Project

General

Profile

[SOLVED] Another authentication problem

Added by Bart Pstrok 4 months ago

I have Tvheadend version 4.3-1917~gecd05a21d installed on my Debian 10 machine. It works great, except for authentication.

I'm trying to generate playlists, which can be played by vlc without prompting for user and password. I created new user named "test" with password "test" and enabled persistent authentication:

I added that user in Access Entries section:

In settings General/Base I set Authentication type: Both plain and digest

When I enable Username "*" in Access Entries, then I can download playlist with command i.e.:
$ wget 'http://glosnik.lan:9981/playlist'
(glosnik.lan is my server name in my local network)
Which gets me a m3u playlist file, which I can feed to vlc just fine. But when I disable Username "*", then I can no longer download playlist, play any link from that playlist, even when I type user=test password=test in vlc :(

With '*' enabled I can play direct link from that playlist with vlc: 'http://glosnik.lan:9981/stream/channelid/1145755580'. When I disable '*' account and run the same command, vlc asks for username and password. I'm typing 'test' 'test' and it still fails. In tvheadend logs there is:

2020-12-11 16:39:32.036 [ DEBUG]:http: 10.8.0.2: HTTP/1.1 GET (1) /stream/channelid -- 401
2020-12-11 16:39:32.138 [ DEBUG]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 401
2020-12-11 16:39:35.807 [ ERROR]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 403

I tried command:

$ vlc 'http://test::9981/stream/channelid/1145755580'

in logs:

2020-12-11 16:42:34.405 [ ERROR]:http: 10.8.0.2: HTTP/1.1 GET (1) /stream/channelid -- 403
2020-12-11 16:42:34.485 [ ERROR]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 403

I tried also

$ vlc 'http://glosnik.lan:9981/stream/channelid/1145755580?auth=P4lan4KUh0CyIfKsZVKtRuE.edqg'

vlc asks for user,passwd...
tvheadend log:

2020-12-11 16:44:48.464 [ INFO]:http: 10.8.0.2: using auth P4lan4KUh0CyIfKsZVKtRuE.edqg for /stream/channelid/1145755580
2020-12-11 16:44:48.464 [ DEBUG]:http: 10.8.0.2: HTTP/1.1 GET (1) /stream/channelid -- 401
2020-12-11 16:44:48.560 [ INFO]:http: 10.8.0.2: using auth P4lan4KUh0CyIfKsZVKtRuE.edqg for /stream/channelid/1145755580
2020-12-11 16:44:48.560 [ DEBUG]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 401

I'm typing in vlc test:test -> fail
tvheadend log:

2020-12-11 16:46:33.214 [ INFO]:http: 10.8.0.2: using auth P4lan4KUh0CyIfKsZVKtRuE.edqg for /stream/channelid/1145755580
2020-12-11 16:46:33.214 [ ERROR]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 403

What's wrong?


Replies (16)

RE: Another authentication problem - Added by saen acro 4 months ago

Wrong url is you problem

wget -O playlist.m3u http://user:[email protected]:9981/playlist/auth/channels

RE: Another authentication problem - Added by Bart Pstrok 4 months ago

$ wget -O playlist.m3u http://test:[email protected]:9981/playlist/auth/channels
--2020-12-12 18:49:25--  http://test:*password*@glosnik.lan:9981/playlist/auth/channels
Resolving glosnik.lan (glosnik.lan)... 192.168.2.127
Connecting to glosnik.lan (glosnik.lan)|192.168.2.127|:9981... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Digest realm="tvheadend", qop=auth, nonce="DWzkz3DuWL7qblviEB5/bNbwRKpoc3T909a+RnfQ2Zs=", opaque="j+XdE5ELCqqd1wzvmw4mp+DeKRervoGqgNMrxcuWIbA=" 
Reusing existing connection to glosnik.lan:9981.
HTTP request sent, awaiting response... 403 Forbidden
2020-12-12 18:49:25 ERROR 403: Forbidden.

tvheadend logfile:

2020-12-12 18:48:38.819 [  DEBUG]:http: 10.8.0.2: HTTP/1.1 GET (1) /playlist/auth/channels -- 401
2020-12-12 18:48:38.880 [  ERROR]:http: 10.8.0.2: HTTP/1.1 GET (1) /playlist/auth/channels -- 403

