Trying to get the FreshAPI plugin to work, but can't switch to local auth

joseph

@odie the ttrss app does not have non-sso mode. Not sure about FreshAPI plugin but I can give it a try now.

joseph

In Cloudron, the plugins are stored outside in /app/data instead of alongside the ttrss code in /app/code . The plugin tries to include a file assuming it is in the repo i.e under /app/code and this makes it not work.

If you change the line on the top of api/greader.php like this:

$ttrss_root = '/app/code'; // dirname(__DIR__, 3);

then it works for me.

$ curl -X POST --data 'Email=xx&Passwd=CczdjnHZYaMPr2V0' https://ttrss.domain.com/plugins.local/freshapi/api/greader.php/accounts/ClientLogin/
SID=xx/4l33j00i8gu6brpr7ev9ed182q
LSID=
Auth=xx/4l33j00i8gu6brpr7ev9ed182q

The Password above is App Password (you can create one in user preferences)

odie

@joseph said in Trying to get the FreshAPI plugin to work, but can't switch to local auth:

In Cloudron, the plugins are stored outside in /app/data instead of alongside the ttrss code in /app/code . The plugin tries to include a file assuming it is in the repo i.e under /app/code and this makes it not work.

If you change the line on the top of api/greader.php like this:

$ttrss_root = '/app/code'; // dirname(__DIR__, 3);

then it works for me.

$ curl -X POST --data 'Email=xx&Passwd=CczdjnHZYaMPr2V0' https://ttrss.domain.com/plugins.local/freshapi/api/greader.php/accounts/ClientLogin/
SID=xx/4l33j00i8gu6brpr7ev9ed182q
LSID=
Auth=xx/4l33j00i8gu6brpr7ev9ed182q

The Password above is App Password (you can create one in user preferences)

Thank you. By changing the ttrss path in greader.php like you say, I can access the plugin. But I get "unautorized" errors, even though the app specific passwords I use are correct. I get the same error in my "production" ttrss as I do in a cleanly installed test version of ttrss I set up (to experiment on this). My log shows (In the loginfo below, I've changed the ipadress to [MyIP], the URL to ttrss.domain.com and the username to [username]) :

