github new-usemame/Calibre-Web-NextGen v4.0.31
v4.0.31 — OAuth users can now access OPDS and KOReader Sync

one month ago

What's fixed

OAuth users (Authentik / Authelia / Keycloak / GitHub-as-IdP / etc.) can now access OPDS feeds and KOReader Sync through per-user app passwords. Previously these users could sign into the web UI but got rejected on every OPDS feed and every KOSync request — both surfaces use HTTP Basic auth and OAuth users have no usable local password to put in the Basic-auth header. Resolves #95 and the underlying crocodilestick/Calibre-Web-Automated#1269 (reporter: @charredchar).

How to use it

  1. Sign into your CWA web UI (the OAuth flow you already use).
  2. Go to your /me profile page.
  3. Scroll to "App passwords for OPDS / KOReader Sync".
  4. Enter a label (e.g. "Kobo Forma", "KOReader iPad"), click Create.
  5. Copy the token shown once. You won't see it again.
  6. Paste it into your OPDS reader (or KOReader Sync config) as the password. Username stays the same.

Revoke any time from the same page. Revoking doesn't affect your active web session.

docker pull ghcr.io/new-usemame/calibre-web-nextgen:v4.0.31

Or use :latest. Existing data + sessions are preserved.

Why "app passwords" specifically

Standard pattern for OAuth-fronted apps that also speak HTTP Basic — Forgejo, Gitea, Mastodon, Bitwarden all do this. The IdP redirect flow can't be sent through a Basic-auth header, and most IdPs reject Basic auth anyway.

Regression coverage

9 new unit tests pin the auth path against a real in-memory SQLAlchemy session: cross-key lookup behavior, user_id scoping (privilege-escalation pin), revoked-row exclusion, multi-password independence, empty-password short-circuit, end-to-end OAuth-user-authenticates, end-to-end wrong-password-still-rejected. The new branch is strictly additive to verify_password() — no regression risk on existing LDAP / local-password flows.
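
The properties those tests pin (per-user scoping, revoked-row exclusion, independent passwords, empty-password short-circuit) can be seen in a small sketch. This is an added example, not the project's verify_password() code; the AppPasswordStore class, its method names, and the choice to store only a SHA-256 digest of each token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AppPassword:
    user_id: int
    label: str
    digest: bytes          # only a hash of the token is stored (assumption)
    revoked: bool = False


class AppPasswordStore:
    """Hypothetical in-memory stand-in for an app-password table."""

    def __init__(self):
        self.rows = []

    @staticmethod
    def _digest(token):
        # Tokens are 256-bit random values, so a fast hash is adequate here;
        # human-chosen passwords would need a slow KDF instead.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def create(self, user_id, label):
        token = secrets.token_urlsafe(32)
        self.rows.append(AppPassword(user_id, label, self._digest(token)))
        return token       # returned once to show the user, never stored

    def revoke(self, user_id, label):
        for row in self.rows:
            if row.user_id == user_id and row.label == label:
                row.revoked = True

    def verify(self, user_id, presented):
        if not presented:  # empty password short-circuits before any lookup
            return False
        candidate = self._digest(presented)
        matched = False
        for row in self.rows:
            # Scope to the authenticating user and skip revoked rows, so a
            # valid token never authenticates a different username.
            if row.user_id != user_id or row.revoked:
                continue
            matched |= hmac.compare_digest(row.digest, candidate)
        return matched
```

In a Basic-auth handler, a check like verify() would run as an additional branch alongside the existing local-password or LDAP check, with user_id resolved from the username in the header.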

Credits

Reporter: @charredchar on CWA #1269.
