[x] I’m not using docker on my primary instance, but my issue can be reproduced on the aforementioned docker setup and/or official demo.
Issue
TinyTiny RSS fetches RSS feeds behind authentication, but even with the af_proxy_http plugin set to proxy all images, authentication is not used for fetching media attachments, breaking embedded media.
This is public information, see Context below for details
Subscribe to the feed
Navigate to the Fox / @hourlyFox feed
Try to view the photos attached to posts
Note: The demo instance does not have af_proxy_http installed. Testing with a local (non-Docker) instance with af_http_proxy installed and set to proxy all requests doesn’t address the issue.
Expected
TinyTiny RSS either provides a way to proxy media attachments for authenticated RSS feeds (via a new plugin or a setting in af_http_proxy to proxy authenticated media attachments from the same domain), or provides a way to forward/embed authentication requests from the server to the browser/mobile client (e.g. rewriting media attachments served from the same domain with https://<username>:<password>@example.com/…).
I’m not sure how difficult this would be - it’s fine to say this is a known issue/no fix will be provided.
Actual
Images fail to load, requiring viewing the original article (including launching the browser app on Android).
Version details
Tiny Tiny RSS version (including git commit id):
Official demo: Tiny Tiny RSS v22.04-b17b4a4
Local install: Tiny Tiny RSS v22.06-59b0ae8af (Unsupported)
Platform (i.e. Linux distro, Docker, PHP, PostgreSQL, etc) versions:
Ubuntu 20.04
Direct/legacy git install
PHP: 7.4.3
PostgreSQL: 12.11 (Ubuntu 12.11-0ubuntu0.20.04.1)
Context
The public NixNet Nitter instance is behind username nitter and password nitter due to misinformed automated abuse reports (Nitter is a Twitter proxy, not a host):
I’m able to use the Authentication tab in Tiny Tiny RSS to access the RSS feed, but this does not help with accessing media attachments.
It is possible to get Firefox to fetch the media by rewriting the URL.
cache_media_url(…) could check if the requested $url belongs to the same domain as the RSS feed itself ($site_url?), and if so, forward on the feed’s authentication username/password.
It’s also possible to unconditionally apply the username/password, but that seems like it risks leaking authentication credentials. Limiting it to the same domain (maybe including subdomains?) seems reasonable.
The favicon I can easily deal with, the media inside the feeds not so much. However, I agree that this is an uncommon problem. If I find the time, I may look at how difficult it’d be to add another setting to Options (e.g. Use authentication for caching media as a sub-setting of Cache media), or trying a custom plugin to intercept media fetches for this domain.
tbh now that you made me think about it, i’m not sure if requesting anything but the actual feed URL
with stored credentials is a good idea.
i’m not going to bother checking how this works now, but i don’t remember implementing any domain-based controls, so its possible that those are leaked already to any media domains included by the feed. not that limiting this to an actual domain would be any better, a higher-level domain for example could belong to a different organization entirely.
we could keep previous behavior behind a global config tunable something like TTRSS_I_DONT_CARE_ABOUT_MY_FEED_PASSWORDS or w/e although i’d rather not.