starred/ntfy
1
0
Fork 0
mirror of https://github.com/binwiederhier/ntfy.git synced 2026-05-09 16:35:53 +02:00
Code Issues 368 Projects Packages Wiki Activity

[GH-ISSUE #1529] Android: Attachment download not using User #1078

New issue
Closed
opened 2026-05-07 00:30:06 +02:00 by BreizhHardware · 14 comments
BreizhHardware commented 2026-05-07 00:30:06 +02:00
Owner
Copy link

Originally created by @ManInDark on GitHub (Dec 31, 2025).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1529

🐞 Describe the bug

For protected topics (or hosting ntfy behind a reverse proxy with basic auth in my case) you can set a username password pair by creating a user with those credentials.

The issue is that those credentials are not used when attempting to download attachments.

💻 Components impacted

Android App

💡 Screenshots and/or logs

Image

🔮 Additional context

I've already started looking into this, the solution is likely to change the DownloadAttachmentWorker.kt around the line 65 to have the Request.Builder() also use the credentials like they are in ApiService.kt in the requestBuilder function.

I am currently struggeling as I'm not quite familiar with how the live api works in Android and if I try to retrieve the users via said api I only get null.

Originally created by @ManInDark on GitHub (Dec 31, 2025). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1529 :lady_beetle: **Describe the bug** <!-- A clear and concise description of the problem. --> For protected topics (or hosting ntfy behind a reverse proxy with basic auth in my case) you can set a username password pair by creating a user with those credentials. The issue is that those credentials are not used when attempting to download attachments. :computer: **Components impacted** <!-- ntfy server, Android app, iOS app, web app --> Android App :bulb: **Screenshots and/or logs** <!-- If applicable, add screenshots or share logs help explain your problem. To get logs from the ... - ntfy server: Enable "log-level: trace" in your server.yml file - Android app: Go to "Settings" -> "Record logs", then eventually "Copy/upload logs" - web app: Press "F12" and find the "Console" window --> <img width="194" height="34" alt="Image" src="https://github.com/user-attachments/assets/fd7bcc7a-ef78-401d-bbbf-a9e5225862c3" /> :crystal_ball: **Additional context** <!-- Add any other context about the problem here. --> I've already started looking into this, the solution is likely to change the `DownloadAttachmentWorker.kt` around the line 65 to have the `Request.Builder()` also use the credentials like they are in `ApiService.kt` in the `requestBuilder` function. I am currently struggeling as I'm not quite familiar with how the live api works in Android and if I try to retrieve the users via said api I only get null.
BreizhHardware 2026-05-07 00:30:06 +02:00
  • closed this issue
  • added the
    🪲 bug
         label
BreizhHardware commented 2026-05-07 00:30:06 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Dec 31, 2025):

ntfy behind a reverse proxy with basic auth in my case

This is not a supported use case.

Typically, attachments do not need credentials. The message ID is the password. It cannot be guessed. You can exclude server.com/file/* from the basic auth requirement in your proxy.

Which version of the Android app are you on? It may be easy enough add that code, so I may still do it

<!-- gh-comment-id:3702574909 --> @binwiederhier commented on GitHub (Dec 31, 2025): > ntfy behind a reverse proxy with basic auth in my case This is not a supported use case. Typically, attachments do not need credentials. The message ID is the password. It cannot be guessed. You can exclude `server.com/file/*` from the basic auth requirement in your proxy. Which version of the Android app are you on? It may be easy enough add that code, so I may still do it
BreizhHardware commented 2026-05-07 00:30:07 +02:00
Author
Owner
Copy link

@wunter8 commented on GitHub (Dec 31, 2025):

Making the attachment URLs require auth would be a pretty big breaking change, no?

<!-- gh-comment-id:3702851710 --> @wunter8 commented on GitHub (Dec 31, 2025): Making the attachment URLs require auth would be a pretty big breaking change, no?
BreizhHardware commented 2026-05-07 00:30:07 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Dec 31, 2025):

I would just make the Android client send the credentials when downloading, so that his authenticated proxy would be happy.

Turns out that if you use the same basic auth in your proxy that you use for the ntfy user, it'll work apparently. At lease according to @ManInDark

<!-- gh-comment-id:3702859224 --> @binwiederhier commented on GitHub (Dec 31, 2025): I would just make the Android client send the credentials when downloading, so that his authenticated proxy would be happy. Turns out that if you use the same basic auth in your proxy that you use for the ntfy user, it'll work apparently. At lease according to @ManInDark
BreizhHardware commented 2026-05-07 00:30:07 +02:00
Author
Owner
Copy link

@wunter8 commented on GitHub (Dec 31, 2025):

Wouldn't the "custom request headers" PR fix this scenario?

