Skip to content

fix: Tag RSS feed ignores security token when password protection is enabled#4235

Merged
dgtlmoon merged 1 commit into
dgtlmoon:masterfrom
medzin:fix-rss-tag-token-auth
Jun 28, 2026
Merged

fix: Tag RSS feed ignores security token when password protection is enabled#4235
dgtlmoon merged 1 commit into
dgtlmoon:masterfrom
medzin:fix-rss-tag-token-auth

Conversation

@medzin

@medzin medzin commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Fixes #4234

Description:
When password protection is enabled on changedetection.io, accessing the tag-specific RSS feed (/rss/tag/[tag_name]?token=...) failed and returned a 302 redirect to the /login page. The issue occurred because the check_authentication() handler in flask_app.py explicitly checked for 'rss.feed' in the endpoint, inadvertently excluding the tag RSS endpoint (rss.rss_tag_feed).

Fix:
This PR updates the auth bypass check to request.blueprint == 'rss', ensuring all RSS endpoints can correctly bypass global authentication and handle URL-based token validation internally.

Testing:

  • Added a new reproduction test test_rss_tag_feed_ignores_security_token in tests/test_rss_tag_token.py to ensure this functionality stays intact.
  • Verified that all existing RSS tests continue to pass.

When password protection is enabled on changedetection.io, accessing the tag-specific RSS feed (`/rss/tag/[tag_name]?token=...`) failed and returned a 302 redirect to the `/login` page.

The bug was located in `changedetectionio/flask_app.py` in the `check_authentication()` before-request handler, which incorrectly checked `request.endpoint and 'rss.feed' in request.endpoint`. This logic worked for the main feed (`rss.feed`) but failed for other endpoints like the tag feed (`rss.rss_tag_feed`).

This commit updates the auth bypass to check if `request.blueprint == 'rss'` instead, allowing all RSS endpoints to handle token validation themselves via `validate_rss_token()`. A reproduction test `test_rss_tag_feed_ignores_security_token` has been added to verify the fix.
@dgtlmoon dgtlmoon merged commit 3f0d944 into dgtlmoon:master Jun 28, 2026
34 checks passed
@dgtlmoon

Copy link
Copy Markdown
Owner

Amazing! thanks so much!

@medzin medzin deleted the fix-rss-tag-token-auth branch June 28, 2026 09:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: Tag RSS feed ignores security token when password protection is enabled

2 participants