DSM 6.2.4-25554 Upgrade Filebot Node Unauthorized

Support for Synology NAS, QNAP NAS and other Embedded Linux systems
Post Reply
Dmx
Posts: 7
Joined: 26 Feb 2021, 18:55

DSM 6.2.4-25554 Upgrade Filebot Node Unauthorized

Post by Dmx »

Hi,

actually I've been trying for like two hours to fix this myself but I'm out of ideas. Today I upgraded my DS 918+ to 6.2.4-25554. After the obligatory restart filebot-node indicated it needed repair. Ok well, done. I couldn't start it afterwards until restarting the package manually. I can display the GUI now but when I enter anything and then click something (like Dry Run, Show System Info, Execute etc.) it doesn't do anything. I restarted, re-installed filebot (+node), went to clear cache and reset settings for filebot via SSH and tried to dig through the logfiles. I tried a lot of stuff and actually I'm at I point where I think I at least know whats happening.
Checking with the Browser Tools I see endless requests coming in with "401 Unauthorized". Filebot Node Log shows the same:

Code: Select all

2021-02-26T20:31:31+0100 /usr/syno/synoman/webman/modules/authenticate.cgi
2021-02-26T20:31:31+0100 {
  HTTP_COOKIE: 'id=null',
  HTTP_X_SYNO_TOKEN: 'KL0yVAhasgj2', -> I changed this to a random Token for the Forum
  REMOTE_ADDR: '192.168.178.20'
}
I believe actually it's due to the Cookie which I assume Filebot Node uses to authenticate? Howver I have no clue why it can't see the Cookie. I do not see anything in the changelog regarding this https://www.synology.com/en-global/rele ... l=DS3615xs
What I tried additionally is to disable the CSRF in Security Settings -> Logout and Login again. However doing that doesn't change it, in that case I'm even missing the Syno Token which reports back as empty then in the filebot-node log. I see that DSM 7 changed a lot of things, maybe the backported some stuff?
Any ideas how I can find a fix for this? Does anyone have similiar problems?

I would be happy about any tip/idea.
Thanks!
User avatar
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei
Contact:

Re: DSM 6.2.4-25554 Upgrade Filebot Node Unauthorized

Post by rednoah »

You might need to log-out log-in into DSM. FileBot Node integrates into DSM authentication, so you must be logged into DSM, so make sure to open FileBot Node via the DSM WebUI launch icon instead of opening the internal frame directly.
:idea: Please read the FAQ and How to Request Help.
Dmx
Posts: 7
Joined: 26 Feb 2021, 18:55

Re: DSM 6.2.4-25554 Upgrade Filebot Node Unauthorized

Post by Dmx »

Hi,
unfortunately I did that already. I logged out countless times, like 20 or so and logged in again. Even deleted the Device as known to reset 2FA and require a code again. Also tried various Browsers &. Incognito mode.
If I understand your second part correct you mean to open it through the Synology Web UI instead of opening filebot node directly via <IP>:Port. If so I didn't do that even once, always clicked the icon in the UI.
User avatar
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei
Contact:

Re: DSM 6.2.4-25554 Upgrade Filebot Node Unauthorized

Post by rednoah »

If none of this make a difference, then my educated guess would be that they enabled HttpOnly cookies for DSM 6.* now as well, which fundamentally breaks authentication, as the JS client-side will no longer be able to read cookie data from the JS engine. I'm not sure if users can enable / disable this security feature.


:idea: Since DSM 7.* had the same feature / limitation, so we already have a solution for the DSM 7.* beta package. But that package requires DSM 7.* and I would refrain from upgrading to DSM 7.* at this point.


:idea: If you can use docker, then the FileBot Node docker container might be a viable work around. You can use HTTP basic authentication, or disable authentication all together in this case.
:idea: Please read the FAQ and How to Request Help.
Dmx
Posts: 7
Joined: 26 Feb 2021, 18:55

Re: DSM 6.2.4-25554 Upgrade Filebot Node Unauthorized

Post by Dmx »

Would be too bad :( Can I check/confirm this somehow?

Docker is a another good idea, however I'm not to keen on doing that right now. But if I have no other choice I might need to try it.

My other idea would be to simply create the Script myself. As I understand Filebot Node doesn't do anything else then show a GUI for script creation. However unfortunately since the package broke and I reset everything I don't know where the scripts are exactly put that Filebot Node creates and which rights are applied etc.. My end goal is simply to have a scheduled Task via Synology to run every x-minutes/hours.
Can you give any hints about that?