<!-- gh-comment-id:3702863051 --> @wunter8 commented on GitHub (Dec 31, 2025): Wouldn't the "custom request headers" PR fix this scenario?
BreizhHardware commented 2026-05-07 00:30:07 +02:00
Author
Owner
Copy link

@ManInDark commented on GitHub (Dec 31, 2025):

ntfy behind a reverse proxy with basic auth in my case

This is not a supported use case.

Oh, good to know, I just put the whole app behind the proxy since I already had other apps with the same setup and naively assumed it would just work.

Which version of the Android app are you on? It may be easy enough add that code, so I may still do it

FDroid 1.19.4, I could also change the subpath access but that would be greatly appreciated.

<!-- gh-comment-id:3702947684 --> @ManInDark commented on GitHub (Dec 31, 2025): > > ntfy behind a reverse proxy with basic auth in my case > > This is not a supported use case. Oh, good to know, I just put the whole app behind the proxy since I already had other apps with the same setup and naively assumed it would just work. > Which version of the Android app are you on? It may be easy enough add that code, so I may still do it FDroid 1.19.4, I could also change the subpath access but that would be greatly appreciated.
BreizhHardware commented 2026-05-07 00:30:07 +02:00
Author
Owner
Copy link

@ManInDark commented on GitHub (Dec 31, 2025):

Turns out that if you use the same basic auth in your proxy that you use for the ntfy user, it'll work apparently. At lease according to @ManInDark

I actually don't use the users feature since I already have access control using the proxy.

Though it could also be done twice, you just have to proxy the auth headers too.

<!-- gh-comment-id:3702957752 --> @ManInDark commented on GitHub (Dec 31, 2025): > Turns out that if you use the same basic auth in your proxy that you use for the ntfy user, it'll work apparently. At lease according to @ManInDark I actually don't use the users feature since I already have access control using the proxy. Though it could also be done twice, you just have to proxy the auth headers too.
BreizhHardware commented 2026-05-07 00:30:07 +02:00
Author
Owner
Copy link

@ManInDark commented on GitHub (Jan 1, 2026):

diff --git a/app/src/main/java/io/heckel/ntfy/msg/DownloadAttachmentWorker.kt b/app/src/main/java/io/heckel/ntfy/msg/DownloadAttachmentWorker.kt
index f1cf32a9..edaec46d 100644
--- a/app/src/main/java/io/heckel/ntfy/msg/DownloadAttachmentWorker.kt
+++ b/app/src/main/java/io/heckel/ntfy/msg/DownloadAttachmentWorker.kt
@@ -15,10 +15,12 @@ import io.heckel.ntfy.app.Application
 import io.heckel.ntfy.db.*
 import io.heckel.ntfy.util.Log
 import io.heckel.ntfy.util.ensureSafeNewFile
+import okhttp3.Credentials
 import okhttp3.OkHttpClient
 import okhttp3.Request
 import okhttp3.Response
 import java.io.File
+import java.nio.charset.StandardCharsets.UTF_8
 import java.util.concurrent.TimeUnit

 class DownloadAttachmentWorker(private val context: Context, params: WorkerParameters) : Worker(context, params) {
@@ -61,10 +63,14 @@ class DownloadAttachmentWorker(private val context: Context, params: WorkerParam
         Log.d(TAG, "Downloading attachment from ${attachment.url}")

         try {
-            val request = Request.Builder()
+            val user = repository.getUsersLiveData().value?.first { user -> attachment.url.contains(user.baseUrl) }
+            val requestBuilder = Request.Builder()
                 .url(attachment.url)
                 .addHeader("User-Agent", ApiService.USER_AGENT)
-                .build()
+            if (user != null) {
+                requestBuilder.addHeader("Authorization", Credentials.basic(user.username, user.password, UTF_8))
+            }
+            val request = requestBuilder.build()
             client.newCall(request).execute().use { response ->
                 Log.d(TAG, "Download: headers received: $response")
                 if (!response.isSuccessful) {

Something like this should theoretically work, but for some reason I can't quite figure out the repository.getUsersLiveData() returns just null instead of the user list.

So all in all it's probably a relatively small change without any differences for those not using proxy auth.

