jellyfin / jellyfin-plugin-opds

GNU General Public License v3.0

Authentication #4

Closed adamshand closed 2 years ago

adamshand commented 2 years ago

Hey,

Thanks for this great plugin! I see that there's an option in the settings to allow Anonymous access, however if I don't want to allow anonymous access how does a client authenticate?

When I've used Calibre-web I can authenticate with https://user:pass@host/ but that doesn't appear to work with this plugin?

Many thanks for any pointers. Adam.

crobibero commented 2 years ago

It really depends on the client you’re trying to connect with. In some that I’ve tried there’s an option to add a username and password.

adamshand commented 2 years ago

I'm on iOS and have tried using Aldiko and MapleRead. The format above doesn't seem to work for either of them?

Do you have any suggestions for clients which support authenticating the way Jellyfin does it?

Many thanks.

tbyt2000 commented 2 years ago

Hi. I have the same question too. I am using Moon+ Reader Pro on Android - which lets you put in username/password but doesn't work with Jellyfin authentication (works fine on Jellyfin anonymously). If anyone can suggest a working client for Android or iOS I will be happy to switch. Thanks folks.

crobibero commented 2 years ago

@tbyt2000 - I tried Moon+ Reader - it never sends the username and password - so I think it might have a bug. I also tried a few other Android clients, none of which supported authentication properly. All I can say for sure is that the feed works great on my Kobo with KOReader.

@adamshand - I no longer have access to iOS devices, but I suspect the app story is the same as Android.

adamshand commented 2 years ago

Thanks for the reply. I can successfully authenticate to Calibre-Web using both Aldiko and MapleRead, so I think auth is working client side.

Can you see what format Kobo or KOReader is sending the authentication information to Jellyfin? I'm trying this and it's not working:

https://user:pass@host/

crobibero commented 2 years ago

KOReader sends basic auth

Authorization: Basic $(base64($username:$password))

adamshand commented 2 years ago

(Sorry for the spam, I created a couple comments and then deleted them as I learned more.)

Thanks for the additional information, I've done some more testing.

I've verified that both my iOS clients (Aldiko and MapleRead) can authenticate via basic auth to the Calibre-web OPDS feed, but cannot authenticate via basic auth to the Jellyfin OPDS feed. The only way to provide access from iOS clients to the Jellyfin OPDS feed is to enable anonymous access in the plugin settings.

I also note that if I go to the Calibre-web OPDS URL (i.e. https://calibre.domain.nz/opds) I get an HTTP basic auth prompt to log in. If I go to the Jellyfin OPDS URL I just get a blank screen and no authentication prompt. If I enable anonymous access then I get the OPDS feed as expected.

Confusingly, I can authenticate via basic auth successfully from the command line to Jellyfin OPDS.

I'm not sure what's going on but my best guess is that it has to do with the way Jellyfin OPDS is telling the client that basic auth is required.

Here's the response I get when trying to authenticate to Calibre-web with an incorrect user/pass (or no user/pass):

```
❯ https https://adam:badpass@calibre.domain.nz/opds
HTTP/1.1 401 Unauthorized
Content-Length: 90
Content-Security-Policy: default-src 'self'  'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self' data:
Content-Type: text/html; charset=utf-8
Date: Sun, 27 Feb 2022 02:33:07 GMT
Server: Caddy
Strict-Transport-Security: max-age=31536000;
Www-Authenticate: Basic realm="Login Required"
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

Could not verify your access level for that URL.
You have to login with proper credentials
```

However if I try to authenticate to Jellyfin OPDS with an incorrect user/pass, I get this (I've tried bypassing Caddy and talking directly to Jellyfin and it doesn't make a difference):

```
❯ https https://adam:badpass@jellyfin.domain.nz/opds
HTTP/1.1 401 Unauthorized
Content-Length: 25
Content-Type: text/plain
Date: Sun, 27 Feb 2022 01:58:14 GMT
Server: Caddy, Kestrel
X-Response-Time-Ms: 160

Error processing request.
```

I'm wondering if the lack of a Www-Authenticate: Basic realm="Login Required" is confusing the browser into not providing basic auth credentials to the server?

All of this is with version 1 of the OPDS Jellyfin plugin. I see that version 3 is now available so I'll try that and see if it makes any difference.
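An added example, not code from the plugin or from anyone in this thread: a small Python check that classifies a 401 response by whether it carries a `WWW-Authenticate: Basic` challenge with a realm, run over header blocks abbreviated from the two responses quoted above plus one constructed sample. The function names are assumptions made for illustration.

```python
import base64
import re

# Header blocks abbreviated from the two 401 responses quoted in the comment above.
CALIBRE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    'Www-Authenticate: Basic realm="Login Required"\r\n'
    "\r\n"
)
JELLYFIN_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/plain\r\n"
    "Server: Caddy, Kestrel\r\n"
    "\r\n"
)
# Constructed sample: a challenge that names the scheme but carries no realm.
NO_REALM_401 = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n\r\n"


def parse_headers(raw):
    """Return (status_code, [(lowercased name, value), ...]) from a raw header block."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_basic_challenge(raw):
    """Report what a client would learn about Basic auth from this response."""
    status, headers = parse_headers(raw)
    if status != 401:
        return "not-401"
    challenges = [v for n, v in headers if n == "www-authenticate"]
    basic = [c for c in challenges if re.match(r"(?i)basic(\s|$)", c)]
    if not basic:
        return "no-basic-challenge"
    m = re.search(r'(?i)\brealm\s*=\s*"([^"]*)"', basic[0])
    return f"basic realm={m.group(1)!r}" if m else "basic-without-realm"


def basic_authorization(username, password):
    """Build the Authorization value in the Basic format described for KOReader."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"
```

A client that sends credentials only after a challenge has nothing to react to in the second response, while a command-line tool that sends the `Authorization` header preemptively is unaffected.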

crobibero commented 2 years ago

There is a PR that adds the WWW-Authenticate response header, but I didn't think to add realm. I will add that and test tomorrow.

crobibero commented 2 years ago

I can confirm adding realm to the response allows MoonReader+ to browse the feed... ~but it doesn't send auth when trying to get the book cover or when downloading the book...~

Ignore the second part - debugging oddities.

adamshand commented 2 years ago

Can confirm that v4 now works as expected on iOS using MapleRead and Aldiko. Found a bug with Aldiko which I'll report separately.

Thanks!