
Fix unintended HTTP Auth for LibreTime widgets
Closed, Resolved | Public | 1 Points

Description

In T594 we have protected LibreTime with an HTTP Auth using an Apache frontend, but this caused the unintentional protection of all LibreTime widgets under the /embed base URL.

This is a nasty behavior because now a widget is embedded in the website, causing the OAuth popup to appear to visitors and a consequent failure:

image.png (347×702 px, 112 KB)

We have not noticed this until today because this is what I was seeing. You know, "it works on my computer" because I'm already authenticated:

image.png (2×1 px, 1 MB)

Event Timeline

valerio.bozzolan triaged this task as High priority.

This was not resolved for strange reasons.

We were forgetting the internal resources:

	# Allow everyone to see LibreTime widgets
	# https://gitpull.it/T619
	<Location "/embed/">
		AuthType none
		Require all granted
		Satisfy any
	</Location>

	# Allow everyone to see LibreTime widgets and its resources
	# https://gitpull.it/T619
	<Location "/js/">
		AuthType none
		Require all granted
		Satisfy any
	</Location>

	# Allow everyone to see LibreTime widgets and its resources
	# https://gitpull.it/T619
	<Location "/widgets/">
		AuthType none
		Require all granted
		Satisfy any
	</Location>

	# Allow everyone to see LibreTime widgets and its resources
	# https://gitpull.it/T619
	<Location "/css/">
		AuthType none
		Require all granted
		Satisfy any
	</Location>
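
A regression check for this kind of mistake, added here as an example and not part of the original task or the project's code: it requests each path with no credentials, the way a website visitor does, and reports widget paths that answer 401 as well as protected paths that answer without asking for HTTP Auth. The protected path `/` and all function names are assumptions.

```python
import sys
import urllib.error
import urllib.request

# Paths the task opens to everyone (taken from the <Location> blocks above).
PUBLIC_PATHS = ["/embed/", "/js/", "/widgets/", "/css/"]
# Assumption: the LibreTime root must still be behind HTTP Auth.
PROTECTED_PATHS = ["/"]


def anonymous_status(base_url, path, timeout=10):
    """Return the HTTP status of a GET sent without credentials or cookies."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401, 403, 404 and similar arrive as exceptions


def audit(fetch, public=PUBLIC_PATHS, protected=PROTECTED_PATHS):
    """Return (path, status, problem) for every path that misbehaves.

    `fetch` maps a path to the status an anonymous client receives.
    """
    problems = []
    for path in public:
        status = fetch(path)
        if status == 401:
            problems.append((path, status, "public path asks for HTTP Auth"))
    for path in protected:
        status = fetch(path)
        if status != 401:
            problems.append(
                (path, status, "protected path answered without HTTP Auth"))
    return problems


if __name__ == "__main__":
    base = sys.argv[1]  # base URL of the Apache frontend
    issues = audit(lambda p: anonymous_status(base, p))
    for path, status, problem in issues:
        print(f"{status} {path}: {problem}")
    sys.exit(1 if issues else 0)
```

Only a 401 on a public path is flagged, so a 404 on a bare directory such as `/js/` does not count as a failure.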