[Bug] Remote-User Header Not Being Passed Correctly

[darkpixelftw]

Describe the bug

Since version 1.26.2 and later, I recieve the error:

Error 403 - Forbidden

You don’t have permission to access this page [HTTP Remote-User= ; Remote IP address=172.20.0.6]

Note how there is only a space after 'Remote-User=', that's not me removing something for privacy, that's just what it shows.
Authelia OIDC functions with other servicies so I don't believe that the issue lies with that.

I have tested with versions 1.25.0 to 1.26.1 with everything else being the same, and it works fine and showed the remote user header being passed correctly so I believe there is some regression in 1.26.2

The docker logs give this error:

[warning] --- Multiple HTTP authentication headers!

To Reproduce

1. Enable FreshRSS version 1.26.2 or later
2. Attemp to login in
3. Authelia will ask if you want to give FreshRSS permission, accept
4. The error should occur

Expected behavior

Should seemlessly go to the feed page of the authelia user after login.

FreshRSS version

1.26.2 and later

System information

• Database version: SQLite
• PHP version: Sorry I don't know how to check or change this - the default for the image I assume
• Installation type: Docker
• Web server type: Whatever is default for the debian image - I don't know how to check this either.
• Device: PC
• OS: Windows 10
• Browser: both Firefox and Chrome

Additional context

No response

[Inverle]

Someone made the same issue before, but I can't find it anymore. it was a comment on #7528
Anyway, you should make sure that Authelia sends only one authentication header, for example just Remote-User and not also X-WebAuth-User
If you're certain that's what it is supposed to be doing, then make a phpinfo.php file:

echo "<?php phpinfo();" > phpinfo.php

after that, copy it into the container:

docker cp phpinfo.php freshrss:/var/www/FreshRSS/p

then navigate to <your_freshrss_instance>/phpinfo.php (the URL should be same as the one Authelia redirects you to) in the browser and show the contents of the Apache Environment / HTTP Headers Information sections

you should cleanup the phpinfo.php file later when you don't need it:

docker exec freshrss rm /var/www/FreshRSS/p/phpinfo.php

[darkpixelftw]

Hi, I did as asked
here's the page

I censored the sensitive stuff, but it's all correct.

[Inverle]

also the Apache Environment as mentioned earlier please

[darkpixelftw]

Woops sorry, missed that
here it is:

Seems there's a HTTP_REMOTE_USER and a REMOTE_USER which is maybe the issue?
I don't see why this would only be a problem in 1.26.2 and later, has the authentication code become more strict?

[Inverle]

Seems there's a HTTP_REMOTE_USER and a REMOTE_USER which is maybe the issue?

Indeed

I don't see why this would only be a problem in 1.26.2 and later, has the authentication code become more strict?

Yes, it had been done for security reasons, but the check seems too strict, as proven in this issue.

FreshRSS/lib/lib_rss.php

Lines 858 to 863 in 0bca0d8

	function httpAuthUser(bool $onlyTrusted = true): string {
	$auths = array_intersect_key($_SERVER, ['REMOTE_USER' => '', 'REDIRECT_REMOTE_USER' => '', 'HTTP_REMOTE_USER' => '', 'HTTP_X_WEBAUTH_USER' => '']);
	if (count($auths) > 1) {
	Minz_Log::warning('Multiple HTTP authentication headers!');
	return '';
	}

introduced in #7528

[Inverle]

#7703

[morgan-dgk]

Also seeing this issue with Authelia. AFAIK mod_oidc is actually responsible for setting the relevant headers, not the OIDC provider.