#1
Ok so I thought I understood the idea behind user:pass@host format, but I am skeptical now. Let's say I am exposing SABnzbd externally, it has basic HTTP auth enabled. In other words, for me to log in via a browser I have to input my login and password. I am using the built-in SABnzbd HTTP auth, I don't have it somehow running behind IIS or any other server.

When I set up nzb360, I am putting in the API key of SABnzbd as well as the IP. I always assumed that the API does not require the login/password information to be presented to access it, even if it's enabled for actual login to the site. In fact I've never supplied the user:password in the nzb360 configuration, only the IP and API key, and it has been sufficient for all applications. So this begs the question then, when is the user:password used? My only guess would be if your application somehow sits behind some other server/proxy that would require the user/password information to even access the API.
#2
Http Basic Auth is to authenticate yourself to the web server (which is built in sabnzbd).

After that you need an API key to perform actions like adding nzbs. The API key acts as authorization key.

Authentication: Confirm you are who you say you are.
Authorization: Confirm you have the rights to access..... ehh.. 'something'

That said, I just VPN in.
#3
f3bruary wrote: Http Basic Auth is to authenticate yourself to the web server (which is built in sabnzbd).

After that you need an API key to perform actions like adding nzbs. The API key acts as authorization key.

Authentication: Confirm you are who you say you are.
Authorization: Confirm you have the rights to access..... ehh.. 'something'

That said, I just VPN in.
If this is in fact true, then how come it works and has always worked for me without putting in user/password information? Something doesn't add up.
#4
I might have misunderstood. Are you saying you have basic authentication enabled, but sab only requires an API key to perform actions and ignores any credentials?
#5
f3bruary wrote: I might have misunderstood. Are you saying you have basic authentication enabled, but sab only requires an API key to perform actions and ignores any credentials?
Yes exactly. The credentials are in fact not needed at all, even if you have basic authentication enabled.

In other words, pretty much everyone who exposes SABnzbd (and other apps) externally probably sets a user name and password (basic auth), right? I mean no one wants to leave their apps completely open to the public. Having done that, they go to set it up in nzb360 and under IP/HOST Address it clearly states:

"For HTTP Auth support, simply user the user:pass@host format."

This doesn't seem to be a requirement at all, the API key is sufficient regardless of basic auth on whatever application. In fact I just checked this by running:
https://IP:PORT/api?mode=qstatus&output=xml&apikey=APIKEY
And for confirmation of this hypothesis: http://wiki.sabnzbd.org/api#toc1
Authentication

The preferred way is to use the API key parameter.
If for some reason the API key is disabled and a UI username/password is set, then you must use the ma_* parameters.
#6
Then Basic Auth is only needed to access the web interface. The /api route doesn't. It only requires the actual key. I don't use it, so I can't test. One could put basic auth on the /api route too though.
#7
f3bruary wrote: Then Basic Auth is only needed to access the web interface. The /api route doesn't. It only requires the actual key. I don't use it, so I can't test. One could put basic auth on the /api route too though.
Agreed. My only point is that this is confusing from nzb360's perspective. If one is using a standard installation of these applications they don't need to specify the user/password information in nzb360.
#8
Some folks use their own custom http auth in front of all their services. This is to support those setups. It is not needed for the vast majority of setups.
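
An added example, not part of any post in this thread and not SABnzbd or nzb360 code: a small Python model of the two setups discussed above, the stock one where `/api` accepts the API key alone and one with HTTP auth in front of every route, plus how a client turns a `user:pass@host` field into a Basic Auth header. The credentials, address, function names and the 401/403 status choices are constructed assumptions.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample values, not real credentials.
CFG = {"user": "admin", "password": "s3cret", "apikey": "0123456789abcdef"}

def client_request(host_field, path_and_query):
    """Split a 'user:pass@host:port' field into a clean URL plus headers."""
    parts = urlsplit("https://" + host_field)
    headers = {}
    if parts.username is not None:
        raw = f"{parts.username}:{parts.password or ''}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    netloc = parts.hostname + (f":{parts.port}" if parts.port else "")
    return f"https://{netloc}{path_and_query}", headers

def basic_ok(headers, cfg):
    """Check an Authorization: Basic header against the configured login."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(value[6:], validate=True).partition(b":")
    except ValueError:  # malformed base64
        return False
    return (hmac.compare_digest(user, cfg["user"].encode())
            and hmac.compare_digest(pw, cfg["password"].encode()))

def status(url, headers, cfg, api_behind_basic=False):
    """Model server: 200 allowed, 401 Basic Auth missing/wrong, 403 bad API key."""
    parts = urlsplit(url)
    if parts.path != "/api":  # web interface: Basic Auth only
        return 200 if basic_ok(headers, cfg) else 401
    if api_behind_basic and not basic_ok(headers, cfg):
        return 401  # proxy-style setup: auth is checked before the API sees the key
    key = parse_qs(parts.query).get("apikey", [""])[0]
    return 200 if hmac.compare_digest(key.encode(), cfg["apikey"].encode()) else 403

if __name__ == "__main__":
    query = "/api?mode=qstatus&output=xml&apikey=" + CFG["apikey"]
    for field in ("192.0.2.10:8080", "admin:s3cret@192.0.2.10:8080"):
        url, headers = client_request(field, query)
        print(field, status(url, headers, CFG), status(url, headers, CFG, True))
```

In the stock model the API key is the only thing protecting `/api`, so it deserves the same handling as a password; the `user:pass@host` field only changes the outcome when something in front of the API also checks Basic Auth.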