Subsonic & HTTP BasicAuth: Test request prevents connexion

crazygolem · October 5, 2023, 7:36pm

Issue description:

When enabling Basic Authentication headers for a new subsonic provider, a dummy request with subsonic credentials test/test is sent to the server without the Authorization header.

If the server answers with a standard HTTP 401 response indicating the user is not authorized, then Symfonium just stops trying to connect.

I have observed that if other responses are sent back (e.g. HTTP 404, or HTTP 200 with a proper subsonic error), then Symfonium sends another request with the configured credentials (subsonic auth parameters AND basicauth).

Logs:

debug-20231005_195740.zip (1,1 Ko)

Proxy logs:

2023/10/05 17:57:25.425 ERROR http.log.access handled request {“request”: {“remote_ip”: “10.0.2.100”, “remote_port”: “45504”, “client_ip”: “10.0.2.100”, “proto”: “HTTP/1.1”, “method”: “GET”, “host”: “192.168.1.243:8080”, “uri”: “/rest/ping.view?u=test&p=test&v=1.13.1&c=Symfonium”, “headers”: {“User-Agent”: [“Symfonium/5.9.0 (Linux;Android 13)”], “Connection”: [“close”], “Accept-Encoding”: [“gzip”]}}, “bytes_read”: 0, “user_id”: “”, “duration”: 0.000068917, “size”: 16, “status”: 401, “resp_headers”: {“Server”: [“Caddy”], “Www-Authenticate”: [“Basic realm="restricted"”], “Content-Type”: [“text/plain; charset=utf-8”]}}

(Notice: there is no Authorization header)

Additional information:

From an integration perspective, it would be nice to know (maybe have it documented somewhere) if the intent behind this feature was

to extend the subsonic authentication scheme, in which case it can make some sense to expect a subsonic response for basicauth errors, but it doesn’t make a lot of sense to still provide the credentials with the subsonic query parameter, or to allow passing different credentials for the subsonic auth parameters and the basicauth header; or
support proxy authentication, in which case I think the test request without basicauth headers doesn’t make sense (esp. if failure at this step prevents subsequent requests), and Symfonium should also not expect a subsonic response in case of basicauth authentication failure (also there is an alternative Proxy-Authorization header that might be expected over the Authorization one by some proxies).

Tolriq · October 6, 2023, 5:41am

Symfonium should not send the proper credentials for 404 errors only for proper subsonic error.

This is done for security to not send credentials to the wrong endpoint if the user made a mistake since they are plain text.

But I forget to handle the added case of the auth headers. I’ll need to refine this and handle more cases.