[Enhancement]: Authenticated RSS Feeds #973

Open
opened 2026-04-24 23:28:00 +02:00 by adam · 3 comments

Originally created by @wsguede on GitHub (Feb 22, 2023).

Describe the feature/enhancement

I would like to have my RSS feeds protected by some sort of authentication.

I would like to expose ABS to the world to be able to listen to my podcasts from a generic podcast application (like Podcast Addict).
To do this, it would require me to use RSS feeds.

Right now RSS feeds are exposed as publicly accessible, which does not fit my security needs.

Generically speaking, I can use a [reverse proxy](https://github.com/advplyr/audiobookshelf/issues/385) with basic auth to fix this; however, now I have to maintain 2 sets of credentials:
1 for the reverse proxy
1 for ABS.

adam added the enhancement label 2026-04-24 23:28:00 +02:00

@ChuckMac commented on GitHub (Mar 30, 2023):

Seconding thing one.

Using a reverse proxy for it you can basic auth the RSS feed URL, but the RSS that is generated doesn't contain the credentials for the actual item audio files, so with most podcast apps those can't be protected.


@mdbell commented on GitHub (Jun 28, 2023):

Not a perfect solution, but if you use nginx you can have it use your ABS authentication instead. Mostly by taking advantage of the fact ABS lets you pass authentication tokens via GET params, and making use of some clever XML replacements.

I protect the feed on my server by using this config (with unneeded parts omitted):

```
server {
    ...

    location / {
        # your regular proxy setup
        ...
    }
    # match feed URLs
    location ~/feed/(.*) {
        auth_request /auth;
        # only rewrite the contents of XML files (the feed)
        sub_filter_types "text/xml";
        # rewrite the covers in the XML to have the token
        sub_filter "/cover" "/cover?$args";
        # and rewrite the media files to have the token
        sub_filter '" length="' '?$args" length="';
        sub_filter_once off;
        proxy_pass http://ABS_HOST:ABS_PORT/feed/$1;
    }
    # an internal only route, that only nginx can access, though you could probably do all this in one location config
    location ~/auth {
        internal;
        set $query '';
        # Extract the query params from the uri
        if ($request_uri ~* "[^\?]+\?(.*)$") {
            set $query $1;
        }
        proxy_pass_request_body off;
        # pass the token to ABS (uses the $query variable set above)
        proxy_pass http://ABS_HOST:ABS_PORT/api/users/?$query;
    }
}
```

And a sample feed URL:

```
https://YOUR_DOMAIN/feed/li_sk5yrvwoiwio70h7o3?token=...
```

Not exactly secure as you're storing your whole login token in the feed, but it's a decent workaround till there's a better solution.
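
What the two `sub_filter` rules in the config above do to a feed body, as an added example that is not part of the original comment: it applies the same two substitutions to a constructed feed and reports which URLs end up carrying the token. The feed contents, the item paths and the `token=SAMPLE` value are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed; the feed id, item paths and file names are assumptions.
FEED = """<rss><channel>
<image><url>https://YOUR_DOMAIN/feed/li_example/cover</url></image>
<item><enclosure url="https://YOUR_DOMAIN/feed/li_example/item/1/ep1.mp3" length="1234" type="audio/mpeg"/></item>
<item><enclosure url="https://YOUR_DOMAIN/feed/li_example/item/2/ep2.mp3?v=2" length="99" type="audio/mpeg"/></item>
<item><enclosure type="audio/mpeg" length="5" url="https://YOUR_DOMAIN/feed/li_example/item/3/ep3.mp3"/></item>
</channel></rss>"""


def apply_sub_filters(body: str, args: str) -> str:
    """Apply both substitutions in one pass over the body (sub_filter_once off)."""
    rules = {
        '/cover': '/cover?' + args,
        '" length="': '?' + args + '" length="',
    }
    pattern = re.compile('|'.join(re.escape(k) for k in rules))
    return pattern.sub(lambda m: rules[m.group(0)], body)


def audit(body: str, args: str) -> dict:
    """Classify every cover and enclosure URL found in the rewritten feed."""
    root = ET.fromstring(body)
    urls = [e.get('url') for e in root.iter('enclosure')]
    urls += [e.text for e in root.iter('url')]
    result = {}
    for u in urls:
        if args not in u:
            result[u] = 'no token'         # the client will request it unauthenticated
        elif u.count('?') != 1:
            result[u] = 'malformed query'  # token appended after an existing query string
        else:
            result[u] = 'ok'
    return result


def report(args: str = 'token=SAMPLE') -> dict:
    return audit(apply_sub_filters(FEED, args), args)


if __name__ == '__main__':
    for url, status in report().items():
        print(f'{status:16} {url}')
```

An enclosure URL that already has a query string, or an `<enclosure>` whose `length` attribute does not directly follow `url`, is not rewritten correctly by the string substitution. Every URL marked `ok` embeds the token, so the rewritten feed body is as sensitive as the token itself.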


@Cartload4067 commented on GitHub (Nov 14, 2025):

For anyone else still wanting the ability to do this I built a solution for this using Caddy as the reverse proxy. Add the following to your Caddyfile above the reverse proxy command specified by the docs.

```
@feeds path_regexp feed ^/audiobookshelf/feed/[^/]+$
basicauth @feeds {
    username password_hash
}
```

You can get the password hash caddy expects by running the command

```
caddy hash-password
```

Tested this worked and pulled down podcast metadata and cover images on 3 different iOS podcast apps, but if anyone has any issues with it let me know.
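
A check of which URLs the `@feeds` matcher above actually puts behind `basicauth`, added here as an example and not part of the original comment. The feed is constructed; the host `abs.example`, the feed id and the cover and item paths are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The path_regexp pattern from the Caddyfile snippet above.
FEEDS_MATCHER = re.compile(r'^/audiobookshelf/feed/[^/]+$')

# Constructed feed; host, feed id and the cover/item paths are assumptions.
SAMPLE_FEED = """<rss><channel>
<link>https://abs.example/audiobookshelf/feed/li_example</link>
<image><url>https://abs.example/audiobookshelf/feed/li_example/cover</url></image>
<item><enclosure url="https://abs.example/audiobookshelf/feed/li_example/item/1/ep1.mp3" length="1234" type="audio/mpeg"/></item>
</channel></rss>"""


def feed_urls(xml_text: str) -> list:
    """Collect the feed link, cover URL and enclosure URLs a podcast app would fetch."""
    root = ET.fromstring(xml_text)
    urls = [e.text for e in root.iter('link')]
    urls += [e.text for e in root.iter('url')]
    urls += [e.get('url') for e in root.iter('enclosure')]
    return urls


def coverage(xml_text: str) -> dict:
    """Map each request path to True when the @feeds matcher (and so basicauth) applies."""
    result = {}
    for u in feed_urls(xml_text):
        path = urlsplit(u).path
        result[path] = bool(FEEDS_MATCHER.match(path))
    return result


if __name__ == '__main__':
    for path, protected in coverage(SAMPLE_FEED).items():
        print(('basicauth ' if protected else 'open      ') + path)
```

Because the pattern ends in `[^/]+$`, only the feed document itself matches; any path with a further segment below the feed id falls through to the regular reverse proxy rule without a credential prompt.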

Reference: starred/audiobookshelf#973