LOGIN_ERROR for API after upgrading

languitar · 2021-03-01T19:39:28.527Z

languitar:

Btw. is it intended that an error code uses HTTP status code 200?

Ah, that one remains. Is that a bug or a “feature”?

fox · 2021-03-01T19:54:46.552Z

languitar:

Ah, that one remains. Is that a bug or a “feature”?

am i supposed to also guess which status code you were expecting and why?

languitar · 2021-03-01T20:21:40.877Z

401 Unauthorized - HTTP | MDN UNAUTHORIZED would have been my expectation. At least anything larger than 299 to indicate an error.

fox · 2021-03-02T04:37:00.703Z

i guess this makes some amount of sense but that’s not how api returns its errors.

languitar · 2021-03-02T19:21:52.703Z

Alright, in case of some future work on the API this might be a nice change to introduce.

MiF · 2021-03-06T16:52:42.025Z

tt-rss accepted base64 encoded password for at least 9 years. Why would the feature be just dropped?

fox · 2021-03-06T17:06:27.387Z

because it’s stupid and pointless? i don’t remember why was it even there in the first place but my guess would be an incompetent client developer, most likely of this very app you’re using.

i’m normally not one to shit on other foss projects (except samba and xorg) but this “ttrss-reader” was so absolutely fucking terrible at everything that i literally taught myself android development from fucking scratch to make my own client that didn’t suck just so much.

MiF · 2021-03-06T17:47:32.116Z

Your own app states - TRIAL. Does it mean it will work for a limited amount of time or some features are disabled?

fox · 2021-03-06T17:49:12.761Z

go be an idiot somewhere else, thx

Jeremy11one · 2021-03-12T16:57:38.743Z

I noticed this error today when trying to use ios app Fiery Feeds 2.4.12 Build 308. Fiery Feeds has worked well for months or years but today fails to log in. I tried setting a new password in ttrss and fiery feeds, but that didn’t help. TT-RSS runs in docker, v21.03-fcce1c4. TT-RSS has this in its log:

Failed login attempt for admin (service: _api) from 172.24.0.10

Forwarded For: [my ip]
Forwarded Protocol: https
Remote IP: 172.24.0.10
Request URI: /tt-rss/api/
User agent: Fiery Feeds/2.4.12 (iPhone; iOS 14.4; Scale/2.00)

Jeremy11one · 2021-03-12T17:08:44.851Z

MiF:

tt-rss accepted base64 encoded password for at least 9 years. Why would the feature be just dropped?

I agree with MiF that removing a feature like this should at least be mentioned somewhere, preferably well in advance, since it is a potentially breaking change. Thanks for cleaning up the clutter though and making things more secure.

fox · 2021-03-12T17:19:26.765Z

what, again with the base64?

Jeremy11one:

least be mentioned somewhere, preferably well in advance, since it is a potentially breaking change

https://git.tt-rss.org/fox/tt-rss/wiki/ApiReference#login

can you please point me where base64-encoded passwords are mentioned on this page?

Jeremy11one · 2021-03-12T17:36:49.334Z

fox:

what, again with the base64?

I don’t know what the cause of the login failure is with Fiery Feeds, whether it’s a base64 issue or not. I just wanted to point out that it’s not just the TT-RSS Reader app that’s suddenly having login failures.

fox · 2021-03-12T17:39:39.770Z

most likely the same thing. i don’t know who copypasted who but i’m fairly certain that actual api documentation never mentioned this, it was a thing specifically done for Nils because he asked for whatever reason. and it was there for 10 years, yes. until it suddenly wasn’t.

API discussion - Tiny Tiny RSS here’s the actual discussion

e: that part of login code has bothered me for years until i refactored the whole thing this spring (is it spring yet? its snowing outside). so sue me, etc.

klempin · 2021-03-12T17:43:39.357Z

I am using the same version of Fiery Feeds and have not had any login issues. Apparently, this only happens when using the account password. I am using an app password and Fiery Feeds works fine. The specific commit that breaks Fiery Feeds sync with the account password is 580eccd3da. I’m pretty sure base64 encoding has nothing to do with this.

fox · 2021-03-12T17:44:30.570Z

that’s interesting, does it rapidly login multiple times? well, you always disable this check altogether or use an app password which is excluded from it (for the time being).

klempin:

I am using an app password and Fiery Feeds works fine.

see, you’re doing the right thing already.

klempin · 2021-03-12T17:57:54.219Z

Yeah, I generally use 2fa when available. Even with last night’s security issue OTP on its own wasn’t really less secure than just password auth.

Looking at nginx access logs I saw about 13 POST requests for a single refresh of all articles within about two seconds and multiple “Too many authentication attempts for test, throttled” log entries, so that’s most likely the cause.

fox · 2021-03-12T18:02:53.404Z

you’re (well, not you specifically, an api consumer) is supposed to login as necessary and otherwise maintain a single login session. not only logging in for every request bloats up tt-rss sessions database, it’s simply terrible application design.

Jeremy11one · 2021-03-12T18:04:04.381Z

klempin:

I am using an app password and Fiery Feeds works fine.

TT-RSS has app passwords?! I just hunted it down, implemented that, and it fixed the problem with my Fiery Feeds. Thank you.

fox · 2021-03-12T18:05:37.767Z

Jeremy11one:

TT-RSS has app passwords?!

...