RSS/Atom feed of restricted boards

FlatBoard 5.2.0

Hi,

I'm using FlatBoard as an internal forum for a small club.
For security reasons all boards and discussions (with one exception) are only visible to the club members with valid credentials.

I want to subscribe to the boards RSS/Atom feed but can't access other boards than the public one.
Tested with RSS Guard, Thunderbird and Firefox (in the form https://username:password@forumsite.bar/feed/rss).

Password is using chars, numbers and special chars.

Any hints for a solution would be appreciated.

Regards
Michael

Hi DoneAgain,

There are really two separate issues here, and you may be running into both at once.

First, If you’re still on 5.2.x, upgrading to 5.3.0 is worth it anyway: that branch includes several RSS/Atom improvements, including feed auto-discovery and better category feed URLs. 5.4.x goes further with feed date formatting and slug-based category URLs. Neither release fixes the authentication issue you’re describing, but it’s easier to debug feed behavior on a current version.

On the actual problem: start with the easy check. Special characters in the password can break URL parsing. A plain @ in the password can be interpreted as the separator between credentials and hostname, which silently truncates the rest. Percent-encode them in the URL: @ becomes %40, # becomes %23, : becomes %3A, and % becomes %25. For example, p@ss#word should become p%40ss%23word.

If it still doesn’t work after encoding, you’ve probably hit the real limitation: Flatboard uses session cookies, not HTTP Basic Auth. The user:pass@url trick sends an Authorization: Basic ... header, which Flatboard ignores; it doesn’t recognize that as a login, so you’ll still appear as a guest.

What can actually work is using an RSS reader that can keep an authenticated session cookie. FreshRSS and Miniflux both support feeds behind a login, and Thunderbird may also keep a session cookie if you log into the forum first through its built-in browser. The idea is to authenticate normally first and let the reader reuse the cookie, with no credentials embedded in the feed URL.

Hi Fred,

thanks for your quick reply!

First, If you’re still on 5.2.x, upgrading to 5.3.0 is worth it anyway: that branch includes several RSS/Atom improvements, including feed auto-discovery and better category feed URLs. 5.4.x goes further with feed date formatting and slug-based category URLs. Neither release fixes the authentication issue you’re describing, but it’s easier to debug feed behavior on a current version.

Will do during the coming Easter holidays.

On the actual problem: start with the easy check. Special characters in the password can break URL parsing. A plain @ in the password can be interpreted as the separator between credentials and hostname, which silently truncates the rest. Percent-encode them in the URL: @ becomes %40, # becomes %23, : becomes %3A, and % becomes %25. For example, p@ss#word should become p%40ss%23word.

That solved an aspect of the problem.
With URL encoding the special chars the Firefox AddOn "Want my RSS" doesn't show URL constructor errors anymore ("...is not a valid URL").

But alas still no restricted boards with the encoded credentials... neither in FireFox, nor in Thunderbird or RSSGuard.

If it still doesn’t work after encoding, you’ve probably hit the real limitation: Flatboard uses session cookies, not HTTP Basic Auth.

Looks like RSSGuard uses HTTP Basic Auth functionality when entering the credentials.
So I will check some other RSS clients (like QuiteRSS or Liferea).

I proceed after the update.

Happy Easter to you and your loved ones!

Regards
Michael

Hi Fred,

sorry for the delay.

I updated to Flatboard 5.5.1.

As expected, RSS is still not working with HTTP Authentication, so RSSGuard, QuiteRSS, Liferea, Thunderbird etc. are no suitable RSS clients.

Using FreshRSS or MiniFlux is not an option for me.

It's not a showstopper for using Flatboard but I strongly suggest to implement HTTP Auth because without this maybe 90% of users interested in RSS can't and won't use it.

Update to 5.5.1 worked hassle-free and like a charm!
Really a nice piece of software!

Regards
Michael

DoneAgain

This was added in 5.4.0 as a Pro feature. You're on 5.5.1, so it's already there.
Go to Profile → Settings → Security → API Token and generate a token. Copy it immediately it's displayed once. Then add ?token=YOUR_TOKEN to any feed URL:

With a valid token, the feed includes restricted boards too anything your account can access based on group membership. Wrong or missing token? It just returns public
content, no error.
You can test right here on this forum: generate your token and open https://flatboard.org/rss?token=YOUR_TOKEN in your reader. Restricted discussions should appear.
One thing to check: this is Pro only. On Community, ?token= does nothing at all, which would explain why 5.5.1 didn't help if that's your edition.
RSS Guard, Thunderbird, anything that accepts a plain URL works fine. No special auth configuration the token is just in the URL.