acn128
1
Hi,
I have a general question before I dive deeper into authentication modules.
I’m using TTRSS for quite some years now together with auth_ldap, but I would like to switch to another authentication system.
That could be either auth_remote or auth_oidc, which I would use together with LemonLDAP::NG.
My question is:
How does API access, e.g. using the TTRSS android app, work together with this?
I’ve seen the “app passwords” section in Settings, so I guess, when switching to auth_remote, I can use these?
Thank you!
Regards,
Anna
fox
2
app passwords are needed because of 2fa which api has no support for. if you don’t have 2fa, you should be able to use your ldap (or whatever) user/password.
auth_remote might work, it’s http basic auth which tt-rss app should support.
acn128
3
Hello,
I configured auth_remote to work together with LemonLDAP::NG (LLNG) and it’s working.
But as LLNG is not “just” HTTP basic auth, the Android app isn’t working any longer, as all API calls get redirected to the LLNG login page.
I then configured LLNG to NOT redirect all calls to /api/, but allow access to /api/, even if not logged in to LLNG.
So I tried app passwords and configured one. But they don’t work, as I don’t use the tt-rss OTP function and I don’t have another compatible auth module enabled.
My question (or ‘feature wish’) would be: Could it be made possible to enable app passwords independently of the OTP function?
Maybe by using a new configuration flag like “ENABLE_API_KEYS” or “ENABLE_APP_PASSWORDS”?
Thank you!
Regards,
Anna
fox
4
you should be able to use app passwords regardless of otp being used, if not it’s a bug.
acn128
5
Hello,
at least here in my case, app passwords don’t seem to work.
I also tried using curl to check the API login:
$ curl -d '{"op":"login","user":"","password":"<app password"}' https://reader./api/
The response is:
{"seq":0,"status":1,"content":{"error":"LOGIN_ERROR"}}
I’m only using auth_remote, no other auth plugins…
My version is fairly new, I updated to the latest git master some days ago.
Do you need more information?
Regards,
Anna
fox
6
probably not, i made a note to take a look at this.
fox
7
i’ve just tried and i had no trouble authenticating with app password with OTP disabled.
curl -s -d '{"op":"login","user":"'$TTRSS_LOGIN'","password":"'$TTRSS_PASS'"}' $TTRSS_HOST
you should have auth_internal enabled in TTRSS_PLUGINS because it handles app passwords. i.e.
TTRSS_PLUGINS=auth_whatever,auth_internal,other_plugin
other than that, it should just work.
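The two failure modes in this thread (API calls caught by the SSO portal, and LOGIN_ERROR when auth_internal is missing from TTRSS_PLUGINS) can be told apart from the API reply, as in this added example, which is not part of the original posts or of tt-rss. The function names, result labels and sample bodies are assumptions made for illustration; only the LOGIN_ERROR body is taken from the thread.

```python
import json

def has_auth_internal(ttrss_plugins):
    """True if auth_internal is listed in a TTRSS_PLUGINS value."""
    return "auth_internal" in [p.strip() for p in ttrss_plugins.split(",")]

def diagnose_api_login(http_status, body, ttrss_plugins):
    """Classify the reply to an {"op":"login"} POST sent to /api/."""
    # A redirect means the SSO front end answered before tt-rss saw the call.
    if 300 <= http_status < 400:
        return "sso_redirect"
    try:
        reply = json.loads(body)
    except ValueError:
        return "not_api_response"  # e.g. the portal's HTML login page
    if not isinstance(reply, dict) or "status" not in reply:
        return "not_api_response"
    content = reply.get("content")
    if not isinstance(content, dict):
        content = {}
    # Assumed success shape: status 0 with a session_id in content.
    if reply["status"] == 0 and content.get("session_id"):
        return "ok"
    if content.get("error") == "LOGIN_ERROR":
        # App passwords are handled by auth_internal, so check it first.
        if not has_auth_internal(ttrss_plugins):
            return "login_error_auth_internal_missing"
        return "login_error_check_credentials"
    return "api_error"

# Constructed samples; only the LOGIN_ERROR body is taken from the thread.
LOGIN_ERROR_BODY = '{"seq":0,"status":1,"content":{"error":"LOGIN_ERROR"}}'
OK_BODY = '{"seq":0,"status":0,"content":{"session_id":"PLACEHOLDER"}}'
PORTAL_HTML = "<html><body>login form</body></html>"

if __name__ == "__main__":
    cases = [
        (302, "", "auth_remote"),
        (200, PORTAL_HTML, "auth_remote"),
        (200, LOGIN_ERROR_BODY, "auth_remote"),
        (200, LOGIN_ERROR_BODY, "auth_remote, auth_internal"),
        (200, OK_BODY, "auth_remote,auth_internal"),
    ]
    for status, body, plugins in cases:
        print(status, plugins, "->", diagnose_api_login(status, body, plugins))
```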
fox
8
acn128
9
Hello,
ah okay, thank you!
After enabling auth_internal, it indeed is working again.
When using TTRSS this way, I can just set the passwords of my users to some random value (via Settings > Users), right?
So that login is only possible via auth_remote or API key.
Thank you!
Regards,
Anna
fox
10
yes, you can just use a random long password, a guid or something.