[SOLVED] Another authentication problem
[SOLVED] Another authentication problem
I have Tvheadend version 4.3-1917~gecd05a21d installed on my Debian 10 machine. It works great, except for authentication.
I'm trying to generate playlists, which can be played by vlc without prompting for user and password. I created new user named "test" with password "test" and enabled persistent authentication:
I added that user in Access Entries section:
In settings General/Base I set Authentication type: Both plain and digest
When I enable Username "*" in Access Entries, then I can download playlist with command i.e.:$ wget 'http://glosnik.lan:9981/playlist'
(glosnik.lan is my server name in my local network)
Which gets me a m3u playlist file, which I can feed to vlc just fine. But when I disable Username "*", then I can no longer download playlist, play any link from that playlist, even when I type user=test password=test in vlc 
With '*' enabled I can play direct link from that playlist with vlc: 'http://glosnik.lan:9981/stream/channelid/1145755580'. When I disable '*' account and run the same command, vlc asks for username and password. I'm typing 'test' 'test' and it still fails. In tvheadend logs there is:
2020-12-11 16:39:32.036 [ DEBUG]:http: 10.8.0.2: HTTP/1.1 GET (1) /stream/channelid -- 401
2020-12-11 16:39:32.138 [ DEBUG]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 401
2020-12-11 16:39:35.807 [ ERROR]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 403
I tried command:
$ vlc 'http://test:[email protected]:9981/stream/channelid/1145755580'
in logs:
2020-12-11 16:42:34.405 [ ERROR]:http: 10.8.0.2: HTTP/1.1 GET (1) /stream/channelid -- 403
2020-12-11 16:42:34.485 [ ERROR]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 403
I tried also
$ vlc 'http://glosnik.lan:9981/stream/channelid/1145755580?auth=P4lan4KUh0CyIfKsZVKtRuE.edqg'
vlc asks for user,passwd...
tvheadend log:
2020-12-11 16:44:48.464 [ INFO]:http: 10.8.0.2: using auth P4lan4KUh0CyIfKsZVKtRuE.edqg for /stream/channelid/1145755580
2020-12-11 16:44:48.464 [ DEBUG]:http: 10.8.0.2: HTTP/1.1 GET (1) /stream/channelid -- 401
2020-12-11 16:44:48.560 [ INFO]:http: 10.8.0.2: using auth P4lan4KUh0CyIfKsZVKtRuE.edqg for /stream/channelid/1145755580
2020-12-11 16:44:48.560 [ DEBUG]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 401
I'm typing in vlc test:test -> fail
tvheadend log:
2020-12-11 16:46:33.214 [ INFO]:http: 10.8.0.2: using auth P4lan4KUh0CyIfKsZVKtRuE.edqg for /stream/channelid/1145755580
2020-12-11 16:46:33.214 [ ERROR]:http: 10.8.0.2: HTTP/1.0 GET (1) /stream/channelid -- 403
What's wrong?
Replies (16)
RE: Another authentication problem
-
Added by saen acro almost 4 years ago
Wrong url is you problem
wget -O playlist.m3u http://user:[email protected]:9981/playlist/auth/channels
RE: Another authentication problem
-
Added by Bart Pstrok almost 4 years ago
$ wget -O playlist.m3u http://test:[email protected]:9981/playlist/auth/channels --2020-12-12 18:49:25-- http://test:*password*@glosnik.lan:9981/playlist/auth/channels Resolving glosnik.lan (glosnik.lan)... 192.168.2.127 Connecting to glosnik.lan (glosnik.lan)|192.168.2.127|:9981... connected. HTTP request sent, awaiting response... 401 Unauthorized Authentication selected: Digest realm="tvheadend", qop=auth, nonce="DWzkz3DuWL7qblviEB5/bNbwRKpoc3T909a+RnfQ2Zs=", opaque="j+XdE5ELCqqd1wzvmw4mp+DeKRervoGqgNMrxcuWIbA=" Reusing existing connection to glosnik.lan:9981. HTTP request sent, awaiting response... 403 Forbidden 2020-12-12 18:49:25 ERROR 403: Forbidden.