Oct 01 09:37:49 [MyIP] - - [01/Oct/2024:07:37:49 +0000] "POST /plugins.local/freshapi/api/greader.php/accounts/ClientLogin HTTP/1.1" 200 70 "-" "Reeder/5040601 CFNetwork/1498.700.2 Darwin/23.6.0"
Oct 01 09:37:49 [Tue Oct 01 07:37:49.733865 2024] [php:notice] [pid 30] [client 172.18.0.1:53690] FreshGReaderAPI::unauthorized
Oct 01 09:37:49 [Tue Oct 01 07:37:49.734022 2024] [php:notice] [pid 30] [client 172.18.0.1:53690] FreshGReaderAPI::unauthorized Array\n(\n [date] => 2024-10-01T07:37:49+00:00\n [headers] => Array\n (\n [Host] => ttrss.domain.com\n [X-Real-IP] => [MyIP]\n [X-Forwarded-For] => [MyIP]\n [X-Forwarded-Host] => ttrss.domain.com\n [X-Forwarded-Port] => 443\n [X-Forwarded-Proto] => https\n [X-Forwarded-Ssl] => on\n [Connection] => close\n [accept] => */*\n [accept-encoding] => gzip, deflate, br\n [user-agent] => Reeder/5040601 CFNetwork/1498.700.2 Darwin/23.6.0\n [accept-language] => en-GB,en;q=0.9\n [authorization] => GoogleLogin auth=[username]/vdhuqfgl36jo3okkehfrtkqk56\n )\n\n [_SERVER] => Array\n (\n [HTTP_HOST] => ttrss.domain.com\n [HTTP_X_REAL_IP] => [MyIP]\n [HTTP_X_FORWARDED_FOR] => [MyIP]\n [HTTP_X_FORWARDED_HOST] => ttrss.domain.com\n [HTTP_X_FORWARDED_PORT] => 443\n [HTTP_X_FORWARDED_PROTO] => https\n [HTTP_X_FORWARDED_SSL] => on\n [HTTP_CONNECTION] => close\n [HTTP_ACCEPT] => */*\n [HTTP_ACCEPT_ENCODING] => gzip, deflate, br\n [HTTP_USER_AGENT] => Reeder/5040601 CFNetwork/1498.700.2 Darwin/23.6.0\n [HTTP_ACCEPT_LANGUAGE] => en-GB,en;q=0.9\n [PATH] => /usr/local/node-18.18.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n [SERVER_SIGNATURE] => <address>Apache/2.4.52 (Ubuntu) Server at ttrss.domain.com Port 8000</address>\n\n [SERVER_SOFTWARE] => Apache/2.4.52 (Ubuntu)\n [SERVER_NAME] => ttrss.domain.com\n [SERVER_ADDR] => 172.18.20.78\n [SERVER_PORT] => 8000\n [REMOTE_ADDR] => 172.18.0.1\n [DOCUMENT_ROOT] => /app/code\n [REQUEST_SCHEME] => http\n [CONTEXT_PREFIX] => \n [CONTEXT_DOCUMENT_ROOT] => /app/code\n [SERVER_ADMIN] => [no address given]\n [SCRIPT_FILENAME] => /app/code/plugins.local/freshapi/api/greader.php\n [REMOTE_PORT] => 53690\n [GATEWAY_INTERFACE] => CGI/1.1\n [SERVER_PROTOCOL] => HTTP/1.1\n [REQUEST_METHOD] => GET\n [QUERY_STRING] => output=json\n [REQUEST_URI] => /plugins.local/freshapi/api/greader.php/reader/api/0/user-info?output=json\n [SCRIPT_NAME] => /plugins.local/freshapi/api/greader.php\n [PATH_INFO] => /reader/api/0/user-info\n [PATH_TRANSLATED] => /app/code/reader/api/0/user-info\n [PHP_SELF] => /plugins.local/freshapi/api/greader.php/reader/api/0/user-info\n [REQUEST_TIME_FLOAT] => 1727768269.7281\n [REQUEST_TIME] => 1727768269\n )\n\n [_GET] => Array\n (\n [output] => json\n )\n\n [_POST] => Array\n (\n )\n\n [_COOKIE] => Array\n (\n )\n\n [INPUT] => \n)\n
Oct 01 09:37:49 [MyIP] - - [01/Oct/2024:07:37:49 +0000] "GET /plugins.local/freshapi/api/greader.php/reader/api/0/user-info?output=json HTTP/1.1" 401 13 "-" "Reeder/5040601 CFNetwork/1498.700.2 Darwin/23.6.0"

When I do the curl you showed, I get the same error message:

$ curl -X POST --data 'Email=xx&Passwd=CczdjnHZYaMPr2V0' https://ttrss.domain.com/plugins.local/freshapi/api/greader.php/accounts/ClientLogin/
Unauthorized!root@e6d40bd9-472b-46c9-9ab6-82794a764ebb:/app/code/plugins.local/freshapi#

I use my own app generated passwords, and in the preferences window for ttrss app passwords, I see that the password has been referenced correctly. But I still get the error.

Any idea what might be wrong? Thank you!

odie

Quoting myself to follow up my previous post. Today's update of TTRSS (to [2.17.4]: Update Tiny Tiny RSS to df489df), in my test installation of TTRSS, the API now returns the same output as Joseph in Post #3 above:

$ curl -X POST --data 'Email=xx&Passwd=CczdjnHZYaMPr2V0' https://ttrss.domain.com/plugins.local/freshapi/api/greader.php/accounts/ClientLogin/
SID=xx/4l33j00i8gu6brpr7ev9ed182q
LSID=
Auth=xx/4l33j00i8gu6brpr7ev9ed182q

However, my newsreader (Reeder) still don't authenticate (The Reeder error message is: Login failed. The data couldn't be read because it isn't in the correct format.)

