https://libre.fm/api/auth?stuff redirects to http://libre.fm/api/auth/?stuff
Introduction
Libre.fm is a free and open-source music streaming service that allows users to scrobble their music listening history to various platforms. However, a recent issue has been discovered where the Libre.fm API redirects from HTTPS to HTTP, causing problems for Android apps that use a webview for login and existing versions of Pano Scrobbler and WebScrobbler.
The Problem
The issue arises when a user attempts to log in to Libre.fm using a webview in an Android app. The app sends a request to the Libre.fm API over HTTPS, but the API responds with a redirect to an HTTP URL. This causes the Android app to throw a NET::ERR_CLEARTEXT_NOT_PERMITTED error, as cleartext traffic is not allowed by default.
Example Request
To demonstrate the issue, a request was sent to the Libre.fm API using the following command:
curl "https://libre.fm/api/auth?api_key=test&cb=test://auth/librefm"
The response from the API was a 301 Moved Permanently redirect, which included the following HTML:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://libre.fm/api/auth/?api_key=test&cb=test://auth/librefm">here</a>.</p>
<hr>
<address>Apache/2.4.59 (Debian) Server at libre.fm Port 80</address>
</body></html>
Impact on Android Apps
The HTTPS to HTTP redirect issue has a significant impact on Android apps that use a webview for login. These apps are unable to authenticate with the Libre.fm API, resulting in a NET::ERR_CLEARTEXT_NOT_PERMITTED error. This error is thrown because cleartext traffic is not allowed by default in Android apps, and the API redirect causes the app to attempt to communicate with the API over cleartext HTTP.
Impact on Pano Scrobbler and WebScrobbler
Existing versions of Pano Scrobbler and WebScrobbler also use a URL with the www prefix for login, which is equivalent to the last.fm URL. However, this URL currently returns a 404 error. The www prefix is likely to be removed in a future release of Pano, but the Libre.fm login is currently broken in these two apps.
Conclusion
The HTTPS to HTTP redirect issue on the Libre.fm API is causing problems for Android apps that use a webview for login and existing versions of Pano Scrobbler and WebScrobbler. The issue arises when the API redirects the request from HTTPS to HTTP, causing the Android app to throw a NET::ERR_CLEARTEXT_NOT_PERMITTED error. To resolve this issue, the Libre.fm API should be updated to not redirect from HTTPS to HTTP, or the Android app should be updated to handle the redirect correctly.
Recommendations
To resolve the issue, the following recommendations can be made:
- Update the Libre.fm API to not redirect from HTTPS to HTTP.
- Update the Android app to handle the redirect correctly.
- Remove the www prefix from the Libre.fm login URL in Pano Scrobbler and WebScrobbler.
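In the 301 shown earlier, the redirect target differs from the request only in its scheme and a trailing slash after auth. One way a client could handle such a redirect without sending cleartext is sketched below as an added example; it is not code from Libre.fm, Pano Scrobbler or WebScrobbler, and the names classify_redirect, resolve and fake_fetch, as well as the 200 response to the upgraded URL, are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECTS = (301, 302, 303, 307, 308)
# Request URL from the curl command on this page.
START = "https://libre.fm/api/auth?api_key=test&cb=test://auth/librefm"


def classify_redirect(request_url, location):
    """Decide what to do with one redirect hop: follow, upgrade or block."""
    target = urljoin(request_url, location)  # Location may be relative
    src, dst = urlsplit(request_url), urlsplit(target)
    if not (src.scheme == "https" and dst.scheme == "http"):
        return "follow", target
    # HTTPS -> HTTP downgrade. Retry over TLS only when the redirect stays on
    # the same host and default HTTP port; anything else is refused.
    same_host = (src.hostname or "").lower() == (dst.hostname or "").lower()
    if same_host and dst.port in (None, 80):
        parts = ("https", src.netloc, dst.path, dst.query, dst.fragment)
        return "upgrade", urlunsplit(parts)
    return "block", target


def resolve(url, fetch, max_hops=5):
    """Walk a redirect chain; fetch(url) returns (status, location or None)."""
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return url, hops
        action, url_next = classify_redirect(url, location)
        hops.append((status, action, url_next))
        if action == "block":
            raise ValueError(f"refusing cleartext redirect to {url_next}")
        url = url_next
    raise ValueError("too many redirects")


def fake_fetch(url):
    """Constructed offline responder: replays the 301 shown on this page.
    The 200 for every other URL is an assumption, not observed behaviour."""
    if url == START:
        return 301, "http://libre.fm/api/auth/?api_key=test&cb=test://auth/librefm"
    return 200, None


if __name__ == "__main__":
    final_url, hops = resolve(START, fake_fetch)
    print(final_url, hops)
```

The same decision can be applied wherever an app intercepts navigation, so the request is retried over TLS instead of being sent in cleartext or failing outright.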
Introduction
In our previous article, we discussed the HTTPS to HTTP redirect issue on the Libre.fm API and its impact on Android apps that use a webview for login and existing versions of Pano Scrobbler and WebScrobbler. In this article, we will provide a Q&A section to address some of the frequently asked questions related to this issue.
Q: What is the HTTPS to HTTP redirect issue on the Libre.fm API?
A: The HTTPS to HTTP redirect issue on the Libre.fm API occurs when a user attempts to log in to Libre.fm using a webview in an Android app. The app sends a request to the Libre.fm API over HTTPS, but the API responds with a redirect to an HTTP URL. This causes the Android app to throw a NET::ERR_CLEARTEXT_NOT_PERMITTED error, as cleartext traffic is not allowed by default.
Q: Why is the HTTPS to HTTP redirect issue a problem?
A: The HTTPS to HTTP redirect issue is a problem because it causes Android apps that use a webview for login to throw a NET::ERR_CLEARTEXT_NOT_PERMITTED error. This error is thrown because cleartext traffic is not allowed by default in Android apps, and the API redirect causes the app to attempt to communicate with the API over cleartext HTTP.
Q: What is the impact of the HTTPS to HTTP redirect issue on Pano Scrobbler and WebScrobbler?
A: The HTTPS to HTTP redirect issue has a significant impact on Pano Scrobbler and WebScrobbler. Existing versions of these apps use a URL with the www prefix for login, which is equivalent to the last.fm URL. However, this URL currently returns a 404 error. The www prefix is likely to be removed in a future release of Pano, but the Libre.fm login is currently broken in these two apps.
Q: How can the HTTPS to HTTP redirect issue be resolved?
A: The HTTPS to HTTP redirect issue can be resolved by updating the Libre.fm API to not redirect from HTTPS to HTTP, or by updating the Android app to handle the redirect correctly. Additionally, the www prefix can be removed from the Libre.fm login URL in Pano Scrobbler and WebScrobbler.
Q: What are the recommendations for resolving the HTTPS to HTTP redirect issue?
A: The following recommendations can be made to resolve the HTTPS to HTTP redirect issue:
- Update the Libre.fm API to not redirect from HTTPS to HTTP.
- Update the Android app to handle the redirect correctly.
- Remove the www prefix from the Libre.fm login URL in Pano Scrobbler and WebScrobbler.
Q: What is the current status of the Libre.fm API?
A: The current status of the Libre.fm API is that it is redirecting from HTTPS to HTTP, causing problems for Android apps that use a webview for login and existing versions of Pano Scrobbler and WebScrobbler. However, the Libre.fm team is working to resolve this issue and update the API to not redirect from HTTPS to HTTP.
Q: How can users help resolve the HTTPS to HTTP redirect issue?
A: Users can help resolve the HTTPS to HTTP redirect issue by reporting the issue to the Libre.fm team and providing feedback on how to resolve it. Additionally, users can update their Android apps to handle the redirect correctly and remove the www prefix from the Libre.fm login URL in Pano Scrobbler and WebScrobbler.
Conclusion
The HTTPS to HTTP redirect issue on the Libre.fm API is a significant problem that affects Android apps that use a webview for login and existing versions of Pano Scrobbler and WebScrobbler. By understanding the issue and its impact, users can help resolve it by reporting the issue to the Libre.fm team and providing feedback on how to resolve it.