RE: Another authentication problem - Added by saen acro 4 months ago

read log ;)

no plain autentification

for digest use

wget -O playlist.m3u http://a.com/somefile.url --http-user=user --http-password=pass

curl --user="user:pass" http://a.com/somefile.url --digest -o playlist.m3u

RE: Another authentication problem - Added by Bart Pstrok 4 months ago

I tried with only Digest authentication:

$ wget -O playlist.m3u http://test:[email protected]:9981/playlist/auth/channels
--2020-12-12 20:14:06--  http://test:*password*@glosnik.lan:9981/playlist/auth/channels
Resolving glosnik.lan (glosnik.lan)... 192.168.2.127
Connecting to glosnik.lan (glosnik.lan)|192.168.2.127|:9981... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Digest realm="tvheadend", qop=auth, nonce="GHeX4eXbVOY+v00/r3pdKKUx88XRuDHH9onD7WKI+wc=", opaque="GgYlHo7xdWGwu7P/KOoW2sAjBOToPD1sdPDX6hObz28=" 
Reusing existing connection to glosnik.lan:9981.
HTTP request sent, awaiting response... 403 Forbidden
2020-12-12 20:14:06 ERROR 403: Forbidden.

With only Plain (insecure) authentication:

$ wget -O playlist.m3u http://test:[email protected]:9981/playlist/auth/channels
--2020-12-12 20:14:06--  http://test:*password*@glosnik.lan:9981/playlist/auth/channels
Resolving glosnik.lan (glosnik.lan)... 192.168.2.127
Connecting to glosnik.lan (glosnik.lan)|192.168.2.127|:9981... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Digest realm="tvheadend", qop=auth, nonce="GHeX4eXbVOY+v00/r3pdKKUx88XRuDHH9onD7WKI+wc=", opaque="GgYlHo7xdWGwu7P/KOoW2sAjBOToPD1sdPDX6hObz28=" 
Reusing existing connection to glosnik.lan:9981.
HTTP request sent, awaiting response... 403 Forbidden
2020-12-12 20:14:06 ERROR 403: Forbidden.

Each time in tvheadend log there are those lines:

2020-12-12 20:15:41.200 [  DEBUG]:http: 10.8.0.2: HTTP/1.1 GET (1) /playlist/auth/channels -- 401
2020-12-12 20:15:41.243 [  ERROR]:http: 10.8.0.2: HTTP/1.1 GET (1) /playlist/auth/channels -- 403

RE: Another authentication problem - Added by saen acro 4 months ago

you use old vrsion
update

https://tvheadend.org/boards/4/topics/24116

currently version is
HTS Tvheadend 4.3-1917~gecd05a21d

RE: Another authentication problem - Added by Bart Pstrok 4 months ago

Authentication: Digest

$ wget -O playlist.m3u --http-user=test --http-password=test http://glosnik.lan:9981/playlist/auth/channels
--2020-12-12 20:22:14--  http://glosnik.lan:9981/playlist/auth/channels
Resolving glosnik.lan (glosnik.lan)... 192.168.2.127
Connecting to glosnik.lan (glosnik.lan)|192.168.2.127|:9981... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Digest realm="tvheadend", qop=auth, nonce="/yVz8AsSTXvd1lGcuhNtSVK0lQOkrAdNP+Uz0ouE/bk=", opaque="DSZCBSxxtOPwAEXxzQLdG0IRR84xEjyxxLaOE3ILExU=" 
Reusing existing connection to glosnik.lan:9981.
HTTP request sent, awaiting response... 403 Forbidden
2020-12-12 20:22:14 ERROR 403: Forbidden.

$ curl --user "test:test" http://glosnik.lan:9981/playlist/auth/channels --digest -o playlist.m3u
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   432  100   432    0     0   4235      0 --:--:-- --:--:-- --:--:--  4235
100   151  100   151    0     0   1078      0 --:--:-- --:--:-- --:--:--     0
$ cat playlist.m3u 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>403 Forbidden</H1>
</BODY></HTML>

RE: Another authentication problem - Added by Bart Pstrok 4 months ago

saen acro wrote:

you use old vrsion
update

https://tvheadend.org/boards/4/topics/24116

currently version is
HTS Tvheadend 4.3-1917~gecd05a21d

$ tvheadend --version
tvheadend: version 4.3-1917~gecd05a21d

RE: Another authentication problem - Added by Flole Systems 4 months ago

You're only allowing HTSP Streaming, so you need to use a HTSP Client or allow other streaming types aswell.

