Issue description:
When enabling Basic Authentication headers for a new subsonic provider, a dummy request with subsonic credentials test/test is sent to the server without the Authorization header.
If the server answers with a standard HTTP 401 response indicating the user is not authorized, then Symfonium just stops trying to connect.
I have observed that if other responses are sent back (e.g. HTTP 404, or HTTP 200 with a proper subsonic error), then Symfonium sends another request with the configured credentials (subsonic auth parameters AND basicauth).
Logs:
debug-20231005_195740.zip (1,1 Ko)
Proxy logs:
2023/10/05 17:57:25.425 ERROR http.log.access handled request {“request”: {“remote_ip”: “10.0.2.100”, “remote_port”: “45504”, “client_ip”: “10.0.2.100”, “proto”: “HTTP/1.1”, “method”: “GET”, “host”: “192.168.1.243:8080”, “uri”: “/rest/ping.view?u=test&p=test&v=1.13.1&c=Symfonium”, “headers”: {“User-Agent”: [“Symfonium/5.9.0 (Linux;Android 13)”], “Connection”: [“close”], “Accept-Encoding”: [“gzip”]}}, “bytes_read”: 0, “user_id”: “”, “duration”: 0.000068917, “size”: 16, “status”: 401, “resp_headers”: {“Server”: [“Caddy”], “Www-Authenticate”: [“Basic realm="restricted"”], “Content-Type”: [“text/plain; charset=utf-8”]}}
(Notice: there is no Authorization
header)
Additional information:
From an integration perspective, it would be nice to know (maybe have it documented somewhere) if the intent behind this feature was
- to extend the subsonic authentication scheme, in which case it can make some sense to expect a subsonic response for basicauth errors, but it doesn’t make a lot of sense to still provide the credentials with the subsonic query parameter, or to allow passing different credentials for the subsonic auth parameters and the basicauth header; or
- support proxy authentication, in which case I think the test request without basicauth headers doesn’t make sense (esp. if failure at this step prevents subsequent requests), and Symfonium should also not expect a subsonic response in case of basicauth authentication failure (also there is an alternative
Proxy-Authorization
header that might be expected over theAuthorization
one by some proxies).