Authentication Error in GNU Social

Published on Sat, 20 February, 2021 | 300 words
Tags: linux php howto apache gnu social

I recently had a problem logging into my own self-hosted GNU Social instance using multiple Android apps. I could log into the instance just fine from a web browser, but any attempt to log in from an app (all of which use the API to log in) returned the error “Could not authenticate you” from the HTTP call to verify_credentials.json.

There are a couple of places this problem, or one very similar, is mentioned online. One mention is on the GNU Social bug site itself, and several more are on the GitHub of AndStatus (coincidentally one of the apps I was trying to use). The AndStatus community provide a workaround for one particular server, but nowhere seems to have an actual fix, and I certainly couldn’t find anything that solved my particular problem. So as I figured out what was going on (at least in my case) by looking at the code, I thought I’d post my solution here in case it helps someone else.

The fix (for me) was simple. Add the line

CGIPassAuth On

to your .htaccess file.

This works because GNU Social uses standard HTTP Authentication for the API and reads the credentials from PHP's PHP_AUTH_USER variable. That variable is empty if the server is running PHP as a CGI/FastCGI module, as is the case with my instance, because Apache does not pass the Authorization header to CGI scripts by default. Adding this line to the .htaccess causes those variables to be set. Obviously it would be nicer if the apps in question used OAuth to log in.
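
To confirm the diagnosis on your own server, here is an added example (not from GNU Social or the apps mentioned): a throwaway PHP script, hypothetically named authcheck.php, that reports whether HTTP Basic credentials reach PHP and shows the usual fallback of decoding the raw Authorization header. The function names are made up for illustration.

```php
<?php
// Added diagnostic, not GNU Social code. Save under a hypothetical name such as
// authcheck.php, request it with HTTP Basic credentials, then delete it.

/**
 * Return [user, password] from the request, or null if no Basic credentials
 * reached PHP. $server is normally $_SERVER.
 */
function basic_credentials(array $server): ?array
{
    // mod_php, or CGI/FastCGI where PHP was handed the header and parsed it.
    if (isset($server['PHP_AUTH_USER']) && $server['PHP_AUTH_USER'] !== '') {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // Raw header; Apache prefixes variables with REDIRECT_ on internal redirects.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($server[$key]), $m)) {
            continue; // Bearer, Digest, or malformed value
        }
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue;
        }
        return explode(':', $decoded, 2); // limit 2: passwords may contain ':'
    }
    return null;
}

function auth_report(array $server): array
{
    $creds = basic_credentials($server);
    return [
        'sapi' => PHP_SAPI, // e.g. cgi-fcgi, fpm-fcgi, apache2handler
        'PHP_AUTH_USER set' => isset($server['PHP_AUTH_USER']),
        'HTTP_AUTHORIZATION set' => isset($server['HTTP_AUTHORIZATION']),
        'REDIRECT_HTTP_AUTHORIZATION set' => isset($server['REDIRECT_HTTP_AUTHORIZATION']),
        'user seen by PHP' => $creds[0] ?? null, // the password is never echoed
    ];
}

header('Content-Type: application/json');
echo json_encode(auth_report($_SERVER), JSON_PRETTY_PRINT), "\n";
```

If the report shows no user under CGI/FastCGI before the change and PHP_AUTH_USER set afterwards, the missing header was the cause. CGIPassAuth exposes the Authorization header to every script in the directive's scope, so keep it in the .htaccess of the GNU Social directory and not server-wide.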