Block HTTP Basic Auth proxy for Piped sources

Piped's session token reuses the Authorization header, so a fronting basic auth proxy can't coexist with logged-in Piped use — the two would clobber each other's credentials on every authenticated request. Add a supportsHTTPBasicAuthProxy capability on Instance/InstanceType (false for Piped, true for everything else) and route it through: - AddRemoteServerView refuses Piped if detection only succeeded behind basic auth, surfacing a localized "not supported" error instead of a silently broken instance, and hides the optional credentials section for Piped. - EditSourceView hides the basic auth fields for Piped instances and clears any legacy stored credentials on save, in case a Piped source was added with credentials before this change.
2026-05-14 03:15:03 +00:00 · 2026-05-06 20:17:18 +02:00
parent 11841d7b41
commit 6f8aa9a1b3
4 changed files with 80 additions and 37 deletions
--- a/Yattee/Models/Instance.swift
+++ b/Yattee/Models/Instance.swift
@@ -182,6 +182,22 @@ extension Instance {
    var supportsVideoProxying: Bool {
        type == .invidious || type == .piped || type == .yatteeServer
    }
+
+    /// Whether this instance can sit behind an HTTP Basic Auth reverse proxy.
+    /// Piped is excluded: its session token is sent in the same `Authorization`
+    /// header that the proxy would consume, so logged-in features can't coexist
+    /// with proxy credentials.
+    var supportsHTTPBasicAuthProxy: Bool {
+        type.supportsHTTPBasicAuthProxy
+    }
+}
+
+extension InstanceType {
+    /// See `Instance.supportsHTTPBasicAuthProxy`. Type-only variant for flows
+    /// (e.g., AddRemoteServer detection) that don't yet have an `Instance`.
+    var supportsHTTPBasicAuthProxy: Bool {
+        self != .piped
+    }
 }

 // MARK: - Instance Validation