ttrss: Allow apps to use /tt-rss URL instead of separate one

- When tt-rss is accessed via a smart device, authenticate the user with basic auth, otherwise authenticate with mod_auth_pubtkt. - I tested logging in with the official TT-RSS Android app and Fiery Feeds for iPhone. - Reload apache2 to apply the changes. Signed-off-by: nbenedek <contact@nbenedek.me> [sunil: Use Authorization header instead of user agent] [sunil: Update description to talk about both URLs] [sunil: Increment app version to reload apache] Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-01-21 07:55:00 +00:00 · 2023-02-25 23:05:32 +01:00 · 2023-02-25 23:05:32 +01:00 · 97d9174775
commit 97d9174775
parent 56b17ca41f
3 changed files with 22 additions and 6 deletions
--- a/plinth/modules/ttrss/init.py
+++ b/plinth/modules/ttrss/init.py
@ -27,7 +27,8 @@ _description = [
        users_url=reverse_lazy('users:index')),
    format_lazy(
        _('When using a mobile or desktop application for Tiny Tiny RSS, use '
-          'the URL <a href="/tt-rss-app/">/tt-rss-app</a> for connecting.'))
+          'the URL <a href="/tt-rss/">/tt-rss</a> or '
+          '<a href="/tt-rss-app/">/tt-rss-app</a> for connecting.'))
 ]


@ -36,7 +37,7 @@ class TTRSSApp(app_module.App):

    app_id = 'ttrss'

-    _version = 4
+    _version = 5

    def __init__(self):
        """Create components for the app."""
--- a/plinth/modules/ttrss/data/etc/apache2/conf-available/tt-rss-plinth.conf
+++ b/plinth/modules/ttrss/data/etc/apache2/conf-available/tt-rss-plinth.conf
@ -6,10 +6,21 @@ Alias /tt-rss /usr/share/tt-rss/www
 Alias /tt-rss-app /usr/share/tt-rss/www

 <Location /tt-rss>
-    Include includes/freedombox-single-sign-on.conf
-    <IfModule mod_auth_pubtkt.c>
-        TKTAuthToken "feed-reader" "admin"
-    </IfModule>
+    # If a client sends 'Authorization' HTTP Header, perform Basic authorization
+    # using LDAP, otherwise redirect to FreedomBox single sign-on. It is not
+    # mandatory for the server to return HTTP 401 with 'WWW-Authenticate'. See
+    # https://datatracker.ietf.org/doc/html/rfc2616#section-14.8
+    <If "-n %{HTTP:Authorization}">
+        Include includes/freedombox-auth-ldap.conf
+        Require ldap-group cn=admin,ou=groups,dc=thisbox
+        Require ldap-group cn=feed-reader,ou=groups,dc=thisbox
+    </If>
+    <Else>
+        Include includes/freedombox-single-sign-on.conf
+        <IfModule mod_auth_pubtkt.c>
+            TKTAuthToken "feed-reader" "admin"
+        </IfModule>
+    </Else>
 </Location>

 # URLs without further authentication. The URLs contain a unique key generated
@ -19,6 +30,8 @@ Alias /tt-rss-app /usr/share/tt-rss/www
    Require all granted
 </Location>

+# Legacy configuration for apps that expect a HTTP 401 response
+# 'WWW-Authenticate' header.
 <Location /tt-rss-app>
    Include includes/freedombox-auth-ldap.conf
    Require ldap-group cn=admin,ou=groups,dc=thisbox
--- a/plinth/modules/ttrss/privileged.py
+++ b/plinth/modules/ttrss/privileged.py
@ -81,6 +81,8 @@ def setup():

    if action_utils.service_is_enabled('tt-rss'):
        action_utils.service_restart('tt-rss')
+        # Accommodate changes in Apache configuration file.
+        action_utils.service_reload('apache2')


@privileged