<!-- gh-comment-id:3703096466 --> @ManInDark commented on GitHub (Jan 1, 2026): ```diff diff --git a/app/src/main/java/io/heckel/ntfy/msg/DownloadAttachmentWorker.kt b/app/src/main/java/io/heckel/ntfy/msg/DownloadAttachmentWorker.kt index f1cf32a9..edaec46d 100644 --- a/app/src/main/java/io/heckel/ntfy/msg/DownloadAttachmentWorker.kt +++ b/app/src/main/java/io/heckel/ntfy/msg/DownloadAttachmentWorker.kt @@ -15,10 +15,12 @@ import io.heckel.ntfy.app.Application import io.heckel.ntfy.db.* import io.heckel.ntfy.util.Log import io.heckel.ntfy.util.ensureSafeNewFile +import okhttp3.Credentials import okhttp3.OkHttpClient import okhttp3.Request import okhttp3.Response import java.io.File +import java.nio.charset.StandardCharsets.UTF_8 import java.util.concurrent.TimeUnit class DownloadAttachmentWorker(private val context: Context, params: WorkerParameters) : Worker(context, params) { @@ -61,10 +63,14 @@ class DownloadAttachmentWorker(private val context: Context, params: WorkerParam Log.d(TAG, "Downloading attachment from ${attachment.url}") try { - val request = Request.Builder() + val user = repository.getUsersLiveData().value?.first { user -> attachment.url.contains(user.baseUrl) } + val requestBuilder = Request.Builder() .url(attachment.url) .addHeader("User-Agent", ApiService.USER_AGENT) - .build() + if (user != null) { + requestBuilder.addHeader("Authorization", Credentials.basic(user.username, user.password, UTF_8)) + } + val request = requestBuilder.build() client.newCall(request).execute().use { response -> Log.d(TAG, "Download: headers received: $response") if (!response.isSuccessful) { ``` Something like this _should_ theoretically work, but for some reason I can't quite figure out the `repository.getUsersLiveData()` returns just null instead of the user list. So all in all it's probably a relatively small change without any differences for those not using proxy auth.
BreizhHardware commented 2026-05-07 00:30:07 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Jan 5, 2026):

This is solved in https://github.com/binwiederhier/ntfy-android/pull/149

<!-- gh-comment-id:3710704331 --> @binwiederhier commented on GitHub (Jan 5, 2026): This is solved in https://github.com/binwiederhier/ntfy-android/pull/149
BreizhHardware commented 2026-05-07 00:30:08 +02:00
Author
Owner
Copy link

@ManInDark commented on GitHub (Jan 6, 2026):

I've tested it with 45c36b8f (HEAD -> mtls, origin/mtls) Review as the last commit (git log -1 --oneline), it didn't work.

I assume that the user object isn't passed correctly, but not sure on that, I'll do some more detailed debugging later.

<!-- gh-comment-id:3715298542 --> @ManInDark commented on GitHub (Jan 6, 2026): I've tested it with `45c36b8f (HEAD -> mtls, origin/mtls) Review` as the last commit (`git log -1 --oneline`), it didn't work. I assume that the user object isn't passed correctly, but not sure on that, I'll do some more detailed debugging later.
BreizhHardware commented 2026-05-07 00:30:08 +02:00
Author
Owner
Copy link

@ManInDark commented on GitHub (Jan 6, 2026):

Apparently my assumption was correct, in DownloadAttachmentWorker.kt:65 no user is passed to the requestBuilder function:

val request = HttpUtil.requestBuilder(attachment.url).build()

This function only needs the second parameter to be set to the user: (HttpUtil.kt:59)

fun requestBuilder(url: String, user: User? = null, customHeaders: List<CustomHeader> = emptyList()): Request.Builder

I still have no idea how to get an instance of the user list at this point in the code, so sorry that I can't help further than that.

<!-- gh-comment-id:3715359550 --> @ManInDark commented on GitHub (Jan 6, 2026): Apparently my assumption was correct, in `DownloadAttachmentWorker.kt:65` no user is passed to the `requestBuilder` function: ```kt val request = HttpUtil.requestBuilder(attachment.url).build() ``` This function only needs the second parameter to be set to the user: (`HttpUtil.kt:59`) ```kt fun requestBuilder(url: String, user: User? = null, customHeaders: List<CustomHeader> = emptyList()): Request.Builder ``` I still have no idea how to get an instance of the user list at this point in the code, so sorry that I can't help further than that.
BreizhHardware commented 2026-05-07 00:30:08 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Jan 6, 2026):

You are a hero. Thanks for testing. Fixed in a latest commit (untested)

<!-- gh-comment-id:3715555949 --> @binwiederhier commented on GitHub (Jan 6, 2026): You are a hero. Thanks for testing. Fixed in a latest commit (untested)
BreizhHardware commented 2026-05-07 00:30:08 +02:00
Author
Owner
Copy link

@ManInDark commented on GitHub (Jan 6, 2026):

I've tested this commit:

$ git log --oneline -1
eb11eec9 (HEAD -> mtls, origin/mtls) Fixed download worker

And it works! Thank you very much for implementing this feature!

