Add support for connecting to Navidrome behind a reverse proxy with basic authentication #16

Open
e1pex opened this issue Jan 29, 2023 · 7 comments

e1pex commented Jan 29, 2023

As it's a bit of best practice to protect your Navidrome installation behind a reverse proxy, preferably with authentication when it's exposed to the internet, it would be great to have Feishin support basic authentication as an option to the native Navidrome authentication.

@jeffvli jeffvli self-assigned this Jan 29, 2023
@jeffvli jeffvli linked a pull request Feb 5, 2023 that will close this issue
Owner

jeffvli commented Feb 5, 2023

I'm having a bit of trouble with the implementation on this.

I set up basic auth on one of my Navidrome instances, but it's returning a CORS error when trying to authenticate from the frontend. When testing with basic auth using an HTTP client (Insomnia), it works fine.

Can you test on your side if you experience the same issues? You can use the build on #23 to test once it finishes.

My error:

Access to fetch at 'https://demo.sonixd.com/auth/login' from origin 'http://localhost:4343' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

@jeffvli jeffvli added the help wanted Extra attention is needed label Feb 5, 2023
Repository owner deleted a comment from e1pex Feb 6, 2023
Owner

jeffvli commented Feb 6, 2023

@e1pex I removed your comment since you may have accidentally put your credentials in your comment (from the logs).
Recopied it here without the logs.

Hi Jeff

I just did a quick test and I can't get it to work either. I get a 401 error with the new Feishin build with CORS disabled (and a new config directory), but it works with a Sonixd instance with the same credentials and server.

From the logs it seems Sonixd never does a POST for auth/login as Feishin does; I don't know if that is any clue?

192.168.xxx.129 - - [06/Feb/2023:07:01:46 +0100] "GET / HTTP/2.0" 401 172 "-""Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0""-"
192.168.xxx.129 - - [06/Feb/2023:07:02:18 +0100] "POST /auth/login HTTP/2.0" 401 574 "-""Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36""-"
192.168.xxx.129 - - [06/Feb/2023:07:04:08 +0100] "POST /auth/login HTTP/2.0" 401 574 "-""Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36""-"
192.168.xxx.129 - - [06/Feb/2023:07:08:28 +0100] "GET /rest/getMusicFolders.view?u=redacted&s=redacted&t=redacted&v=1.13.0&c=sonixd&f=json HTTP/2.0" 200 164 "-""Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Sonixd/0.15.3 Chrome/91.0.4472.164 Electron/13.6.3 Safari/537.36""-"
192.168.xxx.129 - - [06/Feb/2023:07:08:28 +0100] "GET /rest/getPlaylists.view?u=redacted&s=redacted&t=redacted&v=1.13.0&c=sonixd&f=json HTTP/2.0" 200 543 "-""Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Sonixd/0.15.3 Chrome/91.0.4472.164 Electron/13.6.3 Safari/537.36""-"

I'm off for work now, but if needed I can do some more troubleshooting later this evening.

Regards
Torbjörn
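
A pre-posting scrub for the kind of log paste discussed in this comment, as an added example that is not part of the thread or of Feishin. It redacts the nginx `$remote_user` field, URL userinfo, `Authorization` header values, and the `u`/`p`/`s`/`t` query parameters; the sample lines, host name and credentials are constructed.

```javascript
// Added example, not from the thread. All sample values are constructed.
// u, s, t are the query parameters shown redacted in the logs above;
// p is the Subsonic API's plain password parameter (not shown in the thread).
const SECRET_PARAMS = /([?&](?:u|p|s|t)=)[^&\s"]*/g;
// nginx access-log prefix: client, ident, $remote_user, then "[time]".
const REMOTE_USER = /^(\S+ \S+ )(?!- )\S+( \[)/;
// scheme://user:password@host, as used when credentials are put in a URL.
const URL_USERINFO = /(\b[a-z][a-z0-9+.-]*:\/\/)[^\/\s@"]+@/gi;
// Header dumps from client debug output.
const AUTH_HEADER = /(Authorization:\s*(?:Basic|Bearer)\s+)\S+/gi;

function scrubLine(line) {
  return line
    .replace(REMOTE_USER, '$1redacted$2')
    .replace(URL_USERINFO, '$1redacted@')
    .replace(SECRET_PARAMS, '$1redacted')
    .replace(AUTH_HEADER, '$1redacted');
}

// Scrub a whole paste and count the lines that changed, so the poster can
// see whether anything sensitive was present before publishing it.
function scrubText(text) {
  const lines = text.split('\n');
  const cleaned = lines.map(scrubLine);
  const changed = cleaned.filter((l, i) => l !== lines[i]).length;
  return { text: cleaned.join('\n'), changed };
}

const SAMPLE = [
  '192.0.2.10 - alice [06/Feb/2023:07:08:28 +0100] "GET /rest/getPlaylists.view?u=alice&s=c19b2d&t=0123abcd&v=1.13.0&c=sonixd&f=json HTTP/2.0" 200 543 "-" "Sonixd/0.15.3" "-"',
  '192.0.2.10 - - [06/Feb/2023:07:02:18 +0100] "POST /auth/login HTTP/2.0" 401 574 "-" "feishin/0.0.1-alpha4" "-"',
  'mpv http://alice:s3cret@music.example.test/rest/stream.view?id=42',
  'Authorization: Basic YWxpY2U6czNjcmV0',
].join('\n');

console.log(scrubText(SAMPLE).text);
```
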

Author

e1pex commented Feb 6, 2023

No worries about the credentials in the previous post, they were not real ones.

I did some more testing. When first adding the server with basic authentication checked, I get this in the nginx log when clicking Add:

192.168.xxx.129 - redacted [06/Feb/2023:19:44:29 +0100] "POST /auth/login HTTP/2.0" 200 375 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36" "-"
192.168.xxx.129 - - [06/Feb/2023:19:44:29 +0100] "GET /api/playlist?_end=100&_order=ASC&_sort=name&_start=0 HTTP/2.0" 401 574 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36" "-"

So it seems Feishin manages to log in once, the config is accepted and then Feishin is reloaded?

But after the reload the server shows up as disconnected, and any attempt to get it to reconnect by re-adding the password results in a 401 in the nginx logs.

Screenshot from 2023-02-06 19-57-04

192.168.xxx.129 - - [06/Feb/2023:19:52:26 +0100] "POST /auth/login HTTP/2.0" 401 574 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) feishin/0.0.1-alpha4 Chrome/106.0.5249.199 Electron/21.4.0 Safari/537.36" "-"

In the server config view the basic auth config is missing after the reload, could it be that the basic auth config is lost after the application reload?

Screenshot from 2023-02-06 19-57-50

Is the CORS error you get from the reverse proxy or from Navidrome? Because I don't see that at all on my side.
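
The pattern in the log lines above can be checked mechanically. This added example (not from the thread or from Feishin) parses nginx access-log lines in the quoted format and lists the requests that reached the proxy without Basic credentials and were answered with 401; the sample lines, client address and user name are constructed.

```javascript
// Added example. Constructed sample lines in the nginx access-log format
// quoted in the thread; 192.0.2.10 and "alice" are placeholders.
const SAMPLE_LOG = [
  '192.0.2.10 - alice [06/Feb/2023:19:44:29 +0100] "POST /auth/login HTTP/2.0" 200 375 "-" "feishin/0.0.1-alpha4" "-"',
  '192.0.2.10 - - [06/Feb/2023:19:44:29 +0100] "GET /api/playlist?_end=100&_start=0 HTTP/2.0" 401 574 "-" "feishin/0.0.1-alpha4" "-"',
  '192.0.2.10 - - [06/Feb/2023:19:52:26 +0100] "POST /auth/login HTTP/2.0" 401 574 "-" "feishin/0.0.1-alpha4" "-"',
];

// client, ident, $remote_user, [time], "METHOD target PROTO", status
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) /;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // not an access-log line in this format
  const [, client, user, time, method, target, status] = m;
  return {
    client, time, method,
    user: user === '-' ? null : user, // "-" means no Basic credentials were sent
    path: target.split('?')[0],       // drop the query string, it may hold secrets
    status: Number(status),
  };
}

function classify(e) {
  // A 401 with a user name present means either the proxy rejected the
  // password or the application behind it answered 401; the log alone
  // does not say which.
  if (e.status === 401) return e.user ? 'credentials-sent-but-401' : 'no-credentials-sent';
  return e.user ? 'authenticated' : 'allowed-without-credentials';
}

function report(lines) {
  const rows = lines.map(parseLine).filter(Boolean)
    .map((e) => ({ ...e, verdict: classify(e) }));
  // Distinct endpoints the client called without an Authorization header.
  const missing = [...new Set(rows
    .filter((r) => r.verdict === 'no-credentials-sent')
    .map((r) => `${r.method} ${r.path}`))];
  return { rows, missing };
}

console.log(report(SAMPLE_LOG).missing);
```
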

Owner

jeffvli commented Feb 6, 2023

Hmm, if you're not getting an error on the login, then it might just be an issue on my side.

I actually didn't pass through the basic auth to all the API requests since I wanted to make sure that the login itself was working. Let me make some changes and then you can test again.

Owner

jeffvli commented Feb 6, 2023

I did a bit more testing but unfortunately it's probably not going to be feasible to get basic auth working.

While browsing through your server works, the audio player that's being used (mpv) has trouble accessing the audio stream.
Even adding credentials in the URL does not seem to work (e.g. http://username:[email protected]).

There's a feature request that I saw regarding this, but unfortunately no updates in some time. mpv-player/mpv#2689

@jeffvli jeffvli removed a link to a pull request Feb 8, 2023
Author

e1pex commented Feb 8, 2023

Ok I see, do you want to close this for now then? I might do some digging to see if it's possible to find a solution, but I can't make a promise on timeline for it.

Owner

jeffvli commented Feb 8, 2023

Actually I was wrong, apparently basic auth can work with mpv, just that there are no dedicated parameters to insert them.

It wasn't working when I was testing it previously... but trying the URL directly from the mpv commandline seems to work.
I'll try to implement this again when I have time.
