jeffvli / feishin

A modern self-hosted music player.
https://feishin.vercel.app
GNU General Public License v3.0

Fixing CORS Problems in the Latest Release Build #289

Closed kobayashi90 closed 4 months ago

kobayashi90 commented 8 months ago

Since Feishin is just a WebApp wrapped in Electron, it's not an actual client like SoniXD was. Because of that, your supposed client needs to disable CORS/SSL checks in order to work. Further details below:

[screenshot: firefox_gn6iPixJ7K]

Disabling that server-side makes it vulnerable to XSS attacks. An idea of how to fix this might be on this link.

I hope someone finds a solution to this, because as long as this isn't fixed people are stuck using SoniXD. Have a great day.

BlackDragon-B commented 8 months ago

Sonixd is just as much of a webapp in electron as Feishin is.

kobayashi90 commented 8 months ago

Sonixd is just as much of a webapp in electron as Feishin is.

It must be different if it works fine on SoniXD and not on Feishin.

TL;DR: The bug is not that it's a WebApp, it's an "Electron app that has CORS enabled" as linked above.

BlackDragon-B commented 8 months ago

You can ignore CORS and SSL in the Manage Servers menu.

kobayashi90 commented 8 months ago

You can ignore CORS and SSL in the Manage Servers menu.

It's enabled but it still fails as shown below: [screenshot: firefox_Dtb0DlyqKN]

Similar behavior got reported here as well.

Further info: this screenshot shows the WebApp on the webpage. The same happens on the desktop version, except it throws a similar error with the u= variable missing instead of e= missing.

kobayashi90 commented 8 months ago

Further investigation showed that other web clients seem to have no problems with CORS or SSL. You can try it for yourself below:

https://jamstash.com/ Server Url: https://www.squidify.org Username: Guest Password: Guest

kobayashi90 commented 8 months ago

@jeffvli I don't want to be that person getting on your nerves, but any idea what causes this? And no, disabling CORS (aka whitelisting everything with "*") server-side is not the solution. But it works fine on SoniXD as described above. Thanks for your reply.

kgarner7 commented 8 months ago

A couple of things:

1. When I test it out on Jamstash, I absolutely do see `Access-Control-Allow-Origin: *` on your domain. It is using subsonic-only APIs and not Navidrome. This is the reason why Sonixd doesn't run into any issues, as it only uses the subsonic API.
2. If you want to use the Webapp, you have two solutions:
   1. Allow CORS on the Navidrome endpoint as well. No modern browser will allow the requests otherwise.
   2. Self-host the webapp on a subpath of your Navidrome instance (I do this myself, and I have reverse proxy authentication enabled). This means that the flow would be authenticate -> load feishin web -> login (as guest)
3. Since you appear to have special auth around the Navidrome API, the desktop app will not work for you (unless you add exclusions to the auth by certain IP addresses). Maybe in the long term there can be something that detects the authentication portal and tries to deal with that, but it is not a trivial problem to solve.
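To make the browser-side reasoning in the comment above concrete, here is an added example (not Feishin's or Navidrome's code) that models the browser's CORS response check for the endpoint shapes described in this thread. The header sets, the `music.example` host and the `/auth/login` path are constructed samples; only the `Access-Control-Allow-Origin: *` on the Subsonic endpoint comes from the thread.

```javascript
// Added example, not project code: a minimal model of the browser-side CORS
// response check. Header values below are constructed samples.

// Same-origin requests never go through the CORS check at all; this is why
// serving the web app on a subpath of the Navidrome instance works.
function isSameOrigin(pageUrl, apiUrl) {
  return new URL(pageUrl).origin === new URL(apiUrl).origin;
}

// Decide whether the browser would expose a cross-origin response to the page.
// `withCredentials` models a request that carries cookies (e.g. behind
// reverse-proxy authentication), where the rules are stricter.
function corsAllowsResponse(requestOrigin, responseHeaders, withCredentials) {
  const headers = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (withCredentials) {
    if (allowOrigin === '*') {
      return { allowed: false, reason: 'wildcard origin is rejected for credentialed requests' };
    }
    if (headers['access-control-allow-credentials'] !== 'true') {
      return { allowed: false, reason: 'Access-Control-Allow-Credentials: true missing' };
    }
  }
  if (allowOrigin === '*' || allowOrigin === requestOrigin) {
    return { allowed: true, reason: `origin ${requestOrigin} permitted` };
  }
  return { allowed: false, reason: `origin ${requestOrigin} not permitted` };
}

// Constructed samples modeled on the thread: the Subsonic endpoint answers
// with a wildcard, the Navidrome endpoint sends no CORS header at all.
const SUBSONIC_HEADERS = { 'Access-Control-Allow-Origin': '*', 'Content-Type': 'application/json' };
const NAVIDROME_HEADERS = { 'Content-Type': 'application/json' };

// Nothing a web page sets client-side (e.g. an "ignore CORS" toggle) changes
// this decision; only the server's headers or a same-origin deployment can.
function checkScenarios() {
  return {
    jamstashToSubsonic: corsAllowsResponse('https://jamstash.com', SUBSONIC_HEADERS, false).allowed,
    feishinWebToNavidrome: corsAllowsResponse('https://feishin.vercel.app', NAVIDROME_HEADERS, false).allowed,
    wildcardWithCookies: corsAllowsResponse('https://feishin.vercel.app', SUBSONIC_HEADERS, true).allowed,
    selfHostedSubpath: isSameOrigin('https://music.example/feishin/', 'https://music.example/auth/login'),
  };
}
```

The `wildcardWithCookies` case shows why "just allow *" is not enough once the reverse proxy authenticates with cookies: a credentialed request needs an explicit origin plus `Access-Control-Allow-Credentials: true`.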

kobayashi90 commented 8 months ago

A couple of things:

1. When I test it out on Jamstash, I absolutely do see `Access-Control-Allow-Origin: *` on your domain. It is using subsonic-only APIs and not Navidrome. This is the reason why Sonixd doesn't run into any issues, as it only uses the subsonic API.

2. If you want to use the Webapp, you have two solutions:

   1. Allow CORS on the Navidrome endpoint as well. No modern browser will allow the requests otherwise.
   2. Self-host the webapp on a subpath of your Navidrome instance (I do this myself, and I have reverse proxy authentication enabled). This means that the flow would be authenticate -> load feishin web -> login (as guest)

3. Since you appear to have special auth around the Navidrome API, the desktop app will not work for you (unless you add exclusions to the auth by certain IP addresses). Maybe in the long term there can be something that detects the authentication portal and tries to deal with that, but it is not a trivial problem to solve.

I've linked you a possible solution above which you ignored.

[screenshot: Screenshot 2023-10-12 at 18 45 24]

Anyways, is there a way to hardcode feishin web to use only one server?

BlackDragon-B commented 8 months ago

Like I have noted before, the web version of feishin does not use electron.

kobayashi90 commented 8 months ago

Well, you didn't answer this one: "Anyways, is there a way to hardcode feishin web to use only one server?"

BlackDragon-B commented 8 months ago

Well, you didn't answer this one: "Anyways, is there a way to hardcode feishin web to use only one server?"

Nope, authentication and all is done on the client. I also fail to see how hardcoding feishin to only use one server would help fix your current issue.

kobayashi90 commented 8 months ago

I also fail to see how hardcoding feishin to only use one server would help fix your current issue.

Wow, it took me long to find an answer for this. First of all, what do you think I would like to use it for? As an alternative UI that would interact with the internal Navidrome instance, which is hosted on the same server. Not sure how you couldn't deduce this from my answer.

Anyways, going to make a new issue about Feishin needing to focus on the basic feature that is the Subsonic API support. I actually feel trolled throughout the whole issue.

iiPythonx commented 8 months ago

Feishin doesn't support subsonic yet.

kobayashi90 commented 8 months ago

Feishin doesn't support subsonic yet.

Yet somehow Navidrome relies on Subsonic, so how wasn't this one of the first goals to fix? I see no other application using Navidrome's API, or do you?

I hope you agree with me after you have seen the list of clients that Navidrome themselves put up there. I am not here to hate on Feishin, I am using it with a workaround via Tailscale for personal use, but that sure doesn't work for the rest of the people that use it.

iiPythonx commented 8 months ago

Well out of curiosity (if you haven't already tried it / are willing to), does the desktop app work for you? My personal server has CORS enabled on it and the desktop app connected to it just fine without me even needing to enable the "Ignore CORS" option.

kobayashi90 commented 8 months ago

Well out of curiosity (if you haven't already tried it / are willing to), does the desktop app work for you? My personal server has CORS enabled on it and the desktop app connected to it just fine without me even needing to enable the "Ignore CORS" option.

Yes, I have installed the Windows desktop app of Feishin on my machine with both Ignore CORS / Ignore SSL options enabled, which puts out the errors I've described above. Posted a GIF below also. [GIF: Feishin_uTBHXGFRbe]

iiPythonx commented 8 months ago

Not much else I can think of then besides following kgarner's advice:

If you want to use the Webapp, you have two solutions:
i. Allow CORS on Navidrome endpoint as well. No modern browser will allow the requests otherwise
ii. Self-host the webapp on a subpath of your Navidrome instance (I do this myself, and I have reverse proxy authentication enabled). This means that the flow would be authenticate -> load feishin web -> login (as guest)

or getting input from @jeffvli about the CORS switch (possibly?) being broken from the looks of it.

kobayashi90 commented 8 months ago

or getting input from @jeffvli about the CORS switch (possibly?) being broken from the looks of it.

Can confirm that if it is broken it's not a Windows-only thing; confirmed that it's the same on Linux. Not sure about macOS though.

kgarner7 commented 8 months ago

The CORS switch shouldn't exist in the Web version, as the client cannot instruct the browser to ignore CORS. The proper fix for that would be to remove it from the web interface (EDIT: this is also the case for the ignore SSL switch. Those are both things up to the browser itself)

kgarner7 commented 5 months ago

I'm reviewing this again, and the problem is 1: your server, and 2: Feishin for not complaining about your server. Your /auth/login page hits a bot protection (xbone), which prevents properly logging in from Navidrome. Unfortunately it looks like Feishin doesn't also recognize this problem, so it sort of allows access. The second part can be added by doing some better validation, but the former (at least using the Navidrome API) cannot.

kobayashi90 commented 5 months ago

I'm reviewing this again, and the problem is 1: your server, and 2: Feishin for not complaining about your server. Your /auth/login page hits a bot protection (xbone), which prevents properly logging in from Navidrome. Unfortunately it looks like Feishin doesn't also recognize this problem, so it sort of allows access. The second part can be added by doing some better validation, but the former (at least using the Navidrome API) cannot.

Again, it's not a problem on our site because it works on SoniXD; I am waiting until Subsonic API support is fully done.

kobayashi90 commented 4 months ago

I'm reviewing this again, and the problem is 1: your server, and 2: Feishin for not complaining about your server. Your /auth/login page hits a bot protection (xbone), which prevents properly logging in from Navidrome. Unfortunately it looks like Feishin doesn't also recognize this problem, so it sort of allows access. The second part can be added by doing some better validation, but the former (at least using the Navidrome API) cannot.

Proof that it works comes from this related issue: [Essential] Subsonic API Support

kgarner7 commented 4 months ago

I am closing this, as it is a problem with your Navidrome endpoint, not Subsonic. Further progress can be tracked on the subsonic request.

kobayashi90 commented 4 months ago

Coding 101: you don't close an issue if the error still exists even if it's unrelated, even though it's related to the Subsonic API being missing. The error isn't magically gone until the API exists. You can close this now.