Trying to get the FreshAPI plugin to work, but can't switch to local auth

odie

I've been trying to get this plugin to work, since (in my opinion), it will increase TTRSS' long-term viability (since the Fever plugin is considered deprecated and the TTRSS API not widely supported at all).

Adding to my previous post (and from @joseph with reference to using curl to test), I have struggled to make headway. I finally came over this post from last week on the author's GIT: https://github.com/eric-pierce/freshapi/issues/7

When viewing TTRSS' default config (and nginx config files), it seems Cloudron don't have PATH_INFO enabled on the webserver. The plugin apparently requires this, and this is supposedly "as simple as modifying your nginx.conf file to enable PATH_INFO for plugins with "api" in the path".

The two steps to enable PATH_INFO are (source: this post:

1. re-enable it by enabling cgi.fix_pathinfo=1 in the php.ini file (on my test installation, I find this php.ini file under "/etc/php/8.1/cli/php.ini", and here I can see that the cgi.fix_pathinfo=1 is commented out)
2. Update the .conf file (on my cloudron box, the path to my test install of ttrss is: /home/yellowtent/platformdata/nginx/applications/e6d40bd9-472b-46c9-9ab6-82794a764ebb/ttrsstest.example.com.conf) to include support for PATH_INFO. This is a selective enabling of PATH_INFO, and only tells nginx to use PATH_INFO parameters for php files in the plugins.local folder with "/api/" somewhere in the URL (like freshapi). Here is the example code given on the author's page:

# vi:syntax=nginx

server {
        listen 80;
        listen [::]:80;
        server_name ttrss.mydomain.com;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        #include snippets/ssl-mydomain.com.conf;
        #include snippets/ssl-params.conf;
        server_name ttrss.mydomain.com;

        root /usr/share/nginx/ttrss;

        index index.html index.htm index.php;

        access_log /var/log/nginx/ttrss_access.log;
        error_log /var/log/nginx/ttrss_error.log info;

        # Enable SSL verification by certbot/webroot
        location ~ /.well-known {
                allow all;
        }

        location / {
                index index.php;
        }

        location ~ \.php$ {
                try_files $uri =404; #Prevents autofixing of path which could be used for exploit
                fastcgi_pass unix:/run/php/php8.2-fpm.sock;
                fastcgi_index index.php;
                include fastcgi.conf;
        }

        location ~ /plugins\.local/.*/api/.*\.php(/|$) {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                set $path_info $fastcgi_path_info;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_pass unix:/run/php/php8.2-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_index index.php;
                include fastcgi_params;
        }
}

It seems to me that these changes need to be done on the Cloudron side. Any chance of having someone from staff look into it?

Sorry for the bother, and thanks for the help!

necrevistonnezr

@girish Can you look into this, please? A long-term reliable API would be of great value.

odie

@necrevistonnezr @girish Any chance of having this looked at? It would be an incredible addon to TTRSS. Not only would this offer a robust and maintained API, the API has a lot of useful functionality. You can basically maintain all feeds and folders via the API, allowing you to use TTRSS' powerful filtering system as a pure backend and use whatever client you prefer to maintain feeds and folders.

Sorry again for the trouble

odie

Hello

This is a follow-up of the post in this topic: Trying to get FreshAPI plugin to work, but can't switch to local auth

The FreshAPI plugin looks like a really useful addon for TTRSS, and I hope it's possible to use this plugin on Cloudron. I post this request in case it was "forgotten" in the preivous topic. Apologies if this has been considered impossible or unviable to implement on Cloudron.

PATH_INFO is a requirement to have this plugin working. There's an instruction set posted here on how to implement: Non-Official Docker based Installs
Here's a link to the plugin repository: FreshAPI

Thank you very much.

nebulon

The ttrss package on Cloudron is using apache, so not using fastcgi for the moment. Not too sure what this PATH_INFO does and how to enable that with apache. Otherwise we may have to repackage it using nginx I think.

odie

@nebulon said in Trying to get the FreshAPI plugin to work, but can't switch to local auth:

PATH_INFO

Thanks for following up. Does this help? Apache Core Features on apache.org - specifically under the headline "AcceptPathInfo Directive"?

nebulon

not a tinytinyrss expert, but I tried to find a way to use the API in the first place and with an app password set in ttrss I was able to use at least the default API as mentioned in https://tt-rss.org/ApiReference/#testing-api-calls-using-curl

However I didn't succeed to call any API route in a way which is mentioned for that plugin. If anyone gets one of those endpoints to even succeed auth wise, then we can further see if PATH_INFO is helping that freshapi plugin.

odie

@nebulon I'm no programmer, so I'm not 100 % sure I understand you correctly, but it seems like you managed to do what I referred to in this post? :Post #5 on this topic

If so, the way I understand it, is that the on first auth (the one that succeeds), the app pw verifies ok, but on the second auth, the post cannot find the link to the auth part of the plugin (which is referenced in the PATH_INFO part), and thus returns unauthorized. But I might be completely mistanken on this.

Thanks for looking into this. This plugin would be worth a lot, as it basically lets you manage your entire TTRSS installation with remote clients.

nebulon

I added the path info directive to test this, but the result is the same. Can't get past any auth there using the Authorization header. The path info is shown (I think correctly) in the debug logs though:

[PATH_INFO] => /accounts/ClientLogin/

I am also no php developer but it seems the auth part of the plugin would be unrelated to that at https://github.com/eric-pierce/freshapi/blob/master/api/greader.php#L39

odie

@nebulon This is probably a meaningless response, but I have no ideas for this. I'll post back if I think of something, but it seems to me that there's very little I can do about this as an end user. Thanks anyway for looking into this.