create an "app password" to use with subsonic clients. Then you could allow subsonic to bypass the proxy authentication and log in.

epoupon commented 1 year ago

Hello, the subsonic backend does make use of the http headers to find/authenticate the user. What is the problem you are facing?

hotburger commented 1 year ago

With lms fully behind proxy auth, subsonic clients can't get through. With /rest/* allowed unauthenticated I get "Required parameter 'p' is missing". The problem is that the user doesn't have a password, and subsonic's auth is seemingly incompatible with my proxy's auth.

epoupon commented 1 year ago

Ah but I guess if you put whatever user/password in the subsonic client it should work? (using the info from http headers)

hotburger commented 1 year ago

I'm not sure what you mean. If a user is created using the proxy auth, there isn't a password (at least not user facing), since the only thing forwarded to lms is the username of the authenticated user.

epoupon commented 1 year ago

Yes indeed but in the Subsonic client I guess you can fill in whatever you want to make lms happy? (so that it puts u=foo&p=bar for example in the request). I don't say it's the definitive answer for your issue, I just want to make sure I understand correctly.

hotburger commented 1 year ago

You're right, I didn't realize allowing /rest/* would allow subsonic access without valid credentials. I thought it worked like it does in navidrome, where header auth can be used to access the web ui, but a password is still required for the subsonic api. The subsonic api needs to be secured when using header auth for this feature request to apply.

epoupon commented 1 year ago

Ok I understand your point, but I don't see why the Subsonic API would be always excluded from the http headers auth mechanism. For example one could use the subsonic API with a client certificate to authenticate on the reverse proxy server and make lms just pick the authentication result (as it is done today).

So I guess you want each available interface (Subsonic API or web interface) to be configurable with its own authentication backend (http headers, password, PAM).
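The per-interface split proposed above, as an added example that is not lms code: the web UI trusts the username the reverse proxy sets after its own authentication, while /rest/* ignores that header and requires a Subsonic-style app-password check (u/t/s token or legacy u/p). The Remote-User header name, the APP_PASSWORDS store and the path prefixes are assumptions.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs

# Constructed per-user "app passwords" for the demo (a real store would
# keep a derived/hashed form, but the Subsonic token needs the raw secret).
APP_PASSWORDS = {"alice": "correct-horse"}


def subsonic_token(password: str, salt: str) -> str:
    """Subsonic token scheme: t = md5(password + salt), hex encoded."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def authenticate(path: str, headers: dict, query: str) -> Optional[str]:
    """Return the authenticated username, or None to reject the request."""
    if path.startswith("/rest/"):
        # Subsonic API: the proxy header is deliberately ignored here, so
        # allowing /rest/* through the proxy no longer grants free access.
        q = {k: v[0] for k, v in parse_qs(query).items()}
        user = q.get("u")
        if user is None or user not in APP_PASSWORDS:
            return None
        secret = APP_PASSWORDS[user]
        if "t" in q and "s" in q:
            expected = subsonic_token(secret, q["s"])
            return user if hmac.compare_digest(expected, q["t"]) else None
        if "p" in q:
            pw = q["p"]
            if pw.startswith("enc:"):  # legacy hex-encoded form
                pw = bytes.fromhex(pw[4:]).decode()
            ok = hmac.compare_digest(pw.encode(), secret.encode())
            return user if ok else None
        return None
    # Web UI: trust Remote-User only because the proxy is assumed to set it
    # after authenticating and to strip any client-supplied copy.
    user = headers.get("Remote-User")
    return user if user else None
```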

helmut72 commented 10 months ago

Would be great if there is an "app password"/local auth (no PAM) for /rest path, if http-header auth is used.

epoupon commented 3 weeks ago

Will be handled by #544