tvheadend logfile:
2020-12-12 18:48:38.819 [ DEBUG]:http: 10.8.0.2: HTTP/1.1 GET (1) /playlist/auth/channels -- 401 2020-12-12 18:48:38.880 [ ERROR]:http: 10.8.0.2: HTTP/1.1 GET (1) /playlist/auth/channels -- 403
RE: Another authentication problem
-
Added by saen acro almost 4 years ago
read log 
no plain autentification
for digest use
wget -O playlist.m3u http://a.com/somefile.url --http-user=user --http-password=pass curl --user="user:pass" http://a.com/somefile.url --digest -o playlist.m3u
RE: Another authentication problem
-
Added by Bart Pstrok almost 4 years ago
I tried with only Digest authentication:
$ wget -O playlist.m3u http://test:[email protected]:9981/playlist/auth/channels --2020-12-12 20:14:06-- http://test:*password*@glosnik.lan:9981/playlist/auth/channels Resolving glosnik.lan (glosnik.lan)... 192.168.2.127 Connecting to glosnik.lan (glosnik.lan)|192.168.2.127|:9981... connected. HTTP request sent, awaiting response... 401 Unauthorized Authentication selected: Digest realm="tvheadend", qop=auth, nonce="GHeX4eXbVOY+v00/r3pdKKUx88XRuDHH9onD7WKI+wc=", opaque="GgYlHo7xdWGwu7P/KOoW2sAjBOToPD1sdPDX6hObz28=" Reusing existing connection to glosnik.lan:9981. HTTP request sent, awaiting response... 403 Forbidden 2020-12-12 20:14:06 ERROR 403: Forbidden.
With only Plain (insecure) authentication:
$ wget -O playlist.m3u http://test:[email protected]:9981/playlist/auth/channels --2020-12-12 20:14:06-- http://test:*password*@glosnik.lan:9981/playlist/auth/channels Resolving glosnik.lan (glosnik.lan)... 192.168.2.127 Connecting to glosnik.lan (glosnik.lan)|192.168.2.127|:9981... connected. HTTP request sent, awaiting response... 401 Unauthorized Authentication selected: Digest realm="tvheadend", qop=auth, nonce="GHeX4eXbVOY+v00/r3pdKKUx88XRuDHH9onD7WKI+wc=", opaque="GgYlHo7xdWGwu7P/KOoW2sAjBOToPD1sdPDX6hObz28=" Reusing existing connection to glosnik.lan:9981. HTTP request sent, awaiting response... 403 Forbidden 2020-12-12 20:14:06 ERROR 403: Forbidden.
Each time in tvheadend log there are those lines:
2020-12-12 20:15:41.200 [ DEBUG]:http: 10.8.0.2: HTTP/1.1 GET (1) /playlist/auth/channels -- 401 2020-12-12 20:15:41.243 [ ERROR]:http: 10.8.0.2: HTTP/1.1 GET (1) /playlist/auth/channels -- 403
RE: Another authentication problem
-
Added by saen acro almost 4 years ago
you use old vrsion
update
https://tvheadend.org/boards/4/topics/24116
currently version is
HTS Tvheadend 4.3-1917~gecd05a21d
RE: Another authentication problem
-
Added by Bart Pstrok almost 4 years ago
Authentication: Digest
$ wget -O playlist.m3u --http-user=test --http-password=test http://glosnik.lan:9981/playlist/auth/channels --2020-12-12 20:22:14-- http://glosnik.lan:9981/playlist/auth/channels Resolving glosnik.lan (glosnik.lan)... 192.168.2.127 Connecting to glosnik.lan (glosnik.lan)|192.168.2.127|:9981... connected. HTTP request sent, awaiting response... 401 Unauthorized Authentication selected: Digest realm="tvheadend", qop=auth, nonce="/yVz8AsSTXvd1lGcuhNtSVK0lQOkrAdNP+Uz0ouE/bk=", opaque="DSZCBSxxtOPwAEXxzQLdG0IRR84xEjyxxLaOE3ILExU=" Reusing existing connection to glosnik.lan:9981. HTTP request sent, awaiting response... 403 Forbidden 2020-12-12 20:22:14 ERROR 403: Forbidden.
$ curl --user "test:test" http://glosnik.lan:9981/playlist/auth/channels --digest -o playlist.m3u
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 432 100 432 0 0 4235 0 --:--:-- --:--:-- --:--:-- 4235
100 151 100 151 0 0 1078 0 --:--:-- --:--:-- --:--:-- 0
$ cat playlist.m3u
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>403 Forbidden</H1>
</BODY></HTML>
RE: Another authentication problem
-
Added by Bart Pstrok almost 4 years ago
saen acro wrote:
you use old vrsion
updatehttps://tvheadend.org/boards/4/topics/24116
currently version is
HTS Tvheadend 4.3-1917~gecd05a21d
$ tvheadend --version tvheadend: version 4.3-1917~gecd05a21d
RE: Another authentication problem
-
Added by Flole Systems almost 4 years ago
You're only allowing HTSP Streaming, so you need to use a HTSP Client or allow other streaming types aswell.