<!-- gh-comment-id:3716576789 --> @ManInDark commented on GitHub (Jan 6, 2026): I've tested this commit: ```sh $ git log --oneline -1 eb11eec9 (HEAD -> mtls, origin/mtls) Fixed download worker ``` And it works! Thank you very much for implementing this feature!
BreizhHardware commented 2026-05-07 00:30:08 +02:00
Author
Owner
Copy link

@binwiederhier commented on GitHub (Jan 16, 2026):

Will be part of 1.22.x

<!-- gh-comment-id:3757762734 --> @binwiederhier commented on GitHub (Jan 16, 2026): Will be part of 1.22.x
BreizhHardware commented 2026-05-07 00:30:08 +02:00
Author
Owner
Copy link

@ManInDark commented on GitHub (Feb 1, 2026):

I've just confirmed that it works perfectly with the version 1.22.2

Thank you very much!

Should I add an example with basic auth to tje documentation or do you want to keep this as an unsupported setup?

<!-- gh-comment-id:3830695457 --> @ManInDark commented on GitHub (Feb 1, 2026): I've just confirmed that it works perfectly with the version 1.22.2 Thank you very much! Should I add an example with basic auth to tje documentation or do you want to keep this as an unsupported setup?
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dependabot/npm_and_yarn/web/fast-uri-3.1.2
email-verification
attachment-no-http2
attachment-fixes
attachment-s3
config-generator
postgres-replica
dockers-v2
postgres-support
postgres-webpush+user+message
postgres-webpush+user
postgres-webpush
1364-copy-action
crashfix
user-header
scalar-api-docs
cancel-scheduled
update-available
windows-server
303-update-notifications
postgres
admin-ui
require-login
http-clipboard
message-cache-lock
debian-stripe
predefined-users
busy-timeout
template-dir
ipv6
client-ip-header
apns-fix
feat_optional_require_login
security-updates
pg-message-cache
templating-disallow
templating-3
templating-2
message-size-limit+delay-limit
remove-rate-topics
html-emails
cf-priority
acl-underscores
auth-user-header
markdown
img-attach
web-improvements
utf8-headers
matrix-507-reject
http-response-writer
new-homepage-design
e2e
canary
windows
electron
update-messages
webhook-templating
v2.22.0
v2.21.0
v2.20.1
v2.20.0
v2.19.2
v2.19.1
v2.19.0
v2.18.0
v2.17.0
v2.16.0
v2.15.0
v2.14.0
v2.13.0
v2.12.0
v2.11.0
v2.10.0
v2.9.0
v2.8.0
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v1.31.0
v1.30.1
v1.29.1
v1.29.0
v1.28.0
v1.27.2
v1.27.1
v1.26.0
v1.25.2
v1.25.1
v1.25.0
v1.24.0
v1.23.0
v1.22.0
v1.21.2
v1.21.1
v1.21.0
v1.20.0
v1.19.0
v1.18.1
v1.18.0
v1.17.1
v1.17.0
v1.16.0
v1.15.0
v1.14.1
v1.14.0
v1.13.0
v1.12.1
v1.12.0
v1.11.1
v1.11.2
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.1
v1.6.0
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.8
v1.4.7
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.2
v1.3.3
v1.3.1
v1.3.0
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.0
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
ai-generated

   
android-app

   
android-app

   
android-app

   
🪲 bug

   
build

   
build

   
dependencies

   
docs

   
enhancement

   
enhancement

   
🔥 HOT

   
in-progress 🏃

   
ios

   
prio:low

   
prio:low

   
pull-request
Mirrored from GitHub Pull Request

  
question

   
🔒 security

   
server

   
server

   
unified-push

   
web-app

   
website
No labels
ai-generated
android-app
android-app
android-app
🪲 bug
build
build
dependencies
docs
enhancement
enhancement
🔥 HOT
in-progress 🏃
ios
prio:low
prio:low
pull-request
question
🔒 security
server
server
unified-push
web-app
website
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/ntfy#1078
No description provided.