RE: Another authentication problem - Added by Bart Pstrok 4 months ago

BINGO!
Playlist downloaded and played successful!
Thank you Flore Systems and saen acro for helping in troubleshooting!
Thank you!

RE: [SOLVED] Another authentication problem - Added by Paul M 4 months ago

I wanted to be able to save the m3u files for later playback but the live stream URLs contain a ticket, not persistent auth.

I hacked up this script which fixes the m3u file and changes ticket= to AUTH=

#!/bin/bash

AUTH="?AUTH=Pxxxxxxxxxxxxxxxxxxxxxxxxxxx" 

TICKET="?ticket=" 

ORIGFILE="$1" 
OLDFILE="$1.old" 
NEWFILE="$1" 

# TVH produces m3u files with CR + LF for Windows players
tr '\r' '\n' < "$ORIGFILE" > "$OLDFILE" 
echo -n "# mangled by $0 on " > "$NEWFILE" 
date >> "$NEWFILE" 

while read m3u_line
do
    if [ "$m3u_line" != "" ] ; then
        #echo "read $m3u_line" 
        if echo "$m3u_line" | grep -q "^http" ; then
            m3u_line=$( echo "$m3u_line" | sed -e 's/?ticket=.*//g' )

            if echo "$m3u_line" | grep "?AUTH=" ; then
                echo "already got AUTH" 
                echo "$m3u_line" >> "$NEWFILE" 
            else
                echo "adding AUTH" 
                echo "$m3u_line$AUTH" >> "$NEWFILE" 
            fi

        else
            echo "nomatch" 
            echo "$m3u_line" >> "$NEWFILE" 
        fi
    fi

done < "$OLDFILE" 

rm "$OLDFILE" 

RE: [SOLVED] Another authentication problem - Added by saen acro 4 months ago

Paul M wrote:

I wanted to be able to save the m3u files for later playback but the live stream URLs contain a ticket, not persistent auth.

I hacked up this script which fixes the m3u file and changes ticket= to AUTH=

[...]

Just use curl in API to regenerate ticket.

It's really needed external authentication support for session ticket

RE: [SOLVED] Another authentication problem - Added by Paul M 4 months ago

interesting. you see I have a bunch of m3u files and I simply double-click on one, e.g. ClassicFM.m3u, and it fires up VLC and starts to play.

I'm sorry to be dumb, but can you point me to the bit of the API where I can generate a session ticket? I couldn't see anything too obvious here:
https://github.com/dave-p/TVH-API-docs/wiki

RE: [SOLVED] Another authentication problem - Added by saen acro 4 months ago

Paul M wrote:

interesting. you see I have a bunch of m3u files and I simply double-click on one, e.g. ClassicFM.m3u, and it fires up VLC and starts to play.

I'm sorry to be dumb, but can you point me to the bit of the API where I can generate a session ticket? I couldn't see anything too obvious here:
https://github.com/dave-p/TVH-API-docs/wiki

https://github.com/dave-p/TVH-API-docs/wiki/Access

RE: [SOLVED] Another authentication problem - Added by Dave Pickles 4 months ago

Actually there isn't any way in the API to create or work with session tickets.

As I understand it, session tickets work rather like logon cookies on web servers, they record the fact that you have logged-in and so avoid the need to re-authenticate every page request. However they only have a lifetime of five minutes. A web browser will re-authenticate automatically if the ticket has expired but that won't work with your m3u files and VLC.

RE: [SOLVED] Another authentication problem - Added by Paul M 4 months ago

thanks Dave Pickles I looked at the API referenced by Saen and I couldn't see how to generate a ticket.. however, the API appeared to show how to get the Persistent Auth token, so I can use that in my TVH EPG and thus generate m3u files for streams.

RE: [SOLVED] Another authentication problem - Added by Paul M 4 months ago

unfortunately the API call to /api/passwd/entry/grid doesn't return anything if you're logged in with a non-priv user, so I can't get the persistent auth token value for the non-priv account by using the non-priv account.

this means that my EPG and my radio app for TVH (https://github.com/speculatrix/ya_pi_radio) have to be manually configured with the username, password and the persistent auth token :-(

    (1-16/16)