RE: Another authentication problem
-
Added by Bart Pstrok almost 4 years ago
BINGO!
Playlist downloaded and played successful!
Thank you Flore Systems and saen acro for helping in troubleshooting!
Thank you!
RE: [SOLVED] Another authentication problem
-
Added by Paul M almost 4 years ago
I wanted to be able to save the m3u files for later playback but the live stream URLs contain a ticket, not persistent auth.
I hacked up this script which fixes the m3u file and changes ticket= to AUTH=
#!/bin/bash
AUTH="?AUTH=Pxxxxxxxxxxxxxxxxxxxxxxxxxxx"
TICKET="?ticket="
ORIGFILE="$1"
OLDFILE="$1.old"
NEWFILE="$1"
# TVH produces m3u files with CR + LF for Windows players
tr '\r' '\n' < "$ORIGFILE" > "$OLDFILE"
echo -n "# mangled by $0 on " > "$NEWFILE"
date >> "$NEWFILE"
while read m3u_line
do
if [ "$m3u_line" != "" ] ; then
#echo "read $m3u_line"
if echo "$m3u_line" | grep -q "^http" ; then
m3u_line=$( echo "$m3u_line" | sed -e 's/?ticket=.*//g' )
if echo "$m3u_line" | grep "?AUTH=" ; then
echo "already got AUTH"
echo "$m3u_line" >> "$NEWFILE"
else
echo "adding AUTH"
echo "$m3u_line$AUTH" >> "$NEWFILE"
fi
else
echo "nomatch"
echo "$m3u_line" >> "$NEWFILE"
fi
fi
done < "$OLDFILE"
rm "$OLDFILE"
RE: [SOLVED] Another authentication problem
-
Added by saen acro almost 4 years ago
Paul M wrote:
I wanted to be able to save the m3u files for later playback but the live stream URLs contain a ticket, not persistent auth.
I hacked up this script which fixes the m3u file and changes ticket= to AUTH=
[...]
Just use curl in API to regenerate ticket.
It's really needed external authentication support for session ticket
RE: [SOLVED] Another authentication problem
-
Added by Paul M almost 4 years ago
interesting. you see I have a bunch of m3u files and I simply double-click on one, e.g. ClassicFM.m3u, and it fires up VLC and starts to play.
I'm sorry to be dumb, but can you point me to the bit of the API where I can generate a session ticket? I couldn't see anything too obvious here:
https://github.com/dave-p/TVH-API-docs/wiki
RE: [SOLVED] Another authentication problem
-
Added by saen acro almost 4 years ago
Paul M wrote:
interesting. you see I have a bunch of m3u files and I simply double-click on one, e.g. ClassicFM.m3u, and it fires up VLC and starts to play.
I'm sorry to be dumb, but can you point me to the bit of the API where I can generate a session ticket? I couldn't see anything too obvious here:
https://github.com/dave-p/TVH-API-docs/wiki
RE: [SOLVED] Another authentication problem
-
Added by Dave Pickles almost 4 years ago
Actually there isn't any way in the API to create or work with session tickets.
As I understand it, session tickets work rather like logon cookies on web servers, they record the fact that you have logged-in and so avoid the need to re-authenticate every page request. However they only have a lifetime of five minutes. A web browser will re-authenticate automatically if the ticket has expired but that won't work with your m3u files and VLC.
RE: [SOLVED] Another authentication problem
-
Added by Paul M almost 4 years ago
thanks Dave Pickles I looked at the API referenced by Saen and I couldn't see how to generate a ticket.. however, the API appeared to show how to get the Persistent Auth token, so I can use that in my TVH EPG and thus generate m3u files for streams.
RE: [SOLVED] Another authentication problem
-
Added by Paul M almost 4 years ago
unfortunately the API call to /api/passwd/entry/grid doesn't return anything if you're logged in with a non-priv user, so I can't get the persistent auth token value for the non-priv account by using the non-priv account.
this means that my EPG and my radio app for TVH (https://github.com/speculatrix/ya_pi_radio) have to be manually configured with the username, password and the persistent auth token :-(