epoupon / lms

Lightweight Music Server. Access your self-hosted music using a web interface.
http://lms-demo.poupon.dev
GNU General Public License v3.0

[Question] Error when connecting without legacyauthentication using py-sonic #362

Closed GioF71 closed 10 months ago

GioF71 commented 10 months ago

Hello, thank you for your great software. I am running it using docker with the following compose file:

---
version: "2.4"

services:
  lms:
    image: epoupon/lms:latest
    container_name: lms-lightweight-music-server
    user: 1000:1000
    environment:
      - TZ
    ports:
      - 5082:5082
    volumes:
      - /var/cache/docker-data/lms-lightweight-music-server/data:/var/lms
      - /mnt/local/mydisk/music/exported:/music:ro

The web application works well as expected. I just created a user "giovanni". However, with reference to this python example (adapted from py-sonic):

#!/usr/bin/env python

from pprint import pprint
import libsonic

conn = libsonic.Connection(
    baseUrl = 'http://192.168.1.174', 
    port=5082, 
    username='giovanni', 
    password='my-password', 
    legacyAuth = False)
# Let's get 2 completely random songs
songs = conn.getRandomSongs(size=2)
# We'll just pretty print the results we got to the terminal
pprint(songs)

I get this error:

libsonic.errors.SonicError: Token authentication not supported for LDAP users.

Instead it works if I set legacyAuth to True. I'd rather avoid enabling legacyAuthentication, also considering that it is not needed when connecting to a Navidrome and a Gonic instance. I cannot figure out what I am doing wrong; it seems to me that the authentication mode is not LDAP, as I did not change anything in that direction and I don't even run any LDAP server.

Thank you for your help!

epoupon commented 10 months ago

Hello! LMS does not store passwords in clear text, so it has no way to handle the hash-based authentication. This is not such a big deal if you ensure your connection is secure and if you take care of your server's access logs. The returned error is the same one as if you forward authentication to an external service; this is the legacy Subsonic error code. Note that LMS is part of OpenSubsonic, and we hope to provide a new secure scheme soon.

GioF71 commented 10 months ago

Hello, thank you for the quick reply. Yes, I am aware of the OpenSubsonic project; I am looking forward to implementing its features in my project, which is the upmpdcli client for Subsonic (see here)

About the password, it's OK; my only concern is that I send the stream URL to Music Player Daemon, and in the case of LMS, a URL will look like this:

http://192.168.1.173:49139/subsonic/track/version/1/trackId/tr-105699] media_url [http://gruesome04.homelab.local:5082/rest/stream?id=tr-105699&format=flac&u=giovanni&p=enc:12345555555555555555555555&c=upmpdcli&v=1.16.1

I have replaced the actual value of p with 12345555555555555555555555. But is this encoding reversible? If so, the password could be exposed. Isn't that true, or am I missing something?

Thank you again

epoupon commented 10 months ago

Yes, it is completely reversible, unfortunately. It is just hex encoded.
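An added illustration, not part of the original thread and not code from LMS or py-sonic: it shows that the legacy `p=enc:` value is plain hex, that the Subsonic token scheme (`t = md5(password + salt)`) can only be computed from the clear-text password, and one way to mask credential parameters before a stream URL reaches a log. The function names, host name and sample values are hypothetical and constructed for the example.

```python
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Subsonic query parameters that carry credential material:
# p = password (plain or enc:hex), t = token, s = salt.
SECRET_PARAMS = {"p", "t", "s"}


def decode_legacy_password(p: str) -> str:
    """Recover the password from a legacy `p` value (plain or `enc:` + hex)."""
    if p.startswith("enc:"):
        return bytes.fromhex(p[4:]).decode("utf-8")
    return p


def token_params(password: str, salt: Optional[str] = None) -> dict:
    """Token scheme: t = md5(password + salt), s = salt.

    Both sides need the clear-text password to compute t, so a server that
    keeps only password hashes cannot verify it.
    """
    salt = salt or secrets.token_hex(8)
    token = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return {"t": token, "s": salt}


def redact_subsonic_url(url: str) -> str:
    """Mask credential parameters before a stream URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    sample_p = "enc:" + "s3cret-example".encode("utf-8").hex()
    sample_url = ("http://lms.example:5082/rest/stream?id=tr-1&format=flac"
                  f"&u=alice&p={sample_p}&c=demo&v=1.16.1")
    print(decode_legacy_password(sample_p))  # the hex decodes straight back
    print(token_params("s3cret-example", salt="a1b2c3"))
    print(redact_subsonic_url(sample_url))
```

Redaction only covers logs written by the client; the full URL still reaches whatever consumes it, so the transport and the server's access logs need protecting as well.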

GioF71 commented 10 months ago

Ok thank you, I believe we can close this.