Can't login to LMS

Issue description:

When logging in to my LMS Subsonic server, the Symfonium client sends two requests in rapid succession, one with user test and one with the correct user. The server then throttles the second request with the correct login details, and the login fails.

Additional information:

  • LMS 3.35.0
  • Symfonium 3.2.0

Logs

debug-20230120_160748.zip (1.0 KB)

Hum, that’s strange, and the error code is non-standard to react to that.

@itm, the LMS author, is present; maybe he has some insight or we can discuss this.

The thing is that until I know what is on the other side I do not send the credentials, because the Subsonic API does not support anything secure (especially with legacy mode) and I do not want to leak them if the user made a typo.

Do you know the necessary time to wait between attempts in case ITM does not answer soon?
Since this server advertises its name I can add a special tempo for it but need to know how long.

The logic for throttling in LMS is here. I’m no programmer, seems to me like it might be 3 seconds.

Great to see that Emeric is here.

Ok thanks, 3 seconds is an eternity for a wizard and not losing user attention.

Will wait for LMS answer first to see if we can improve that a little before adding such a long delay.

I agree that it’s an eternity for proper UX, I’ve created a ticket on the LMS bug tracker as well: Symfonium unable to log in · Issue #302 · epoupon/lms · GitHub

Hello!
Yes indeed that’s something I noticed before but this is weird as it did not prevent my Symfonium instance from connecting.

The login throttler is global (shared with the embedded LMS’s UI), and really basic: it does not have a failure counter per address before starting to throttle. Looks like it would be the only option to support this server side?

I haven’t really looked into the code. After how many attempts do you block? And for how long globally?

Basically for the Symfonium use case it would be at most 4 attempts due to the fact that you do not support the new auth system.

Or maybe I can pass a dummy parameter to indicate that it’s a test login and you do not count it as a failure?

In all cases waiting 3 seconds if the user makes a typo in his password sounds odd, no?

Yes that is a naive but very conservative implementation, as it blocks for each bad attempt for 3 seconds.
I will add a counter before throttling.

Why up to 4 attempts by the way?

I could optimize but never did.

The process when testing is to send a request to ensure it’s a Subsonic and identify certificate issues, then do the real auth. So 2 queries.

Then detect it’s LMS, switch to the other auth mode, but still use the same verification scheme, so another 2 requests.

If you ignore test/test as the block and do not count the new auth attempt as an auth then it works without other changes.

Maybe the new auth system is already not counted as wrong log and in that case it’s just 2 bad attempts before the proper one in most cases.

So seems all was updated on LMS side, no change needed on my side.

@abdulocracy Since you can now test, would appreciate feedback about the app.
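
The per-address failure counter discussed above, sketched as an added example (this is not LMS's own code). The class and function names, the free-failure budget and the sample address are assumptions; the 3-second penalty is the figure mentioned in the thread.

```cpp
#include <chrono>
#include <cstddef>
#include <string>
#include <unordered_map>

using Clock = std::chrono::steady_clock;
// Hypothetical per-address login throttler (names are not taken from LMS).
class LoginThrottler {
public:
    LoginThrottler(std::size_t freeFailures, std::chrono::seconds penalty)
        : _freeFailures{freeFailures}, _penalty{penalty} {}

    // True if a login attempt from this address must be rejected right now.
    bool isThrottled(const std::string& addr, Clock::time_point now) const {
        auto it = _entries.find(addr);
        return it != _entries.end() && now < it->second.blockedUntil;
    }

    // Record a bad login; throttle only once the free budget is used up.
    void onBadLogin(const std::string& addr, Clock::time_point now) {
        Entry& e = _entries[addr];
        if (++e.failures > _freeFailures)
            e.blockedUntil = now + _penalty;
    }

    // A good login clears the failure history for that address.
    void onGoodLogin(const std::string& addr) { _entries.erase(addr); }
private:
    struct Entry { std::size_t failures{}; Clock::time_point blockedUntil{}; };
    std::size_t _freeFailures;   // 0 reproduces "throttle on every failure"
    std::chrono::seconds _penalty;
    std::unordered_map<std::string, Entry> _entries;
};

// Replays the client behaviour from the thread: `probes` failed requests in
// rapid succession, then the real login. True if the real login gets through.
bool realLoginAccepted(std::size_t freeFailures, std::size_t probes) {
    LoginThrottler throttler{freeFailures, std::chrono::seconds{3}};
    const std::string addr{"192.0.2.10"}; // constructed sample address
    Clock::time_point now{};              // constructed timeline start
    for (std::size_t i = 0; i < probes; ++i) {
        if (throttler.isThrottled(addr, now)) return false;
        throttler.onBadLogin(addr, now);
        now += std::chrono::milliseconds{50};
    }
    return !throttler.isThrottled(addr, now);
}
```

Entries in this sketch never expire, so a real implementation would also need to age out old failures and bound the size of the map.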

I’ve been using the app since yesterday, and it does many things I’ve been looking for very well. Supporting the embedded lyrics and Replaygain tags in files, fine-grained quality settings for mobile, WiFi and downloads, AutoEQ integration and hardware decoder offloading, these are all very nice features.

Regarding Replaygain support, what exactly are the fallback settings? Is it simply falling back when one type of RG tag doesn’t exist? This type of implementation is questionable…

Well I would not use that mode either, but since many other apps propose that option I supposed it was useful to some.

But yes it’s a fallback, if one is not present use the other. I guess some users have either one or the other depending on the albums and it would work for them.

Most people either have no RG tags, or have both, I couldn’t imagine a scenario where you’d have only album or track tags.

I would recommend having an “auto” setting. If playing an album, use the album RG tags, but if playing a queue of singles, use the track RG tags.

Please open a feature request for that to discuss side effects like what happens when you queue a song after starting via an album and other possible cases.