Further, when I follow the instructions in the plugin repo to call the API directly (Step 2 under Chapter Using the API, I still get an "Unauthorized!" error message in the terminal like below (I follow the instruction by first posting the auth (Step 1) and use the provided info from this step as values in this step (Step 2)):

$ curl -X POST --header 'Authorization: GoogleLogin auth=xx/4l33j00i8gu6brpr7ev9ed182q' https://example.com/tt-rss/plugins.local/freshapi/api/greader.php/reader/api/0/subscription/export
Unauthorized!

Would love to hear someone else's experiences with this. Maybe someone could offer their assistance, if they manage to get it working?

Thank you!

@odie said in Trying to get the FreshAPI plugin to work, but can't switch to local auth:

@joseph said in Trying to get the FreshAPI plugin to work, but can't switch to local auth:

In Cloudron, the plugins are stored outside in /app/data instead of alongside the ttrss code in /app/code . The plugin tries to include a file assuming it is in the repo i.e under /app/code and this makes it not work.

If you change the line on the top of api/greader.php like this:

$ttrss_root = '/app/code'; // dirname(__DIR__, 3);

then it works for me.

$ curl -X POST --data 'Email=xx&Passwd=CczdjnHZYaMPr2V0' https://ttrss.domain.com/plugins.local/freshapi/api/greader.php/accounts/ClientLogin/
SID=xx/4l33j00i8gu6brpr7ev9ed182q
LSID=
Auth=xx/4l33j00i8gu6brpr7ev9ed182q

The Password above is App Password (you can create one in user preferences)

Thank you. By changing the ttrss path in greader.php like you say, I can access the plugin. But I get "unautorized" errors, even though the app specific passwords I use are correct. I get the same error in my "production" ttrss as I do in a cleanly installed test version of ttrss I set up (to experiment on this). My log shows (In the loginfo below, I've changed the ipadress to [MyIP], the URL to ttrss.domain.com and the username to [username]) :

Oct 01 09:37:49 [MyIP] - - [01/Oct/2024:07:37:49 +0000] "POST /plugins.local/freshapi/api/greader.php/accounts/ClientLogin HTTP/1.1" 200 70 "-" "Reeder/5040601 CFNetwork/1498.700.2 Darwin/23.6.0"
Oct 01 09:37:49 [Tue Oct 01 07:37:49.733865 2024] [php:notice] [pid 30] [client 172.18.0.1:53690] FreshGReaderAPI::unauthorized
Oct 01 09:37:49 [Tue Oct 01 07:37:49.734022 2024] [php:notice] [pid 30] [client 172.18.0.1:53690] FreshGReaderAPI::unauthorized Array\n(\n [date] => 2024-10-01T07:37:49+00:00\n [headers] => Array\n (\n [Host] => ttrss.domain.com\n [X-Real-IP] => [MyIP]\n [X-Forwarded-For] => [MyIP]\n [X-Forwarded-Host] => ttrss.domain.com\n [X-Forwarded-Port] => 443\n [X-Forwarded-Proto] => https\n [X-Forwarded-Ssl] => on\n [Connection] => close\n [accept] => */*\n [accept-encoding] => gzip, deflate, br\n [user-agent] => Reeder/5040601 CFNetwork/1498.700.2 Darwin/23.6.0\n [accept-language] => en-GB,en;q=0.9\n [authorization] => GoogleLogin auth=[username]/vdhuqfgl36jo3okkehfrtkqk56\n )\n\n [_SERVER] => Array\n (\n [HTTP_HOST] => ttrss.domain.com\n [HTTP_X_REAL_IP] => [MyIP]\n [HTTP_X_FORWARDED_FOR] => [MyIP]\n [HTTP_X_FORWARDED_HOST] => ttrss.domain.com\n [HTTP_X_FORWARDED_PORT] => 443\n [HTTP_X_FORWARDED_PROTO] => https\n [HTTP_X_FORWARDED_SSL] => on\n [HTTP_CONNECTION] => close\n [HTTP_ACCEPT] => */*\n [HTTP_ACCEPT_ENCODING] => gzip, deflate, br\n [HTTP_USER_AGENT] => Reeder/5040601 CFNetwork/1498.700.2 Darwin/23.6.0\n [HTTP_ACCEPT_LANGUAGE] => en-GB,en;q=0.9\n [PATH] => /usr/local/node-18.18.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n [SERVER_SIGNATURE] => <address>Apache/2.4.52 (Ubuntu) Server at ttrss.domain.com Port 8000</address>\n\n [SERVER_SOFTWARE] => Apache/2.4.52 (Ubuntu)\n [SERVER_NAME] => ttrss.domain.com\n [SERVER_ADDR] => 172.18.20.78\n [SERVER_PORT] => 8000\n [REMOTE_ADDR] => 172.18.0.1\n [DOCUMENT_ROOT] => /app/code\n [REQUEST_SCHEME] => http\n [CONTEXT_PREFIX] => \n [CONTEXT_DOCUMENT_ROOT] => /app/code\n [SERVER_ADMIN] => [no address given]\n [SCRIPT_FILENAME] => /app/code/plugins.local/freshapi/api/greader.php\n [REMOTE_PORT] => 53690\n [GATEWAY_INTERFACE] => CGI/1.1\n [SERVER_PROTOCOL] => HTTP/1.1\n [REQUEST_METHOD] => GET\n [QUERY_STRING] => output=json\n [REQUEST_URI] => /plugins.local/freshapi/api/greader.php/reader/api/0/user-info?output=json\n [SCRIPT_NAME] => /plugins.local/freshapi/api/greader.php\n [PATH_INFO] => /reader/api/0/user-info\n [PATH_TRANSLATED] => /app/code/reader/api/0/user-info\n [PHP_SELF] => /plugins.local/freshapi/api/greader.php/reader/api/0/user-info\n [REQUEST_TIME_FLOAT] => 1727768269.7281\n [REQUEST_TIME] => 1727768269\n )\n\n [_GET] => Array\n (\n [output] => json\n )\n\n [_POST] => Array\n (\n )\n\n [_COOKIE] => Array\n (\n )\n\n [INPUT] => \n)\n
Oct 01 09:37:49 [MyIP] - - [01/Oct/2024:07:37:49 +0000] "GET /plugins.local/freshapi/api/greader.php/reader/api/0/user-info?output=json HTTP/1.1" 401 13 "-" "Reeder/5040601 CFNetwork/1498.700.2 Darwin/23.6.0"

