[SOLVED] Tt-rss upgrade woes--cannot authenticate

Nate · October 27, 2021, 8:20pm

Back on October 22, I did an upgrade using apt since the FB had crashed some ten or twelve days prior (first time that had happened). In the process tt-rss was upgraded to the current version in Debian 11 (from 18.12+dfsg-1.1 to 21~git20210204.b4cbc79+dfsg-1).

At the same time I had removed the postgresql-11 package since it was shown as “obsolete”, well that definitely broke tt-rss, but I have installed those packages again and apparently tt-rss is able to access its database again. Now I have a new problem, and that is that tt-rss will not accept my login from the Web browser.

Using the psql utility I can look at the ttrss database and specifically perform a SELECT * FROM ttrss_users; and see my user name in the list with the pwd_hash, so I know the values are there. I have only ever used a single password with this user name, so I am at a loss to understand why it is not authenticating me.

All ideas appreciated!

sunil · October 28, 2021, 3:18am

Authentication for tt-rss is performed by FreedomBox and tt-rss password database should not matter. /tt-rss/ URL is configured to use the single-sign on that you use for FreedomBox login. tt-rss should not even ask for a login/password. Once logged in to FreedomBox, FreedomBox passes information about the logged in user via REMOTE_USER header to tt-rss (there is a setting in tt-rss that FreedomBox enables for this)

There is another URL /tt-rss-app/ that is meant to be used by the mobile app. This one asks for a HTTP authentication (browser dialog) for login. This login is also FreedomBox login and again tt-rss database should not matter.

Have you been using the correct URL that is /tt-rss/
Have you been using the correct password (that is FreedomBox login and password).
Do you get anything different from what I have described?

Nate · October 28, 2021, 10:16am

Yes, I have used the same URL as always, not the one for the apps.

Yes, I can log into plinth and cockpit with the same combination.

Regarding the REMOTE_USER header I see the following has changed in the new /etc/tt-rss/config.php file. Originally it was:

define('PLUGINS', 'auth_remote, note');

and is now:

define('PLUGINS', 'auth_internal, note');

does this need to be reverted?

Also, at the bottom of the original file is this line:

define('_SKIP_SELF_URL_PATH_CHECKS', true);

it is not present in the new version, should it be added. Perhaps related, in the old version is this line:

define('SELF_URL_PATH', 'http://localhost/tt-rss/');

Since the upgrade tt-rss has demanded that this be set to the FQDN that is externally accessible. Could this be part of the problem?

I suppose I can revert these settings and see what happens.

Nate · October 28, 2021, 10:31am

Success!

Reverting those settings did fix it and I am back to using tt-rss again, though with the Bullseye version.

Thanks much for the tip, sunil.

Nate · October 30, 2021, 1:12pm

I just discovered a bug with the above settings, SELF_URL_PATH needs to be set to a host name that is accessible either from your LAN or the Internet. If left to localhost, then clicking on a article link will result in the browser trying to open localhost/tt-rss/backend.php which will quite likely fail since the machine the browser is running on probably isn’t the one tt-rss is running on.