homelab/compose/services/FreshRSS/API-STATUS.md

# FreshRSS API Status & Next Steps

## Current Configuration

✅ API enabled in FreshRSS
✅ API password set in user profile
✅ Tinyauth SSO removed
✅ Nginx configured with PATH_INFO
✅ Nginx configured to pass Authorization header
✅ Traefik configured to pass host header

## Issue

The API compatibility check still fails: `FAIL get HTTP Authorization header!`

This means the HTTP Authorization header isn't reaching PHP's `$_SERVER['HTTP_AUTHORIZATION']` variable.

## What We've Tried

1. ✅ Removed Tinyauth middleware (was blocking API)
2. ✅ Added fastcgi_param HTTP_AUTHORIZATION to nginx
3. ✅ Added PATH_INFO support (required by FreshRSS API)
4. ✅ Set API password in web interface
5. ✅ Configured Traefik pass host header

## The Root Cause

The nginx → PHP-FPM authorization header passthrough isn't working correctly in the LinuxServer.io FreshRSS image.

## Solution: Try Reeder Now Anyway

Even though the compatibility check fails, **Reeder might still work**. The check uses a different method than actual client authentication.

### Test in Reeder:

1. **Delete** existing FreshRSS account in Reeder
2. **Add New Account** → FreshRSS or Self-hosted
3. Enter:
   - Server: `https://feeds.fig.systems`
   - Username: `eddie`
   - Password: `[YOUR API PASSWORD FROM WEB INTERFACE]`
4. **Try to sync**

The password should be the one you typed into the "API password" field in FreshRSS Profile settings.

## Alternative: Use Fever API Instead

Fever API uses different authentication and might work better.

### Your Fever Settings:

**Fever API URL:** `https://feeds.fig.systems/api/fever.php`
**Fever Key:** `b82fc4a3c3ff610ff270798ef6f93b13`

### In Reeder:

1. **Add Account** → **Fever**
2. Server: `https://feeds.fig.systems/api/fever.php`
3. Email: `eddie`
4. Password: `[YOUR WEB PASSWORD]` ← Uses web password, NOT API password!

Fever API doesn't require the Authorization header in the same way, so it might bypass this nginx issue.

## If Both Fail: Advanced Fix Required

If neither Google Reader API nor Fever API works, we need to:

1. **Switch to official FreshRSS Docker image** (not LinuxServer.io)
   - Official image: `freshrss/freshrss:latest`
   - Has proper nginx config out of the box

2. **Or: Use Apache instead of nginx** in LinuxServer image
   - LinuxServer allows switching web servers
   - Apache handles Authorization headers differently

3. **Or: Check Traefik logs** to see if header is being stripped there
   ```bash
   docker logs traefik | grep -i authorization
   ```

## Recommended Action Plan

1. **TRY REEDER NOW** - might work despite compatibility check failure
2. **TRY FEVER API** - different auth method
3. **If both fail:** Check logs while attempting:
   ```bash
   tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/access.log
   ```
   Look for the API requests and their response codes

## Debug Commands

### Check what Reeder sends:
```bash
# Watch access log while connecting from Reeder
tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/access.log
```

### Test API manually:
```bash
# Replace with your actual API password
curl -v -d "Email=eddie" -d "Passwd=YOUR_API_PASSWORD" \
  "https://feeds.fig.systems/api/greader.php/accounts/ClientLogin"
```

### Test Fever API:
```bash
curl -v -d "api_key=b82fc4a3c3ff610ff270798ef6f93b13" \
  "https://feeds.fig.systems/api/fever.php?api"
```

## Sources & References

- [FreshRSS Authorization Header Issue #2308](https://github.com/FreshRSS/FreshRSS/issues/2308)
- [FreshRSS Apache/Nginx Configuration](https://freshrss.github.io/FreshRSS/en/admins/10_ServerConfig.html)
- [FreshRSS Mobile Access Guide](https://freshrss.github.io/FreshRSS/en/users/06_Mobile_access.html)
- [Nginx API 401 Discussion #6183](https://github.com/FreshRSS/FreshRSS/discussions/6183)

---

**Bottom Line:** Try Reeder with the API password now. If it doesn't work, try Fever API. Both might work even though the compatibility check fails.