From 6d8a73930d49eafbe0acdda8e5fab37fea300526 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?= <felix@piedallu.me>
Date: Fri, 8 Dec 2023 11:08:08 +0100
Subject: [PATCH] Add a workaround in Nginx to make RPC work with basic auth,
 and return 401 instead of 302. We need to do that *only* on the RPC location
 to keep redirect to SSO working.

---
 conf/nginx.conf | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 9b35405..2bdaf1b 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,9 +1,24 @@
-location __PATH__/transmission {
-  proxy_pass http://127.0.0.1:__PORT____PATH__/transmission;
+location __PATH__/transmission/rpc {
+  proxy_pass http://127.0.0.1:__PORT____PATH__/transmission/rpc;
   more_clear_input_headers 'Accept-Encoding';
 
   client_max_body_size 8M;
 
+  # This is a fix up for RPC login. Client is either a browser
+  # (SSOwAuthUser cookie) or a transmission-remote client (Basic Auth)
+  # If none is present, return a 401.
+  set $rpcauth 0;
+  if ($http_authorization ~ "Basic .*") {
+    set $rpcauth 1;
+  }
+  if ($cookie_SSOwAuthUser != "") {
+    set $rpcauth 1;
+  }
+  if ($rpcauth = 0) {
+    more_set_headers "WWW-Authenticate: Basic";
+    return 401;
+  }
+
   # Include SSOWAT user panel.
   include conf.d/yunohost_panel.conf.inc;
 }