##
## On all sites, provide Tiny Tiny RSS on a default path: /tt-rss
## Allow all valid LDAP users.
##
Alias /tt-rss /usr/share/tt-rss/www
Alias /tt-rss-app /usr/share/tt-rss/www

<Location /tt-rss>
    # If a client sends 'Authorization' HTTP Header, perform Basic authorization
    # using LDAP, otherwise redirect to FreedomBox single sign-on. It is not
    # mandatory for the server to return HTTP 401 with 'WWW-Authenticate'. See
    # https://datatracker.ietf.org/doc/html/rfc2616#section-14.8
    <If "-n %{HTTP:Authorization}">
        Include includes/freedombox-auth-ldap.conf
        Require ldap-group cn=admin,ou=groups,dc=thisbox
        Require ldap-group cn=feed-reader,ou=groups,dc=thisbox
    </If>
    <Else>
        Include includes/freedombox-single-sign-on.conf
        <IfModule mod_auth_pubtkt.c>
            TKTAuthToken "feed-reader" "admin"
        </IfModule>
    </Else>
</Location>

# URLs without further authentication. The URLs contain a unique key generated
# and managed by tt-rss. This includes articles marked public or even other
# categories.
<Location /tt-rss/public.php>
    Require all granted
</Location>

# Legacy configuration for apps that expect a HTTP 401 response
# 'WWW-Authenticate' header.
<Location /tt-rss-app>
    Include includes/freedombox-auth-ldap.conf
    Require ldap-group cn=admin,ou=groups,dc=thisbox
    Require ldap-group cn=feed-reader,ou=groups,dc=thisbox
</Location>