This repository has been archived by the owner on Dec 24, 2022. It is now read-only.

[Feature request] Support for HTTP authentication #44

Closed
Bishop341-B opened this issue Aug 16, 2015 · 10 comments
@Bishop341-B

Please add support for feeds with HTTP authentication. At least, trying to save the feed URL as "http://user:password@feedurl" doesn't work in 1.10.0.

@Etuldan
Owner

Etuldan commented Aug 16, 2015

Do you have an example of such a website?

Etuldan self-assigned this Aug 16, 2015
@Bishop341-B
Author

If you have a Gmail account, you can read feeds with your Gmail username (without @gmail.com) and password at the following URL:

https://gmail.google.com/gmail/feed/atom

Another way to test is to use these old, but seemingly functional, RSS feeds for testing purposes:

RSS with HTTP Auth, but no SSL -> http://labs.silverorange.com/local/solabs/rsstest/httpauth/rss_with_auth.xml
RSS with both SSL and HTTP Auth -> https://secure3.silverorange.com/rsstest/httpauth/rss_with_ssl_and_auth.xml

The username/password for the HTTP auth-protected feeds is: testuser/testpass

This comes from http://labs.silverorange.com/archive/2003/july/privaterss

Finally, if you make an account in Ogame (http://en.ogame.gameforge.com) and activate the RSS feed in the in-game options, you can get feeds to control game activities in your account (you can get them when spying on someone or constructing buildings, for example), using the URL given on that options page with your username and password. In this case the feed is RSS with HTTP Auth, but no SSL.

Sparse RSS 1.7 seems to log in on all of them when given the user and password in the URL, getting icons for each account and header texts, but doesn't get new feeds for any of them.

spaRSS gives a connection error on all of them, but gets icons for each account.

Using Thunderbird on the desktop, all feeds work.

Etuldan added bug and removed enhancement labels Aug 16, 2015
@Etuldan
Owner

Etuldan commented Aug 16, 2015

Thanks for the multiple examples and explanations.

@Jas2Ma

Jas2Ma commented Oct 29, 2015

+1 for solving this bug

@Etuldan
Owner

Etuldan commented Nov 22, 2015

According to this: "Sparse RSS 1.7 seems to log in on all of them when given the user and password in the URL, getting icons for each account and header texts, but doesn't get new feeds for any of them.", there are 2 possible issues.
The first one is the ability to give credentials for the HTTP Authentication.
The second one, unrelated to HTTP Authentication, is about some feeds that may not work.

I'll be able to fix the 1st one; you'll have to review it, if necessary, for the 2nd one (with links). I tried with the silverorange one and I have an issue, but it may be because the feed is 'older'.

@Bishop341-B
Author

Thanks for the progress on this. I can review by testing with my Gmail account. Sadly, Ogame has suspended RSS use.

Also note that, if possible, we should definitely not put credentials into the URL, for security reasons. Can HTTP Authentication in spaRSS work without credentials in the URL?

@Etuldan
Owner

Etuldan commented Nov 27, 2015

It will work with a new login/pass field (with the native Android password field, i.e. dots in place of characters).

@Etuldan
Owner

Etuldan commented Nov 28, 2015

About security concerning credentials:
The "login" will be visible in spaRSS in plaintext.
The "password" will be hidden in spaRSS.
As spaRSS uses a SQLite database, both of them will be stored in it as plaintext. However, as long as you don't give root permission to another app, only spaRSS will be able to read this database.

The OPML export will not include these credentials.
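
The design described in the comment above (login and password held in their own fields, nothing secret in the stored feed URL or the OPML export), as an added example that is not spaRSS code. The class and field names are hypothetical, and `java.util.Base64` assumes Java 8 or Android API 26+.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical helper, not spaRSS code: keeps credentials out of the stored feed URL.
public class FeedCredentials {
    public final String cleanUrl;  // safe to store as the feed URL, log, and export to OPML
    public final String login;     // null when the URL carried no userinfo
    public final String password;  // kept in its own column, never re-embedded in the URL

    private FeedCredentials(String c, String l, String p) { cleanUrl = c; login = l; password = p; }

    // Split "http(s)://user:pass@host/path" into a credential-free URL plus login/password.
    public static FeedCredentials fromUrl(String feedUrl) throws URISyntaxException {
        URI u = new URI(feedUrl);
        String scheme = u.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new URISyntaxException(feedUrl, "only http and https feeds are accepted");
        }
        if (u.getRawUserInfo() == null) {
            return new FeedCredentials(feedUrl, null, null);
        }
        // The authority starts right after "://" and the userinfo is its first component.
        int start = feedUrl.indexOf("://") + 3;
        String clean = feedUrl.substring(0, start)
                + feedUrl.substring(start + u.getRawUserInfo().length() + 1);
        String userInfo = u.getUserInfo();   // percent-decoded "login:password"
        int colon = userInfo.indexOf(':');   // RFC 7617: the login cannot contain ':'
        String login = colon < 0 ? userInfo : userInfo.substring(0, colon);
        String password = colon < 0 ? "" : userInfo.substring(colon + 1);
        return new FeedCredentials(clean, login, password);
    }

    // Value for the "Authorization" request header, or null for an unauthenticated feed.
    public String authorizationHeader() {
        if (login == null) return null;
        byte[] raw = (login + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed URL on a placeholder host; testuser/testpass are the thread's test credentials.
        FeedCredentials c = fromUrl("https://testuser:testpass@feeds.example.org/private/rss.xml?n=10");
        System.out.println("store/export: " + c.cleanUrl);
        System.out.println("login column: " + c.login);
        System.out.println("header sent:  " + c.authorizationHeader());
    }
}
```

Basic authentication only base64-encodes the credentials, so over a feed without SSL the header is readable on the network.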

@Bishop341-B
Author

What about just encrypting only the password field in the database?

Something like this (look at the code answer):
http://stackoverflow.com/questions/30431400/how-can-i-encrypt-particular-column-data-in-android-sqlite-data-base-using-sqlci

or this:

http://stackoverflow.com/questions/8066173/how-to-query-an-encrypted-field-in-sqlite

Update. This looks even better:

https://crackstation.net/hashing-security.htm

Etuldan pushed a commit that referenced this issue Nov 29, 2015
Credentials are stored as plaintext in the private SQLite DB and not included in the OPML export
@Etuldan
Owner

Etuldan commented Nov 29, 2015

In the new release :)
Thanks for the idea!