Edit: I think I got it from my Bash history/and Filebot Node Github. Should be in /usr/local/filebot-node/data/task labeled {task-nr}.args. However I'm not clear on which permissions to set to not mess anything up. I've created 1.args manually in that directory and currently it's set to:

Code: Select all

-rwx--x--x 1 root root 371 Feb 27 09:50 1.args
Script looks like this:

Code: Select all

-script
fn:amc
/volume1/xxx
--output
/volume1/xxx
--action
move
-non-strict
--order
Airdate
--conflict
skip
--lang
de
--def
clean=y
skipExtract=y
minFileSize=100000000
minLengthMS=300000
music=n
exec=/volume1/homes/admin/UpdateKodi.sh
seriesFormat={kodi}
movieFormat={kodi}
excludeList=/volume1/homes/admin/filebot_exclude
--apply
refresh
--log
all
--log-file
After permissions are correct I would simply create a user scheduled task via synology run as "admin" and point it to /usr/local/filebot-node/data/task/1.args. Does that seem about right?
Dmx
Posts: 7
Joined: 26 Feb 2021, 18:55

Re: DSM 6.2.4-25554 Upgrade Filebot Node Unauthorized

Post by Dmx »

Hi,

okay, sorry for the Double Post but the editing is getting confusing. I think I got it replicated now how filebot node creates the Task & Synology Schedule by looking through your Github. Actually I had a few mistakes which I found in the above post. What I've done now is the following:

1) created "1.args" under /usr/local/filebot-node/data/task with the following content

Code: Select all

-script
fn:amc
/volume1/xxx
--output
/volume1/xxx
--action
move
-non-strict
--order
Airdate
--conflict
skip
--lang
de
--def
clean=y
skipExtract=y
minFileSize=100000000
minLengthMS=300000
music=n
exec=/volume1/homes/admin/UpdateKodi.sh
seriesFormat={kodi}
movieFormat={kodi}.BluRay
excludeList=/volume1/homes/admin/filebot_exclude
--apply
refresh
--log
all
--log-file
/usr/local/filebot-node/data/filebot.log
2) chmod 755 the Task (1.args), reading the following

Code: Select all

-rwxr-xr-x 1 root root 439 Feb 27 11:34 1.args
3) created a custom Task Schedule via DSM Web which is run as user admin and executes /usr/local/filebot-node/task 1 (->this I had actually wrong initially, I tried to call /usr/local/filebot-node/data/task/1.args directly which obviously didn't work...)

4) Log output shows in /usr/local/filebot-node/data/filebot.log

So I believe I got that working. However I'm still unsure about 2). @rednoah: could you quickly verify that and confirm which permissions & owner/group are usually set on a task when it is created via filebot node GUI?
Additionally I'm of course still curious about the original problem in the first place and how I can further check if the Update added some new Cookie Security Measures.
Thanks
User avatar
rednoah
The Source
Posts: 22923
Joined: 16 Nov 2011, 08:59
Location: Taipei
Contact:

Re: DSM 6.2.4-25554 Upgrade Filebot Node Unauthorized

Post by rednoah »

FileBot Node is essentially a amc script command generator. You can do anything on the command-line directly. Unless you're calling previously prepared tasks, it's probably easier to just create a new *.sh script from scratch and type your filebot command there, instead of recreating how FileBot Node does things. Then test things on the command-line until you're happy. Then configure Task Scheduler to call it on a schedule.


:idea: Permissions don't matter. @file syntax just makes passing complex arguments easier, by having the process read arguments from a text file. The file needs to be readable for that.


:idea: You may be able to inspect and debug cookies with your browser, but some web development expertise will be required for that.



EDIT:

If you have basic programming skills, and a completely secure local network that only you use, then you could modify the NodeJS service to disable authentication in the service start script.

i.e. change SYNO:

Code: Select all

export FILEBOT_NODE_AUTH=SYNO
to NONE:

Code: Select all

export FILEBOT_NODE_AUTH=NONE

:!: THIS WORKAROUND IS AKIN TO GIVING ANYONE THAT CAN CONNECT TO YOUR NAS ROOT SHELL ACCESS :!:
:idea: Please read the FAQ and How to Request Help.
Dmx
Posts: 7
Joined: 26 Feb 2021, 18:55

Re: DSM 6.2.4-25554 Upgrade Filebot Node Unauthorized

Post by Dmx »

Hi,
yeah, I understand that. However at some point, either when a solution comes around or DSM 7 I want to continue to run Filebot node so I figured why not just try it. I had the most part of the script that filebot node created as a Task last year luckily in my Text Editor on my host machine because I copied it at some point. So I decided to try and re-create it where i also learned some stuff. It was then basically more or less just a copy/paste job to create the .args file.

Now that is working fine, only thing I don't know is correct owner/group and permissions for the .args file. Currently it's simply set to:

Code: Select all

-rwxr-xr-x 1 root root 439 Feb 27 11:34 1.args
If you can tell me that please then everything is basically solved via this workaround going forward and the topic closed, unless you are curious about chasing down the original issue.

Edit:
Ah, didn't see your edit before I created my post :D
Thank you for the links, I think I understand now. So the .args file simply needs to be set to be readable, nothing else required.

Modification of the NodeJS seems intriguing. Since I'm actually the only one in my LAN using it I will try that later.

Edit 2:
Tried it right away and changed the start script the way you advised. That works and Filebot Node is back in a working state via GUI. Actually quite funny, 30 second work in changing that script and it's back to working while I tried around 2-3 hours to make it work :mrgreen: :?
Guess that's the advantage when you have someone who knows exactly where to look :D

For now it can stay this way I believe because I have no one accessing Filebot here in my LAN. Only difference should be in my understanding that I could even access the GUI directly without accessing it from DSM Web.

Thank you for the guidance and help with it :)
Post Reply