When I do the curl you showed, I get the same error message:

$ curl -X POST --data 'Email=xx&Passwd=CczdjnHZYaMPr2V0' https://ttrss.domain.com/plugins.local/freshapi/api/greader.php/accounts/ClientLogin/
Unauthorized!root@e6d40bd9-472b-46c9-9ab6-82794a764ebb:/app/code/plugins.local/freshapi#

I use my own app generated passwords, and in the preferences window for ttrss app passwords, I see that the password has been referenced correctly. But I still get the error.

Any idea what might be wrong? Thank you!

odie

I've been trying to get this plugin to work, since (in my opinion), it will increase TTRSS' long-term viability (since the Fever plugin is considered deprecated and the TTRSS API not widely supported at all).

Adding to my previous post (and from @joseph with reference to using curl to test), I have struggled to make headway. I finally came over this post from last week on the author's GIT: https://github.com/eric-pierce/freshapi/issues/7

When viewing TTRSS' default config (and nginx config files), it seems Cloudron don't have PATH_INFO enabled on the webserver. The plugin apparently requires this, and this is supposedly "as simple as modifying your nginx.conf file to enable PATH_INFO for plugins with "api" in the path".

The two steps to enable PATH_INFO are (source: this post:

1. re-enable it by enabling cgi.fix_pathinfo=1 in the php.ini file (on my test installation, I find this php.ini file under "/etc/php/8.1/cli/php.ini", and here I can see that the cgi.fix_pathinfo=1 is commented out)
2. Update the .conf file (on my cloudron box, the path to my test install of ttrss is: /home/yellowtent/platformdata/nginx/applications/e6d40bd9-472b-46c9-9ab6-82794a764ebb/ttrsstest.example.com.conf) to include support for PATH_INFO. This is a selective enabling of PATH_INFO, and only tells nginx to use PATH_INFO parameters for php files in the plugins.local folder with "/api/" somewhere in the URL (like freshapi). Here is the example code given on the author's page:

