From cc00f49bf9ddf2d7e204dc2cac7566a3030a667e Mon Sep 17 00:00:00 2001
From: JJGadgets <git@jjgadgets.tech>
Date: Tue, 25 Feb 2025 16:29:02 +0800
Subject: [PATCH] feat(navidrome): basic auth authentik for Subsonic

---
 kube/deploy/apps/media/navidrome/app/hr.yaml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/kube/deploy/apps/media/navidrome/app/hr.yaml b/kube/deploy/apps/media/navidrome/app/hr.yaml
index d05b4a2c..9123d575 100644
--- a/kube/deploy/apps/media/navidrome/app/hr.yaml
+++ b/kube/deploy/apps/media/navidrome/app/hr.yaml
@@ -137,14 +137,19 @@ spec:
           nginx.ingress.kubernetes.io/auth-snippet: |
               proxy_set_header X-Forwarded-Host $http_host;
           nginx.ingress.kubernetes.io/configuration-snippet: | # authentik's 401 doesn't have this header, needed for at least iOS
-            error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 500 501 502 503 504 505 506 507 508 509 510 511 512 =200 @navidrome_subsonic_auth
             if ($http_authorization = "") {
+                return 200 '<subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">\n<error code="40" message="Invalid credentials or unsupported client"></error>\n</subsonic-response>'
                 add_header 'WWW-Authenticate' 'Basic realm="fuck off"' always;
             }
-          nginx.ingress.kubernetes.io/server-snippet: | # authentik's 401 doesn't have this header, needed for at least iOS
-            location @navidrome_subsonic_auth {
-                return 200 '<subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">\n<error code="40" message="Invalid credentials or unsupported client"></error>\n</subsonic-response>'
-            }
+          # nginx.ingress.kubernetes.io/configuration-snippet: | # authentik's 401 doesn't have this header, needed for at least iOS
+          #   error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 500 501 502 503 504 505 506 507 508 509 510 511 512 =200 @navidrome_subsonic_auth
+          #   if ($http_authorization = "") {
+          #       add_header 'WWW-Authenticate' 'Basic realm="fuck off"' always;
+          #   }
+          # nginx.ingress.kubernetes.io/server-snippet: | # authentik's 401 doesn't have this header, needed for at least iOS
+          #   location @navidrome_subsonic_auth {
+          #       return 200 '<subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">\n<error code="40" message="Invalid credentials or unsupported client"></error>\n</subsonic-response>'
+          #   }
         hosts:
           - host: &host "${APP_DNS_NAVIDROME:=navidrome}"
             paths: