Fixup tests

CHANGELOG

@@ -1,145 +0,0 @@
-[0.1.0]
-* Initial version
-
-[0.2.0]
-* Updated to base image 0.10.0
-* Supporting extensions
-
-[0.3.0]
-* No longer overwriting all config changes
-* Using cli scripts
-* Using scheduler for periodic task
-* Removed update menu item
-
-[0.4.0]
-* Updated to FreshRSS 1.6.3
-* Removed most custom patches (FreshRSS includes those now)
-
-[0.4.1]
-* Add parameter to allow for encoded slashes (thanks @Richard)
-* Updated description (thanks @Girish)
-
-[0.5.0]
-* Not using mysql port as this causes an error
-* Storing sessions in /run
-* Storing api logs in /tmp
-* Set some php options
-
-[0.6.0]
-* Updated to FreshRSS 1.7.0
-
-[0.7.0]
-* Updated to FreshRSS 1.8.0
-
-[0.8.0]
-* Update to FreshRSS 1.9.0
-
-[0.9.0]
-* Update to FreshRSS 1.10.2
-
-[0.10.0]
-* Better apache configs
-* Update extensions
-
-[1.0.0]
-* Fix issue where static extension assets were not served
-
-[1.1.0]
-* Update FreshRSS to 1.11.0
-
-[1.1.1]
-* Update FreshRSS to to 1.11.1
-
-[1.1.2]
-* Update FreshRSS to 1.11.2
-
-[1.2.0]
-* Use latest base image
-
-[1.3.0]
-* Update FreshRSS to 1.12.0
-* Features
-  * Ability to add labels (custom tags) to articles #928
-  * Handle article tags containing spaces, as well as comma-separated tags #2023
-  * Handle authors containing spaces, as well as comma or semi-colon separated authors #2025
-  * Searches by tag, author, etc. accept Unicode characters #2025
-  * New option to disable cache for feeds with invalid HTTP caching #2052
-* UI
-  * New theme Swage #2069
-  * Click on authors to initiate a search by author #2025
-  * Fix CSS for button alignments in older Chrome versions #2020
-* Security
-  * Improved flow for password change (avoid error 403) #2056
-  * Allow dot . in username (best to avoid, though) #2061
-* Performance
-  * Remove some counterproductive preload / prefetch rules #2040
-  * Improved fast flush (earlier transfer, fetching of resources, and rendering) #2045
-
-[1.4.0]
-* Update FreshRSS to 1.13.0
-* [Full changelog](https://github.com/FreshRSS/FreshRSS/blob/1.13.0/CHANGELOG.md)
-* Improvements to the Google Reader API #2093
-* Support for Vienna RSS (client for Mac OS X) #2091
-* Ability to import XML files exported from Tiny-Tiny-RSS #2079
-* Ability to show all the feeds that have a warning #2146
-* Share with Pinboard #1972
-
-[1.5.0]
-* Fix security issue where root directory was exposed
-* Enable mod rewrite for mobile apps like FeedMe to work
-
-[1.5.1]
-* Update FreshRSS to 1.13.1
-
-[1.6.0]
-* Update FreshRSS to 1.14.0
-* Update extensions to 0812ee05c24c
-
-[1.6.1]
-* Update FreshRSS to 1.14.1
-* Fix load more articles when using ascending order #2314
-* Fix the use of arrow keyboard keys for shortcuts #2316
-* Fix control+click or middle-click for opening articles in a background tab #2310
-* Fix the naming of the option to unfold categories #2307
-* Fix shortcut problem when using unfolded articles #2328
-* Fix auto-hiding articles #2323
-* Fix scroll functions with Edge #2337
-* Fix drop-down menu warning #2353
-* Fix delay for individual mark-as-read actions #2332
-* Fix scroll functions in Edge #2337
-
-[1.6.2]
-* Update FreshRSS to 1.14.2
-* Fix minor code syntax warning in API #2362
-
-[1.6.3]
-* Update FreshRSS to 1.14.3
-* New configuration page for each category #2369
-* Update shortcut configuration page #2405
-* CSS style for printing #2149
-* Do not hide multiple <br /> tags #2437
-* Updated to jQuery 3.4.1 (only for statistics page) #2424
-
-[1.7.0]
-* Update FreshRSS to 1.15.0
-* New archiving method, including maximum number of articles per feed, and settings at feed, category, global levels #2335
-* New option to control category sort order #2592
-* New option to display article authors underneath the article title #2487
-* Add e-mail capability #2476, #2481
-* Ability to define default user settings in data/config-user.custom.php #2490
-* Including default feeds #2515
-* Allow recreating users if they still exist in database #2555
-* Add optional database connection URI parameters #2549, #2559
-* Allow longer articles with MySQL / MariaDB (up to 16MB compressed instead of 64kB) #2448
-* Add support for terms of service #2520
-* Add sharing with Lemmy #2510
-
-[1.7.1]
-* Update FreshRSS to 1.15.1
-
-[1.7.2]
-* Update FreshRSS to 1.15.2
-
-[1.7.3]
-* Update FreshRSS to 1.15.3
-

CHANGELOG.md

@@ -0,0 +1,297 @@
+[0.1.0]
+* Initial version
+
+[0.2.0]
+* Updated to base image 0.10.0
+* Supporting extensions
+
+[0.3.0]
+* No longer overwriting all config changes
+* Using cli scripts
+* Using scheduler for periodic task
+* Removed update menu item
+
+[0.4.0]
+* Updated to FreshRSS 1.6.3
+* Removed most custom patches (FreshRSS includes those now)
+
+[0.4.1]
+* Add parameter to allow for encoded slashes (thanks @Richard)
+* Updated description (thanks @Girish)
+
+[0.5.0]
+* Not using mysql port as this causes an error
+* Storing sessions in /run
+* Storing api logs in /tmp
+* Set some php options
+
+[0.6.0]
+* Updated to FreshRSS 1.7.0
+
+[0.7.0]
+* Updated to FreshRSS 1.8.0
+
+[0.8.0]
+* Update to FreshRSS 1.9.0
+
+[0.9.0]
+* Update to FreshRSS 1.10.2
+
+[0.10.0]
+* Better apache configs
+* Update extensions
+
+[1.0.0]
+* Fix issue where static extension assets were not served
+
+[1.1.0]
+* Update FreshRSS to 1.11.0
+
+[1.1.1]
+* Update FreshRSS to to 1.11.1
+
+[1.1.2]
+* Update FreshRSS to 1.11.2
+
+[1.2.0]
+* Use latest base image
+
+[1.3.0]
+* Update FreshRSS to 1.12.0
+* Features
+  * Ability to add labels (custom tags) to articles #928
+  * Handle article tags containing spaces, as well as comma-separated tags #2023
+  * Handle authors containing spaces, as well as comma or semi-colon separated authors #2025
+  * Searches by tag, author, etc. accept Unicode characters #2025
+  * New option to disable cache for feeds with invalid HTTP caching #2052
+* UI
+  * New theme Swage #2069
+  * Click on authors to initiate a search by author #2025
+  * Fix CSS for button alignments in older Chrome versions #2020
+* Security
+  * Improved flow for password change (avoid error 403) #2056
+  * Allow dot . in username (best to avoid, though) #2061
+* Performance
+  * Remove some counterproductive preload / prefetch rules #2040
+  * Improved fast flush (earlier transfer, fetching of resources, and rendering) #2045
+
+[1.4.0]
+* Update FreshRSS to 1.13.0
+* [Full changelog](https://github.com/FreshRSS/FreshRSS/blob/1.13.0/CHANGELOG.md)
+* Improvements to the Google Reader API #2093
+* Support for Vienna RSS (client for Mac OS X) #2091
+* Ability to import XML files exported from Tiny-Tiny-RSS #2079
+* Ability to show all the feeds that have a warning #2146
+* Share with Pinboard #1972
+
+[1.5.0]
+* Fix security issue where root directory was exposed
+* Enable mod rewrite for mobile apps like FeedMe to work
+
+[1.5.1]
+* Update FreshRSS to 1.13.1
+
+[1.6.0]
+* Update FreshRSS to 1.14.0
+* Update extensions to 0812ee05c24c
+
+[1.6.1]
+* Update FreshRSS to 1.14.1
+* Fix load more articles when using ascending order #2314
+* Fix the use of arrow keyboard keys for shortcuts #2316
+* Fix control+click or middle-click for opening articles in a background tab #2310
+* Fix the naming of the option to unfold categories #2307
+* Fix shortcut problem when using unfolded articles #2328
+* Fix auto-hiding articles #2323
+* Fix scroll functions with Edge #2337
+* Fix drop-down menu warning #2353
+* Fix delay for individual mark-as-read actions #2332
+* Fix scroll functions in Edge #2337
+
+[1.6.2]
+* Update FreshRSS to 1.14.2
+* Fix minor code syntax warning in API #2362
+
+[1.6.3]
+* Update FreshRSS to 1.14.3
+* New configuration page for each category #2369
+* Update shortcut configuration page #2405
+* CSS style for printing #2149
+* Do not hide multiple <br /> tags #2437
+* Updated to jQuery 3.4.1 (only for statistics page) #2424
+
+[1.7.0]
+* Update FreshRSS to 1.15.0
+* New archiving method, including maximum number of articles per feed, and settings at feed, category, global levels #2335
+* New option to control category sort order #2592
+* New option to display article authors underneath the article title #2487
+* Add e-mail capability #2476, #2481
+* Ability to define default user settings in data/config-user.custom.php #2490
+* Including default feeds #2515
+* Allow recreating users if they still exist in database #2555
+* Add optional database connection URI parameters #2549, #2559
+* Allow longer articles with MySQL / MariaDB (up to 16MB compressed instead of 64kB) #2448
+* Add support for terms of service #2520
+* Add sharing with Lemmy #2510
+
+[1.7.1]
+* Update FreshRSS to 1.15.1
+
+[1.7.2]
+* Update FreshRSS to 1.15.2
+
+[1.7.3]
+* Update FreshRSS to 1.15.3
+
+[1.8.0]
+* Update FreshRSS to 1.16.0
+* [Full changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.16.0)
+* Allow multiple users to have administration rights #2096
+* Preview the CSS rule to retrieve full article content #2778
+* Improve CSS selector ordering in the full-text retrieval (lib_phpQuery) #2874
+* New search option !date: allowing to exclude any date interval #2869
+* New option to show all articles in the favourites view #2434
+* Allow feed to be actualized just after being truncated #2862
+* Fallback to showing a GUID when an article title is empty #2813
+
+[1.9.0]
+* Use latest base image 2.0.0
+
+[1.9.1]
+* Update FreshRSS to 1.16.2
+* [Full changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.16.1)
+* Add the possibility to filter by feed IDs #2892
+  * like f:123 more-search or multiple feed IDs like f:123,234,345 more-search or an exclusion like !f:456,789 more-search
+* Show users last activity date #2936
+* Ability to follow HTML redirections when retrieving full article content #2985
+
+[1.10.0]
+* Add forum url and update screenshot links
+
+[1.11.0]
+* Update FreshRSS to 1.17.0
+* [Full changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.17.0)
+* New tag management page #3121
+* New page to add feeds and categories #3027
+* Add a way to disable/enable users #3056
+* Fix special characters in user queries #3037
+* Hide feed credentials when adding a new feed #3099
+* Trim whitespace for feed passwords #3158
+* Updated PHPMailer library to 6.1.6 #3024
+* Add blogger.com to the default list of forced HTTPS #3088
+
+[1.12.0]
+* Update base image to v3
+* Update PHP to 7.4
+
+[1.13.0]
+* Update FreshRSS to 1.18.0
+* [Full changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.18.0)
+* Allow parallel requests #3096 - Much faster manual feeds refresh
+* Reload full article content when an article has changed #3506
+* New share article link to clipboard #3330
+* Improved OPML import of feeds with multiple categories #3286
+* Add a content action parameter to work with CSS selector #3453
+* New cURL options per feed: proxy, cookie, user-agent #3367, #3494, #3516
+* Do not import feeds causing database errors (e.g. due to conflicting HTTP redirections) ##3347
+
+[1.13.1]
+* Fix apache config to log the client IP
+
+[1.13.2]
+* Update FreshRSS to 1.18.1
+* Support standard HTTP 410 Gone by disabling (muting) gone feeds #3561
+* Supported by Newsboat 2.24+ #3574
+* Supported by RSS Guard #3627
+* Allow Unicode for shortcuts #3548
+
+[1.14.0]
+* Update FreshRSS to 1.19.0
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.19.0)
+
+[1.14.1]
+* Update FreshRSS to 1.19.1
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.19.1)
+
+[1.14.2]
+* Update apache configs
+
+[1.14.3]
+* Update FreshRSS to 1.19.2
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.19.2)
+* Improve dropdown menus on mobile view #4141, #4128
+* Fix regression regarding keeping read state after seeing favourites / labels #4178
+* Lots of code improvements, including improved support of PHP 8.1
+
+[1.15.0]
+* Update FreshRSS to 1.20.0
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.0)
+* New Web scraping feature HTML+XPath for Web pages without any RSS/ATOM feed #4220
+* Add support for Dynamic OPML #4407
+* New search engine supporting (nested) parentheses, also with negation #4378
+* Allow many (50k+) feeds #4347 and other performance improvements
+* New option to exclude some DOM elements with a CSS Selector when retrieving an article full content #4501
+* New option to automatically mark as read gone articles #4426
+* 2 new themes and plenty of UI improvements
+* Supported by Fluent Reader Lite client on Android and iOS #4595
+* Several bug fixes
+
+[1.15.1]
+* Update FreshRSS to 1.20.1
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.1)
+* Add support for custom XPath date/time format #4703
+* Add default redirect when authenticating #4778
+* Force default user before rendering login page #4620
+
+[1.15.2]
+* Update FreshRSS to 1.20.2
+* Update Cloudron base image to 4.0.0
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.20.2)
+* Fix security vulnerability in ext.php #4928 reported by @c3l3si4n
+
+[1.15.3]
+* Update FreshRSS extensions repo to f66efcf5f
+
+[1.16.0]
+* Update FreshRSS to 1.21.1
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.21.0)
+* New XML+XPath mode for fetching XML documents when there is no RSS/ATOM feed #5076
+* Better support of feed enclosures (image / audio / video attachments) #4944
+* User-defined time-zone #4906
+* New CLI script cli/sensitive-log.sh to help e.g. Apache clear logs for sensitive information such as credentials #5001
+* Mark some themes as tentatively deprecated: BlueLagoon, Flat, Screwdriver #4807
+* Many UI improvements
+
+[1.17.0]
+* Update base image to 4.2.0
+
+[1.18.0]
+* Update FreshRSS to 1.22.0
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.22.0)
+* Rework trusted proxies
+* Improve scaling with many feeds and long processes, reduce database locks
+* Fix many bugs and regressions
+* Improve themes Origine (also with automatic dark mode), Nord, etc.
+* Several UI / UX improvements
+* New languages Hungarian, Latvian, Persian
+
+[1.19.0]
+* Implement OIDC login
+
+[1.19.1]
+* Update FreshRSS to 1.22.1
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.22.1)
+* Fix regression in extensions translations (i18n)
+* Better identification of proxied client IP
+
+[1.20.0]
+* Update FreshRSS to 1.23.0
+* [Full Changelog](https://github.com/FreshRSS/FreshRSS/releases/tag/1.23.0)
+* New Important feeds group in the main view, with corresponding new priority level for feeds #5782
+* Entries from important feeds are not marked as read during scroll, during focus, nor during Mark all as read
+* Add filter actions (auto mark as read) at category level and at global levels #5942
+* Increase SQL fields length to maximum possible #5788, #5570
+* Many bug fixes
+* Soft require Apache 2.4+ (but repair minimal compatibility with Apache 2.2)
+* Upgraded extensions require FreshRSS 1.23.0+ Extensions#181
+

CloudronManifest.json

@@ -3,37 +3,34 @@
   "title": "FreshRSS",
   "author": "FreshRSS Developers",
   "description": "file://DESCRIPTION.md",
-  "changelog": "file://CHANGELOG",
+  "changelog": "file://CHANGELOG.md",
   "tagline": "RSS feed reader",
-  "version": "1.7.3",
+  "version": "1.20.0",
+  "upstreamVersion": "1.23.0",
   "healthCheckPath": "/",
   "httpPort": 8000,
   "addons": {
     "localstorage": {},
     "mysql": {},
+    "oidc": { "loginRedirectUri": "/i/oidc/" },
     "scheduler": {
       "update_feeds": {
         "schedule": "*/1 * * * *",
-        "command": "/usr/local/bin/gosu www-data:www-data php /app/code/app/actualize_script.php"
+        "command": "echo '==> Run actualize script' && /usr/local/bin/gosu www-data:www-data php /app/code/app/actualize_script.php"
       }
     }
   },
-  "manifestVersion": 1,
+  "manifestVersion": 2,
   "website": "http://www.freshrss.org",
   "contactEmail": "support@cloudron.io",
   "icon": "logo.png",
-  "tags": [
-    "rss",
-    "atom",
-    "greader",
-    "reader",
-    "news",
-    "feeds"
-  ],
+  "tags": [ "rss", "atom", "greader", "reader", "news", "feeds", "feedly" ],
   "mediaLinks": [
-    "https://s3.amazonaws.com/cloudron-app-screenshots/org.freshrss.cloudronapp/7d731e71a6faa3791e19b7d7daf468a9486349cc/1.png"
+    "https://screenshots.cloudron.io/org.freshrss.cloudronapp/1.png"
   ],
   "postInstallMessage": "file://POSTINSTALL.md",
-  "minBoxVersion": "2.0.0",
-  "documentationUrl": "https://cloudron.io/documentation/apps/freshrss/"
+  "minBoxVersion": "7.5.1",
+  "forumUrl": "https://forum.cloudron.io/category/27/freshrss",
+  "documentationUrl": "https://cloudron.io/documentation/apps/freshrss/",
+  "optionalSso": true
 }

DESCRIPTION.md

@@ -1,4 +1,4 @@
-This app packages FreshRSS <upstream>1.15.3</upstream>.
+## About
 
 FreshRSS is a self-hosted RSS feed aggregator such as Leed or Kriss Feed.
 
@@ -6,12 +6,13 @@ It is at the same time lightweight, easy to work with, powerful and customizable
 
 It is a multi-user application with an anonymous reading mode. It supports PubSubHubbub for instant notifications from compatible Web sites. There is an API for (mobile) clients, and a Command-Line Interface. Finally, it supports extensions for further tuning.
 
-### Extensions
+## Extensions
+
 FreshRSS supports further customizations by adding extensions on top of its core functionality.
 See the [repository dedicated to those extensions](https://github.com/FreshRSS/Extensions).
 
 
-### Compatible clients
+## Compatible clients
 Any client supporting a Google Reader-like API. Selection:
 
 * Android
@@ -19,3 +20,6 @@ Any client supporting a Google Reader-like API. Selection:
 	* [EasyRSS](https://github.com/Alkarex/EasyRSS) (Open source, F-Droid)
 * Linux
 	* [FeedReader 2.0+](https://jangernert.github.io/FeedReader/) (Open source)
+* Mac/iOS
+    * [Reeder](https://reederapp.com/)
+

Dockerfile

@@ -1,15 +1,16 @@
-FROM cloudron/base:1.0.0@sha256:147a648a068a2e746644746bbfb42eb7a50d682437cead3c67c933c546357617
+FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
+
+RUN apt-get update && apt-get install --no-install-recommends -y libapache2-mod-auth-openidc && rm -rf /var/cache/apt /var/lib/apt/lists
 
 RUN mkdir -p /app/code
 WORKDIR /app/code
 
-ARG VERSION=1.15.3
-RUN curl -L https://github.com/FreshRSS/FreshRSS/archive/${VERSION}.tar.gz | tar -zxvf - --strip-components=1
+ARG VERSION=1.22.1
+RUN curl -L https://github.com/FreshRSS/FreshRSS/archive/${VERSION}.tar.gz | tar -zxvf - --strip-components=1 && \
+    mv data data-orig && ln -s /app/data data
 
-RUN mv data data-orig && ln -s /app/data data
-
-# official extensions
-RUN wget https://github.com/FreshRSS/Extensions/archive/cd390eb8d1c950bbefacc986da700959c2bddd37.tar.gz -O - | tar -xz --strip-components=1 -C /app/code/extensions && \
+# official extensions (https://github.com/FreshRSS/Extensions/commits/master)
+RUN wget https://github.com/FreshRSS/Extensions/archive/8af0d55265ffa03de22ee62b2ae175b3cb038a3c.tar.gz -O - | tar -xz --strip-components=1 -C /app/code/extensions && \
     mv /app/code/extensions /app/code/extensions-orig && \
     ln -s /app/data/extensions /app/code/extensions
 
@@ -22,16 +23,19 @@ RUN a2disconf other-vhosts-access-log
 ADD apache/freshrss.conf /etc/apache2/sites-enabled/freshrss.conf
 RUN echo "Listen 8000" > /etc/apache2/ports.conf
 
-RUN a2enmod headers expires deflate mime dir rewrite setenvif
+RUN a2enmod headers expires deflate mime dir rewrite setenvif auth_openidc
 
 RUN rm -rf /var/lib/php && ln -s /run/php /var/lib/php
 
-RUN crudini --set /etc/php/7.2/apache2/php.ini PHP upload_max_filesize 64M && \
-    crudini --set /etc/php/7.2/apache2/php.ini PHP post_max_size 64M && \
-    crudini --set /etc/php/7.2/apache2/php.ini PHP memory_limit 64M && \
-    crudini --set /etc/php/7.2/apache2/php.ini Session session.save_path /run/php/session && \
-    crudini --set /etc/php/7.2/apache2/php.ini Session session.gc_probability 1 && \
-    crudini --set /etc/php/7.2/apache2/php.ini Session session.gc_divisor 100
+RUN crudini --set /etc/php/8.1/apache2/php.ini PHP upload_max_filesize 64M && \
+    crudini --set /etc/php/8.1/apache2/php.ini PHP post_max_size 64M && \
+    crudini --set /etc/php/8.1/apache2/php.ini PHP memory_limit 64M && \
+    crudini --set /etc/php/8.1/apache2/php.ini Session session.save_path /run/php/session && \
+    crudini --set /etc/php/8.1/apache2/php.ini Session session.gc_probability 1 && \
+    crudini --set /etc/php/8.1/apache2/php.ini Session session.gc_divisor 100
+
+RUN ln -s /app/data/php.ini /etc/php/8.1/apache2/conf.d/99-cloudron.ini && \
+    ln -s /app/data/php.ini /etc/php/8.1/cli/conf.d/99-cloudron.ini
 
 ADD start.sh /app/code/start.sh
 

POSTINSTALL.md

@@ -1,10 +1,16 @@
-This application does not integrate with Cloudron authentication.
+<sso>
+On first visit, sign in using the built-in Cloudron authentication and then make the user administrator
+by running:
+```
+php cli/reconfigure.php --default_user YOUR_USERNAME
+```
+</sso>
 
-There is a preconfigured administrator account with the following credentials:
+<nosso>
+This app is pre-setup with an admin account. The initial credentials are:
   
-* Username: `admin`
-* Password: `changeme`
+**Username**: admin<br/>
+**Password**: changeme<br/>
 
-(Please change that password on first login)
-
-You can create more accounts withing the app when logged in as administrator.
+Please change the admin password immediately.
+</nosso>

apache/freshrss.conf

@@ -1,18 +1,55 @@
+# https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/FreshRSS.Apache.conf
+
+ServerName %{HTTP_HOST}
+
 <VirtualHost *:8000>
     DocumentRoot /app/code/p
     AllowEncodedSlashes On
 
-    ErrorLog /dev/stderr 
-    CustomLog /dev/stdout combined
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
+    CustomLog "|/bin/cat" proxy
+    ErrorLog "|/bin/cat"
 
     <Directory /app/code/p/>
         Options +FollowSymLinks
         AllowOverride All
         Require all granted
-
-        <IfModule mod_php7.c>
-            php_value memory_limit 64m
-        </IfModule>
-
     </Directory>
+
+    <Directory /app/code/p/api>
+        Include /app/code/p/api/.htaccess
+    </Directory>
+
+    <Directory /app/code/p/i>
+        ExpiresActive Off
+
+        <IfDefine OIDC_ENABLED>
+            AuthType openid-connect
+            Require valid-user
+        </IfDefine>
+        IncludeOptional /app/code/p/i/.htaccess
+    </Directory>
+
+    <Directory /app/code/p/themes>
+        Include /app/code/p/themes/.htaccess
+    </Directory>
+
+
+    <IfDefine OIDC_ENABLED>
+        OIDCProviderMetadataURL ${CLOUDRON_OIDC_DISCOVERY_URL}
+        OIDCClientID ${CLOUDRON_OIDC_CLIENT_ID}
+        OIDCClientSecret ${CLOUDRON_OIDC_CLIENT_SECRET}
+
+        OIDCRedirectURI /i/oidc/
+
+        OIDCCryptoPassphrase ${OIDC_CRYPTO_PASSPHRASE}
+
+        OIDCRemoteUserClaim sub
+
+        OIDCScope "openid profile email"
+
+        OIDCRefreshAccessTokenBeforeExpiry 30
+        OIDCPassClaimsAs headers
+        OIDCXForwardedHeaders X-Forwarded-Proto
+    </IfDefine>
 </VirtualHost>

apache/mpm_prefork.conf

@@ -9,7 +9,7 @@
 	MaxSpareServers 3
 
     # Maximum number of servers at any given instant. Requests will be queued after this
-	MaxRequestWorkers	  6
+	MaxRequestWorkers	  10
 
     # Recycle process after handling these many requests. This protected against accidental memory leaks
 	MaxConnectionsPerChild   100

start.sh

@@ -2,22 +2,30 @@
 
 set -eu
 
-mkdir -p /run/php/session
+mkdir -p /run/php/session /app/data/extensions
 
 if ! [ -f /app/data/.installed ]; then
     echo "==> Fresh installation, setting up..."
     rsync -a /app/code/data-orig/ /app/data/
     php cli/do-install.php \
       --environment production --default_user admin \
-      --db-type mysql --db-host "${MYSQL_HOST}" \
-      --db-user "${MYSQL_USERNAME}" --db-password "${MYSQL_PASSWORD}" \
-      --db-base "${MYSQL_DATABASE}" --db-prefix "" \
+      --db-type mysql --db-host "${CLOUDRON_MYSQL_HOST}" \
+      --db-user "${CLOUDRON_MYSQL_USERNAME}" --db-password "${CLOUDRON_MYSQL_PASSWORD}" \
+      --db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
       --disable_update
-    php cli/create-user.php --user admin --password changeme --language en
+
+    if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+        php cli/create-user.php --user admin --password changeme --language en
+    fi
+
     touch /app/data/.installed
     echo "==> Done."
 fi
 
+if [[ ! -f /app/data/php.ini ]]; then
+    echo -e "; Add custom PHP configuration in this file\n; Settings here are merged with the package's built-in php.ini\n\n" > /app/data/php.ini
+fi
+
 echo "==> Symlinking log file"
 rm -f /app/data/users/_/log_api.txt
 touch /tmp/log_api.txt
@@ -25,17 +33,24 @@ ln -s /tmp/log_api.txt /app/data/users/_/log_api.txt
 
 # We have to copy instead of symlinking extensions (see #2)
 echo "==> Copying packaged extensions"
-mkdir -p /app/data/extensions
 for f in $(ls /app/code/extensions-orig); do
     rm -rf "/app/data/extensions/$f"
     cp -r "/app/code/extensions-orig/$f" "/app/data/extensions"
 done
 
 echo "==> Updating config file"
-php cli/reconfigure.php --default_user admin --base_url "https://${APP_DOMAIN}" \
-    --db-type mysql --db-host "${MYSQL_HOST}" \
-    --db-user "${MYSQL_USERNAME}" --db-password "${MYSQL_PASSWORD}" \
-    --db-base "${MYSQL_DATABASE}" --db-prefix "" \
+if [[ -z "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+    extra_args="--default_user admin"
+    [[ ! -f /app/data/.oauth_crypto_passphrase ]] && openssl rand -base64 42 > /app/data/.oauth_crypto_passphrase
+    export OIDC_CRYPTO_PASSPHRASE=$(</app/data/.oauth_crypto_passphrase) # used in apache config
+else
+    extra_args="--auth_type http_auth"
+fi
+
+php cli/reconfigure.php ${extra_args} --base_url "https://${CLOUDRON_APP_DOMAIN}" \
+    --db-type mysql --db-host "${CLOUDRON_MYSQL_HOST}" \
+    --db-user "${CLOUDRON_MYSQL_USERNAME}" --db-password "${CLOUDRON_MYSQL_PASSWORD}" \
+    --db-base "${CLOUDRON_MYSQL_DATABASE}" --db-prefix "" \
     --disable_update
 
 echo "==> Setting permissions"
@@ -44,4 +59,4 @@ chown -R www-data.www-data /run/php /app/data /tmp/log_api.txt
 echo "==> Starting apache"
 APACHE_CONFDIR="" source /etc/apache2/envvars
 rm -f "${APACHE_PID_FILE}"
-exec /usr/sbin/apache2 -DFOREGROUND
+exec /usr/sbin/apache2 -D FOREGROUND $([[ -n "$CLOUDRON_OIDC_ISSUER" ]] && echo '-D OIDC_ENABLED')

test/package.json

@@ -9,14 +9,10 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "chromedriver": "^2.38.3",
-    "ejs": "^2.4.2",
+    "chromedriver": "^120.0.1",
     "expect.js": "^0.3.1",
-    "mkdirp": "^0.5.1",
-    "mocha": "^2.5.3",
-    "rimraf": "^2.5.3",
-    "selenium-server-standalone-jar": "^2.53.1",
-    "selenium-webdriver": "^2.53.3",
-    "superagent": "^1.8.5"
+    "mocha": "^10.2.0",
+    "selenium-webdriver": "^4.16.0",
+    "superagent": "^8.1.2"
   }
 }

test/test.js

@@ -1,57 +1,58 @@
 #!/usr/bin/env node
 
+/* jshint esversion: 8 */
+/* global describe */
+/* global before */
+/* global after */
+/* global it */
+/* global xit */
+
 'use strict';
 
 require('chromedriver');
 
-var execSync = require('child_process').execSync,
+const execSync = require('child_process').execSync,
     expect = require('expect.js'),
     path = require('path'),
     superagent = require('superagent'),
-    webdriver = require('selenium-webdriver');
+    { Builder, By, Key, until } = require('selenium-webdriver'),
+    { Options } = require('selenium-webdriver/chrome');
 
-var by = webdriver.By,
-    until = webdriver.until;
-
-var username = 'admin',
-    password = 'changeme';
-
-process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+const admin_username = 'admin', admin_password = 'changeme';
 
+if (!process.env.USERNAME || !process.env.PASSWORD) {
+    console.log('USERNAME and PASSWORD env vars need to be set');
+    process.exit(1);
+}
 
 describe('Application life cycle test', function () {
     this.timeout(0);
 
-    var chrome = require('selenium-webdriver/chrome');
-    var server, browser = new chrome.Driver();
+    const LOCATION = 'test';
+    const TEST_TIMEOUT = parseInt(process.env.TIMEOUT, 10) || 10000;
+    const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
 
-    before(function (done) {
-        var seleniumJar= require('selenium-server-standalone-jar');
-        var SeleniumServer = require('selenium-webdriver/remote').SeleniumServer;
-        server = new SeleniumServer(seleniumJar.path, { port: 4444 });
-        server.start();
+    const USERNAME = process.env.USERNAME;
+    const PASSWORD = process.env.PASSWORD;
 
-        done();
+    let browser, app;
+    let athenticated_by_oidc = false;
+
+    before(function () {
+        const options = new Options().windowSize({ width: 1280, height: 1024 });
+        if (process.env.HEADLESS) options.addArguments('headless');
+
+        browser = new Builder().forBrowser('chrome').setChromeOptions(options).build();
     });
 
-    after(function (done) {
+    after(function () {
         browser.quit();
-        server.stop();
-        done();
     });
 
-    var LOCATION = 'test';
-    var TEST_TIMEOUT = 10000;
-    var app;
-
-    function exists(selector) {
-        return browser.wait(until.elementLocated(selector), TEST_TIMEOUT);
-    }
-
-    function visible(selector, callback) {
-        return exists(selector).then(function () {
-            return browser.wait(until.elementIsVisible(browser.findElement(selector)), TEST_TIMEOUT);
-        });
+    function getAppInfo() {
+        var inspect = JSON.parse(execSync('cloudron inspect'));
+        app = inspect.apps.filter(function (a) { return a.location.indexOf(LOCATION) === 0; })[0];
+        expect(app).to.be.an('object');
     }
 
     function baseUrl() {
@@ -59,205 +60,174 @@ describe('Application life cycle test', function () {
         return `https://${app.fqdn}`;
     }
 
-    // we do this because it perm redirects to /p/ in old versions
-    function clearCache() {
-        // https://stackoverflow.com/questions/49614217/selenium-clear-chrome-cache
-        // defaut clearance is 1 hour of cache
-        return browser.get('chrome://settings/clearBrowserData').then(function () {
-            return visible(by.css('* /deep/ #clearBrowsingDataConfirm'));
-        }).then(function () {
-            return browser.findElement(by.css('* /deep/ #clearBrowsingDataConfirm')).click();
-        }).then(function () {
-            return browser.sleep(5000);
-        });
+    async function waitForElement(elem) {
+        await browser.wait(until.elementLocated(elem), TEST_TIMEOUT);
+        await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
     }
 
-    function login(password, callback) {
-        browser.get('https://' + app.fqdn).then(function () {
-            return visible(by.id('loginButton'));
-        }).then(function () {
-            return browser.findElement(by.id('username')).sendKeys(username);
-        }).then(function () {
-            return browser.findElement(by.id('passwordPlain')).sendKeys(password);
-        }).then(function () {
-            return browser.findElement(by.id('loginButton')).click();
-        }).then(function () {
-            return browser.wait(until.elementLocated(by.id('dropdown-configure')), TEST_TIMEOUT);
-        }).then(function () {
-            callback();
-        });
+    async function login(username, password) {
+        await browser.get('https://' + app.fqdn);
+        await waitForElement(By.id('loginButton'));
+        await browser.findElement(By.id('username')).sendKeys(username);
+        await browser.findElement(By.id('passwordPlain')).sendKeys(password);
+        await browser.findElement(By.id('loginButton')).click();
+        await waitForElement(By.id('btn-subscription'));
     }
 
-    function logout(callback) {
-        var logout_btn = by.xpath('//ul[@class="dropdown-menu"]/li/a[@class="signout"]');
+    async function loginOIDC(username, password) {
+        browser.manage().deleteAllCookies();
+        await browser.get(`https://${app.fqdn}/i/`);
+        await browser.sleep(6000);
 
-        browser.get('https://' + app.fqdn).then(function () {
-            return visible(by.id('stream'));
-        }).then(function () {
-            return browser.findElement(by.className('dropdown-toggle')).click();
-        }).then(function () {
-            return visible(logout_btn);
-        }).then(function () {
-            return browser.findElement(logout_btn).click();
-        }).then(function () {
-            return browser.wait(until.elementLocated(by.id('loginButton')), TEST_TIMEOUT);
-        }).then(function () {
-            callback();
-        });
+        if (!athenticated_by_oidc) {
+            await waitForElement(By.xpath('//input[@name="username"]'));
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
+            await browser.sleep(2000);
+            await browser.findElement(By.xpath('//button[@type="submit" and contains(text(), "Sign in")]')).click();
+            await browser.sleep(2000);
+
+            athenticated_by_oidc = true;
+        }
+
+        await waitForElement(By.id('btn-subscription'));
     }
 
-    function addSubscription(callback) {
-        var url = "https://cloudron.io/blog/rss.xml";
+    async function logout() {
+        var logout_btn = By.xpath('//li/a[@class="signout"]');
 
-        browser.get(`${baseUrl()}/i/?c=subscription`).then(function () {
-            return visible(by.xpath('//input[@name="url_rss"]'));
-        }).then(function () {
-            return browser.findElement(by.xpath('//input[@name="url_rss"]')).sendKeys(url);
-        }).then(function () {
-            return browser.findElement(by.xpath('//form[@id="add_rss"]/div/button[@type="submit"]')).click();
-        }).then(function () {
-            return visible(by.xpath('//div[@id="notification" and @class="notification good"]'));
-        }).then(function () {
-            callback();
-        });
+        await browser.get('https://' + app.fqdn);
+        await waitForElement(By.id('stream'));
+        await browser.findElement(By.className('dropdown-toggle')).click();
+        await waitForElement(logout_btn);
+        await browser.findElement(logout_btn).click();
+        await waitForElement(By.id('loginButton'));
     }
 
-    function addUser(password, callback) {
-        var test_username = 'test';
+    async function addSubscription() {
+        var url = 'https://blog.cloudron.io/rss/';
+        const addUrl = app.manifest.version === '1.10.0' ? `${baseUrl()}/i/?c=subscription` : `${baseUrl()}/i/?c=subscription&a=add`;
 
-        browser.get(`${baseUrl()}/i/?c=user&a=manage`).then(function () {
-            return visible(by.id('new_user_name'));
-        }).then(function () {
-            return browser.findElement(by.id('new_user_name')).sendKeys(test_username);
-        }).then(function () {
-            return browser.findElement(by.id('new_user_passwordPlain')).sendKeys(password);
-        }).then(function () {
-            return browser.findElement(by.xpath('//button[text()="Create"]')).click();
-        }).then(function () {
-            return visible(by.xpath('//div[@id="notification" and @class="notification good"]'));
-        }).then(function () {
-            callback();
-        });
+        await browser.get(addUrl);
+        await waitForElement(By.xpath('//input[@name="url_rss"]'));
+        await browser.findElement(By.xpath('//input[@name="url_rss"]')).sendKeys(url);
+        await browser.findElement(By.xpath('//form[@id="add_rss"]//button[text()="Add"]')).click();
+        await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
     }
 
-    function enableApi(callback) {
-        browser.get(`${baseUrl()}/i/?c=auth`).then(function () {
-            return browser.findElement(by.id('api_enabled')).click();
-        }).then(function () {
-            return browser.findElement(by.xpath('//button[text()="Submit"]')).submit();
-        }).then(function () {
-            callback();
-        });
+    async function addUser(username, password) {
+        await browser.get(`${baseUrl()}/i/?c=user&a=manage`);
+        await waitForElement(By.id('new_user_name'));
+        await browser.findElement(By.id('new_user_name')).sendKeys(username);
+        await browser.findElement(By.id('new_user_passwordPlain')).sendKeys(password);
+        await browser.findElement(By.xpath('//button[text()="Create"]')).click();
+        await waitForElement(By.xpath('//div[@id="notification" and @class="notification good"]'));
     }
 
-    function checkApiConfiguration(callback) {
-        browser.get(`${baseUrl()}/api/`).then(function () {
-            return exists(by.xpath('//dd[@id="greaderOutput" and contains(text(), "PASS")]'));
-        }).then(function () {
-            return exists(by.xpath('//dd[@id="feverOutput" and contains(text(), "PASS")]'));
-        }).then(function () {
-            callback();
-        });
+    async function enableApi() {
+        await browser.get(`${baseUrl()}/i/?c=auth`);
+        await waitForElement(By.id('api_enabled'));
+        await browser.findElement(By.id('api_enabled')).click();
+        await browser.findElement(By.xpath('//button[text()="Submit"]')).click();
+        await browser.sleep(5000);
     }
 
-    function getAppInfo() {
-        var inspect = JSON.parse(execSync('cloudron inspect'));
-        app = inspect.apps.filter(function (a) { return a.location === LOCATION || a.location === LOCATION + '2'; })[0];
-        expect(app).to.be.an('object');
+    async function checkApiConfiguration() {
+        await browser.get(`${baseUrl()}/api/`);
+        await waitForElement(By.xpath('//dd[@id="greaderOutput" and contains(text(), "PASS")]'));
+        await waitForElement(By.xpath('//dd[@id="feverOutput" and contains(text(), "PASS")]'));
     }
 
-    function subscriptionExists(callback) {
-        browser.get(`${baseUrl()}/i/?get=c_1`).then(function () {
-            return visible(by.xpath('//a[text()="Cloudron.io"]'));
-        }).then(function () {
-            callback();
-        });
+    async function subscriptionExists() {
+        await browser.get(`${baseUrl()}/i/?get=c_1`);
+        return waitForElement(By.xpath('//span[text()="Cloudron"]'));
     }
 
-    function getStaticExtensionFile(callback) {
-        superagent.get(`${baseUrl()}/ext.php?f=xExtension-StickyFeeds/static/script.js&t=js`)
+    async function getStaticExtensionFile() {
+        const response = await superagent.get(`${baseUrl()}/ext.php?f=xExtension-StickyFeeds/static/script.js&t=js`)
             .buffer(true)
-            .end(function (err, res) {
-                expect(err).to.be(null);
-                expect(res.status).to.be(200);
-                expect(res.text).to.contain('sticky_feeds'); // relies on the buffer flag above
-                callback();
-        });
+            .ok(() => true);
+        expect(response.statusCode).to.be(200);
+        expect(response.text).to.contain('sticky_feeds'); // relies on the buffer flag above
     }
 
-    xit('build app', function () {
-        execSync('cloudron build', { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
-
-    it('install app', function () {
-        execSync('cloudron install --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
+    // No SSO
+    it('install app (no sso)', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
 
     it('can get app information', getAppInfo);
 
-    it('can login', login.bind(null, password));
+    it('can login', login.bind(null, admin_username, admin_password));
     it('can subscribe', addSubscription);
-    it('can add users', addUser.bind(null, password));
+    it('can add users', addUser.bind(null, 'test', admin_password));
     it('can enable API', enableApi);
     it('can check configuration', checkApiConfiguration);
     it('subscription exists', subscriptionExists);
     it('can get static extension file', getStaticExtensionFile);
     it('can logout', logout);
+    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
 
-    it('backup app', function () {
-        execSync('cloudron backup create --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    // SSO
+    it('install app (sso)', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
 
-    it('restore app', function () {
-        execSync('cloudron restore --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    it('can get app information', getAppInfo);
 
-    it('can login', login.bind(null, password));
+    it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
+    it('can make user Administrator', function () { execSync(`cloudron exec --app ${app.id} -- bash -c "php cli/reconfigure.php --default_user ${USERNAME}"`); });
+    it('can subscribe', addSubscription);
+    it('can enable API', enableApi);
+    it('can check configuration', checkApiConfiguration);
+    it('subscription exists', subscriptionExists);
+    it('can get static extension file', getStaticExtensionFile);
+
+    it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
+
+    it('restore app', function () {
+        const backups = JSON.parse(execSync(`cloudron backup list --raw --app ${app.id}`));
+        execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS);
+        execSync('cloudron install --location ' + LOCATION, EXEC_ARGS);
+        getAppInfo();
+        execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS);
+    });
+
+    it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
     it('can check configuration', checkApiConfiguration);
     it('subscription exists', subscriptionExists);
     it('can get static extension file', getStaticExtensionFile);
-    it('can logout', logout);
 
     it('move to different location', function () {
         browser.manage().deleteAllCookies();
-        execSync('cloudron configure --location ' + LOCATION + '2 --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+        execSync('cloudron configure --location ' + LOCATION + '2 --app ' + app.id, EXEC_ARGS);
         var inspect = JSON.parse(execSync('cloudron inspect'));
         app = inspect.apps.filter(function (a) { return a.location === LOCATION + '2'; })[0];
         expect(app).to.be.an('object');
     });
 
-    it('can login', login.bind(null, password));
+    it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
     it('can check configuration', checkApiConfiguration);
     it('subscription exists', subscriptionExists);
     it('can get static extension file', getStaticExtensionFile);
-    it('can logout', logout);
 
-    it('uninstall app', function () {
-        execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
 
     // test update
-    it('can install app', function () {
-        execSync('cloudron install --appstore-id org.freshrss.cloudronapp --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    it('can install app', function () { execSync('cloudron install --appstore-id org.freshrss.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
 
     it('can get app information', getAppInfo);
-    it('can login', login.bind(null, password));
+    it('can login OIDC', loginOIDC.bind(null, USERNAME, PASSWORD));
+    it('can make user Administrator', function () { execSync(`cloudron exec --app ${app.id} -- bash -c "php cli/reconfigure.php --default_user ${USERNAME}"`); });
     it('can subscribe', addSubscription);
-    it('can add users', addUser.bind(null, password));
+    it('can add users', addUser.bind(null, 'test', admin_password));
 
     it('can update', function () {
-        execSync('cloudron update --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+        execSync('cloudron update --app ' + app.id, EXEC_ARGS);
         var inspect = JSON.parse(execSync('cloudron inspect'));
         app = inspect.apps.filter(function (a) { return a.location === LOCATION; })[0];
         expect(app).to.be.an('object');
     });
 
-    it('can login', login.bind(null, password));
     it('subscription exists', subscriptionExists);
     it('can get static extension file', getStaticExtensionFile);
 
-    it('uninstall app', function () {
-        execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
 });