# vi:syntax=nginx

server {
        listen 80;
        listen [::]:80;
        server_name ttrss.mydomain.com;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        #include snippets/ssl-mydomain.com.conf;
        #include snippets/ssl-params.conf;
        server_name ttrss.mydomain.com;

        root /usr/share/nginx/ttrss;

        index index.html index.htm index.php;

        access_log /var/log/nginx/ttrss_access.log;
        error_log /var/log/nginx/ttrss_error.log info;

        # Enable SSL verification by certbot/webroot
        location ~ /.well-known {
                allow all;
        }

        location / {
                index index.php;
        }

        location ~ \.php$ {
                try_files $uri =404; #Prevents autofixing of path which could be used for exploit
                fastcgi_pass unix:/run/php/php8.2-fpm.sock;
                fastcgi_index index.php;
                include fastcgi.conf;
        }

        location ~ /plugins\.local/.*/api/.*\.php(/|$) {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                set $path_info $fastcgi_path_info;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_pass unix:/run/php/php8.2-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

It seems to me that these changes need to be done on the Cloudron side. Any chance of having someone from staff look into it?

Sorry for the bother, and thanks for the help!

necrevistonnezr

@girish Can you look into this, please? A long-term reliable API would be of great value.

odie

@necrevistonnezr @girish Any chance of having this looked at? It would be an incredible addon to TTRSS. Not only would this offer a robust and maintained API, the API has a lot of useful functionality. You can basically maintain all feeds and folders via the API, allowing you to use TTRSS' powerful filtering system as a pure backend and use whatever client you prefer to maintain feeds and folders.

Sorry again for the trouble

odie

Hello

This is a follow-up of the post in this topic: Trying to get FreshAPI plugin to work, but can't switch to local auth

The FreshAPI plugin looks like a really useful addon for TTRSS, and I hope it's possible to use this plugin on Cloudron. I post this request in case it was "forgotten" in the preivous topic. Apologies if this has been considered impossible or unviable to implement on Cloudron.

PATH_INFO is a requirement to have this plugin working. There's an instruction set posted here on how to implement: Non-Official Docker based Installs
Here's a link to the plugin repository: FreshAPI

Thank you very much.

nebulon

The ttrss package on Cloudron is using apache, so not using fastcgi for the moment. Not too sure what this PATH_INFO does and how to enable that with apache. Otherwise we may have to repackage it using nginx I think.

odie

@nebulon said in Trying to get the FreshAPI plugin to work, but can't switch to local auth:

PATH_INFO

Thanks for following up. Does this help? Apache Core Features on apache.org - specifically under the headline "AcceptPathInfo Directive"?

nebulon

not a tinytinyrss expert, but I tried to find a way to use the API in the first place and with an app password set in ttrss I was able to use at least the default API as mentioned in https://tt-rss.org/ApiReference/#testing-api-calls-using-curl

However I didn't succeed to call any API route in a way which is mentioned for that plugin. If anyone gets one of those endpoints to even succeed auth wise, then we can further see if PATH_INFO is helping that freshapi plugin.

odie

@nebulon I'm no programmer, so I'm not 100 % sure I understand you correctly, but it seems like you managed to do what I referred to in this post? :Post #5 on this topic

If so, the way I understand it, is that the on first auth (the one that succeeds), the app pw verifies ok, but on the second auth, the post cannot find the link to the auth part of the plugin (which is referenced in the PATH_INFO part), and thus returns unauthorized. But I might be completely mistanken on this.

Thanks for looking into this. This plugin would be worth a lot, as it basically lets you manage your entire TTRSS installation with remote clients.

nebulon

I added the path info directive to test this, but the result is the same. Can't get past any auth there using the Authorization header. The path info is shown (I think correctly) in the debug logs though:

[PATH_INFO] => /accounts/ClientLogin/

I am also no php developer but it seems the auth part of the plugin would be unrelated to that at https://github.com/eric-pierce/freshapi/blob/master/api/greader.php#L39

odie

@nebulon This is probably a meaningless response, but I have no ideas for this. I'll post back if I think of something, but it seems to me that there's very little I can do about this as an end user. Thanks anyway for looking into this.