From 97d9174775fe375a22f73a01863c7816bf43b402 Mon Sep 17 00:00:00 2001
From: nbenedek
Date: Sat, 25 Feb 2023 23:05:32 +0100
Subject: [PATCH] ttrss: Allow apps to use /tt-rss URL instead of separate one
- When tt-rss is accessed via a smart device, authenticate the user with basic auth, otherwise authenticate with mod_auth_pubtkt.
- I tested logging in with the official TT-RSS Android app and Fiery Feeds for iPhone.
- Reload apache2 to apply the changes.
Signed-off-by: nbenedek
[sunil: Use Authorization header instead of user agent]
[sunil: Update description to talk about both URLs]
[sunil: Increment app version to reload apache]
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Sunil Mohan Adapa
---
 plinth/modules/ttrss/__init__.py | 5 +++--
 .../apache2/conf-available/tt-rss-plinth.conf | 21 +++++++++++++++----
 plinth/modules/ttrss/privileged.py | 2 ++
 3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/plinth/modules/ttrss/__init__.py b/plinth/modules/ttrss/__init__.py
index d6ec1327f..d58fc7512 100644
--- a/plinth/modules/ttrss/__init__.py
+++ b/plinth/modules/ttrss/__init__.py
@@ -27,7 +27,8 @@ _description = [
 users_url=reverse_lazy('users:index')),
 format_lazy(
 _('When using a mobile or desktop application for Tiny Tiny RSS, use '
- 'the URL /tt-rss-app for connecting.'))
+ 'the URL /tt-rss or '
+ '/tt-rss-app for connecting.'))
 ]
@@ -36,7 +37,7 @@ class TTRSSApp(app_module.App):
 app_id = 'ttrss'
- _version = 4
+ _version = 5
 def __init__(self):
 """Create components for the app."""
diff --git a/plinth/modules/ttrss/data/etc/apache2/conf-available/tt-rss-plinth.conf b/plinth/modules/ttrss/data/etc/apache2/conf-available/tt-rss-plinth.conf
index b09d63c68..e5577eef5 100644
--- a/plinth/modules/ttrss/data/etc/apache2/conf-available/tt-rss-plinth.conf
+++ b/plinth/modules/ttrss/data/etc/apache2/conf-available/tt-rss-plinth.conf
@@ -6,10 +6,21 @@ Alias /tt-rss /usr/share/tt-rss/www Alias /tt-rss-app /usr/share/tt-rss/www - Include includes/freedombox-single-sign-on.conf - - TKTAuthToken "feed-reader" "admin" - + # If a client sends 'Authorization' HTTP Header, perform Basic authorization + # using LDAP, otherwise redirect to FreedomBox single sign-on. It is not + # mandatory for the server to return HTTP 401 with 'WWW-Authenticate'. See + # https://datatracker.ietf.org/doc/html/rfc2616#section-14.8 + + Include includes/freedombox-auth-ldap.conf + Require ldap-group cn=admin,ou=groups,dc=thisbox + Require ldap-group cn=feed-reader,ou=groups,dc=thisbox + + + Include includes/freedombox-single-sign-on.conf + + TKTAuthToken "feed-reader" "admin" + + # URLs without further authentication. The URLs contain a unique key generated @@ -19,6 +30,8 @@ Alias /tt-rss-app /usr/share/tt-rss/www Require all granted +# Legacy configuration for apps that expect a HTTP 401 response +# 'WWW-Authenticate' header. Include includes/freedombox-auth-ldap.conf Require ldap-group cn=admin,ou=groups,dc=thisbox diff --git a/plinth/modules/ttrss/privileged.py b/plinth/modules/ttrss/privileged.py index 34778b596..abc2d7344 100644 --- a/plinth/modules/ttrss/privileged.py +++ b/plinth/modules/ttrss/privileged.py @@ -81,6 +81,8 @@ def setup(): if action_utils.service_is_enabled('tt-rss'): action_utils.service_restart('tt-rss') + # Accommodate changes in Apache configuration file. + action_utils.service_reload('apache2') @privileged
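Review bot: The LDAP Basic-auth branch added for /tt-rss is selected by the mere presence of a client-supplied `Authorization` header, so password guessing can now be aimed at the main URL without going through the single sign-on login, and nothing in the visible lines throttles it. This path already exists on /tt-rss-app, so the change widens an existing surface rather than creating one, but it is worth confirming that repeated 401s on both locations are covered by the box's lockout or ban mechanism and that `includes/freedombox-auth-ldap.conf` (not shown here) refuses plain HTTP, since Basic credentials travel with every request. I would record that in the new comment, e.g. `# Basic auth must only be reachable over HTTPS; see freedombox-auth-ldap.conf.` The RFC 2616 link points to an obsoleted document; the `Authorization` header is now specified in RFC 9110, section 11.6.2. The conditional directives themselves do not appear in this rendering of the hunk, so the exact header test could not be checked.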
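Review bot: The comment on the added `action_utils.service_reload('apache2')` does not say which change it accommodates or when the reload matters; judging by the commit message, it exists so the updated tt-rss-plinth.conf is picked up when the version bump re-runs setup. Something like `# Reload Apache so the updated tt-rss-plinth.conf takes effect after an upgrade.` would make that explicit. Indentation is lost in this rendering, so whether the reload sits inside the `service_is_enabled('tt-rss')` branch cannot be told from the hunk; if it does, it is worth checking that the old access rules cannot stay active while tt-rss is disabled. setup() begins above the hunk.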