Auth_remote last_login_update array warning

Tiny Tiny RSS Themes and Plugins
1

Don’t know if this a bug and should be in the support section but I’ve possibly configured something wrong as I couldn’t really find any documentation on configuring the auth header for use in the auth_remote plugin. Other than this warning on login it was fairly simple to setup.

  • [x] I’m using docker compose setup, with modifications (modified .yml files, third party plugins/themes, etc.) - if so, describe your modifications in your post. Before reporting, see if your issue can be reproduced on the unmodified setup.

I am using the SSO provider Authentik to set the remote-user in an nginx proxy for the auth_remote plugin

Other plugins used are feediron and a some custom css modifications. Disabling these dosn’t change anything.

On login for any user I recieve a Undefined array key "last_login_update" warning in the event log

E_WARNING (2) 
classes/feeds.php:520

Undefined array key "last_login_update"
1. classes/feeds.php(520): ttrss_error_handler(Undefined array key "last_login_update", classes/feeds.php)
2. backend.php(136): view()

Real IP: xxx.xxx.xxx.xxx
Forwarded For: xxx.xxx.xxx.xxx
Forwarded Protocol: https
Remote IP: 172.90.126.1
Request URI: /tt-rss/backend.php
User agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
  • Tiny Tiny RSS version (including git commit id): v22.03-385da287d
  • Platform (i.e. Linux distro, Docker, PHP, PostgreSQL, etc) versions: docker-compose
TT-RSS .env 
TTRSS_DB_USER=postgres
TTRSS_DB_NAME=postgres
TTRSS_DB_PASS=[xxx]
TTRSS_SELF_URL_PATH=https://example.tld/tt-rss

TTRSS_PLUGINS=auth_remote, auth_internal, note
AUTH_AUTO_CREATE=true
TTRSS_AUTH_REMOTE_POST_LOGOUT_URL=https://example.tld/outpost.goauthentik.io/sign_out

TTRSS_ENABLE_GZIP_OUTPUT=true

TTRSS_SMTP_FROM_NAME=Tiny Tiny RSS
[email protected]
TTRSS_SMTP_SERVER=mail.example.tld
TTRSS_SMTP_LOGIN=ttrss
TTRSS_SMTP_PASSWORD=[xxx]
TTRSS_SMTP_SECURE=tls
TTRSS_SMTP_SKIP_CERT_CHECKS=false

HTTP_PORT=127.0.0.1:8280
Nginx proxy config 
upstream ttrss_app {
  server 127.0.0.1:8280;

  keepalive 32;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name example.tld;

  ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  ssl_session_tickets off;

  # intermediate configuration
  ssl_protocols TLSv1.2;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  # verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;

  # replace with the IP address of your resolver
  resolver 10.1.1.1;

  # Block all bots
  if ($http_user_agent ~ ".*bot.*") {
    return 403;
  }

[...]

  location ^~ /tt-rss/ {
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Remote-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    
    proxy_cache off;
    
    proxy_buffering off;
    proxy_pass_request_body on;
    proxy_request_buffering off;
    
    proxy_connect_timeout 7d;
    proxy_read_timeout 7d;
    proxy_send_timeout 7d;

    proxy_pass http://ttrss_app/tt-rss/;

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;

    proxy_set_header remote-user $authentik_username;
  }

    # all requests to /outpost.goauthentik.io must be accessible without authentication
    location /outpost.goauthentik.io {
        proxy_pass          https://127.0.0.1:9443/outpost.goauthentik.io;
        # ensure the host of this vserver matches your external URL you've configured
        # in authentik
        proxy_set_header    Host $host;
        proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
        add_header          Set-Cookie $auth_cookie;
        auth_request_set    $auth_cookie $upstream_http_set_cookie;
    }

    # Special location for when the /auth endpoint returns a 401,
    # redirect to the /start URL which initiates SSO
    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }

}
2

i’ll try to take a look tomorrow. kind of busy here.

3

does this help? set last_login_update session variable immediately when logging in · 4250386ba5 - tt-rss - Tiny Tiny RSS

4

Yep that did the trick. Thanks fox