GitHub Gist by rascal999 (a7141263386e61a455190b144bd2978b)
Guest access to Koel
I wanted to allow guests to access Koel without logging in, so I modified the nginx.conf bundled with https://github.com/binhex/arch-koel to inject a small piece of JavaScript into the response for GET /. The script writes a pre-signed token into the localStorage key Koel keeps its session token in (jwt-token). On load, Koel finds the token, assumes it is dealing with an authenticated user and calls /api/data with it; if the JWT is well formed and signed with the server's secret, the visitor is seamlessly signed in as the guest user.
Two things to keep in mind before doing this. The token is embedded in HTML served to every visitor, so treat it as public: anyone can pull it out of the page source and send it to the API directly, and the hostname check in the injected script is a convenience for you, not an access control. The guest account should therefore have nothing beyond playback rights (in particular, it must not be an admin user).
For the following to work, your nginx build needs the --with-http_sub_module configure option (the sub_filter directive lives in ngx_http_sub_module). Check by running "nginx -V" and looking for --with-http_sub_module in the configure arguments. If it is absent, nginx will refuse to start with an "unknown directive" error for sub_filter, and this solution will not work.
Next you need to create a new user in Koel which will be used as the guest account.
Now locate the nginx.conf file and add the following lines inside the "location ~ \.php$ {" block (Koel's front page is served through PHP, so that is the location whose response body has to be rewritten):

```nginx
sub_filter '<script>' '<script>if (window.location.hostname == "KOEL-DOMAIN-HERE") localStorage.setItem("jwt-token", "\\"JWT-HERE\\"");';
sub_filter_once on;
sub_filter_types *;
```

sub_filter replaces the first <script> tag in the response with the same tag followed by the injected code, so the token is in localStorage before Koel's own scripts run. The doubled backslashes are needed because nginx itself processes escapes inside quoted strings: what reaches the browser is "\"JWT-HERE\"", i.e. the token wrapped in literal double quotes, which is the form Koel stores it in.
I'm assuming you have a domain set up for Koel; replace KOEL-DOMAIN-HERE with that host name (for example, koel.com). The hostname check means the token is only stored when the app is opened via that name: open it via the interface IP instead and you are presented with the normal login page, so you can still administer the app.
Now you need to generate a valid JWT and replace the JWT-HERE string in the config above. I used https://gchq.github.io/CyberChef/ for this (specifically, the "JWT Sign" operation). Take the secret from the Koel .env file (the JWT_SECRET value) and put it in the "Private/Secret Key" parameter of CyberChef > JWT Sign. Anyone holding that secret can mint a token for any Koel user, so keep it out of config comments, shell history and pastes.
Now authenticate to Koel as the new user you created (the guest account that will be signed in automatically) and grab the JWT from local storage. Strip the surrounding double quotes and paste it into a second instance of CyberChef running the "JWT Decode" operation. In the output text area you should see something like:
```json
{
  "sub": 2,
  "iss": "http://KOEL-DOMAIN-HERE/api/me",
  "iat": 1588700000,
  "exp": 2219800000,
  "nbf": 1588700000,
  "jti": "4JczEwHuuXXXXXXX"
}
```
Before you copy the data presented, update the exp epoch value to something further in the future, otherwise the token will expire in about 7 days (the example above already shows an extended value; 2219800000 falls in 2040). Bear in mind that this creates a very long-lived bearer credential: if you ever need to revoke it, rotate JWT_SECRET, which also invalidates every other user's session.
Copy the decoded JWT into the first instance of CyberChef (the one running "JWT Sign") and you should see a freshly encoded JWT in the output. Replace the JWT-HERE string in the nginx config listed above with it and restart nginx. If the script never shows up in the page, check whether the response reaches nginx already compressed: sub_filter leaves bodies that carry a Content-Encoding header untouched, so it may also be necessary to disable gzip compression in the nginx.conf file.
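The CyberChef steps above (sign with JWT_SECRET, decode, adjust exp, re-sign) can be scripted, which also makes it easy to inspect a token before it goes into nginx.conf. The following is an added example, not Koel's code or part of the gist; it assumes Koel's tokens are HS256 signed over JWT_SECRET (the shape the decoded example shows) and uses a constructed secret, domain and user id. It mints a guest token with the same claim set, applies the checks an API would apply (signature, nbf, exp), and renders the sub_filter directive with the quote escaping worked out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: Koel signs its tokens with HS256 over the JWT_SECRET value from .env.
# The secret and domain below are constructed for this example, not real values.
DEMO_SECRET = "constructed-demo-secret-not-a-real-JWT_SECRET"
DEMO_DOMAIN = "koel.example"


def _b64url(data):
    # Base64url without '=' padding, as the JWT compact serialisation requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def guest_claims(sub, domain, issued_at, lifetime_s):
    # Claim set shaped like the one Koel's own token decodes to (sub/iss/iat/exp/nbf/jti).
    return {
        "sub": sub,
        "iss": "http://%s/api/me" % domain,
        "iat": issued_at,
        "exp": issued_at + lifetime_s,
        "nbf": issued_at,
        "jti": secrets.token_urlsafe(12),  # random token id, like the one in the example
    }


def sign_hs256(claims, secret):
    # Compact HS256 JWT over `claims`: what CyberChef's JWT Sign produces with the same secret.
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = "%s.%s" % (
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, _b64url(mac))


def decode_claims(token):
    # What CyberChef's JWT Decode shows: the payload only, with no signature check.
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_token(token, secret, now=None):
    # Return "ok" if the token would be accepted, otherwise the reason it would be rejected.
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed: expected header.payload.signature"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return "malformed: base64/JSON"
    if header.get("alg") != "HS256":
        return "unexpected alg (never let the token choose the algorithm)"
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    now = int(time.time()) if now is None else now
    if claims.get("nbf", 0) > now:
        return "not yet valid (nbf)"
    if claims.get("exp", 0) <= now:
        return "expired (exp)"
    return "ok"


def sub_filter_directive(domain, token):
    # Render the gist's sub_filter line with the token filled in. nginx turns the
    # doubled backslash plus quote into an escaped quote inside the JS string, so the
    # browser stores the token wrapped in literal double quotes, as Koel expects.
    js = ('<script>if (window.location.hostname == "%s") '
          'localStorage.setItem("jwt-token", "\\\\"%s\\\\"");') % (domain, token)
    return "sub_filter '<script>' '%s';" % js


if __name__ == "__main__":
    ten_years = 10 * 365 * 24 * 3600
    token = sign_hs256(guest_claims(2, DEMO_DOMAIN, int(time.time()), ten_years), DEMO_SECRET)
    print(decode_claims(token))
    print(check_token(token, DEMO_SECRET))
    print(sub_filter_directive(DEMO_DOMAIN, token))
```

Run it with the real JWT_SECRET, domain and guest user id in place of the constructed values and paste the printed sub_filter line into the location block. check_token reproduces the two failure cases described for the curl test below (bad format, failed signature) plus expiry, and refuses any token whose header names an algorithm other than HS256, which is the check a verifier must make so the token cannot choose how it is validated.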
You can test that the JWT works before updating nginx.conf with the following curl command (the status is on the "< HTTP/..." line of the verbose output):
curl -vvv -H 'Authorization: Bearer GENERATED-JWT-HERE' 'http://KOEL-DOMAIN-HERE/api/data'
If you see a 401, your JWT is badly formatted or the signature (or expiry) check failed. If you see a 200, everything is probably good.