Good evening
I have a strange question: (How) is it possible a RSS feed I have created with Kirby which is accessible via a specific page?
So what I want to achieve is: https://host.com/api/feed.rss asks for a username and password but host.com/blog-article-123 does not. This is typically done via .htaccess/.htpasswd in the api direction because then people could do something like https://user:password@host.com/feed.rss - but there is no directory is this case, right?
I know this is ugly but unfortunately the customer is asking for an RSS feed for his limited system which does not easily talk REST API. There, the RSS feed would be ingested, kind of invisible to the user and the information displayed. The information is also not really secret which is in this RSS feedback, but still the idea is to protect it a bit from bots and just randomg sharing.
Is this possible?
Thanks
Andreas
You can easily protect any url e.g. via a route, inside which you check any passed parameters.
Note that any route starting with kirby’s internal api
key need authentication, either basic auth or session based
1 Like
Thanks for your quick reply @texnixe ! I have not thought about the route option, merci
I just created an api directory in the content directory to structure the RSS feeds, that’s no issue I guess.
Will give it a try and post here once succeeded (or failed miserably )
Andreas
@texnixe may I ask you if see you any flaw in this route? Because it seems to work and that was too easy
Obviously username/password will not be stored there and I am using the GitHub - bnomei/kirby3-feed: Generate ATOM/JSON/RSS-Feed and XML-Sitemap from Pages-Collection plugin to generate the actual RSS feed.
[
'pattern' => 'en/apitest/feed.rss',
'method' => 'GET',
'action' => function () {
// Define credentials
$username = 'admin';
$password = 'securepassword';
// Check for Basic Auth
if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER'] !== $username || $_SERVER['PHP_AUTH_PW'] !== $password) {
header('WWW-Authenticate: Basic realm="Restricted Area"');
header('HTTP/1.0 401 Unauthorized');
echo 'Unauthorized';
exit;
}
// Generate your RSS feed
$options = [
'title' => 'Latest articles',
'description' => 'Lalalalala',
'link' => ''
];
// Output the feed
header('Content-Type: application/rss+xml; charset=utf-8');
echo page('blog')->children()->filterBy('blabla', true)->listed()->flip()->limit(10)->feed($options);
return true;
}
]
Thanks
Andreas
texnixe
January 11, 2025, 12:03pm
5
If you use basic authentication for the request, you might as well use a custom api
route endpoint which then takes care of validating authentication automatically, provided a user with those credentials exists.