mirror of
https://github.com/octoleo/syncthing.git
synced 2024-12-22 10:58:57 +00:00
ea1ea366d2
This is motivated by the Android app: https://github.com/syncthing/syncthing-android/pull/1982#issuecomment-1752042554 The planned fix in response to basic auth behaviour changing in #8757 was to add the `Authorization` header when opening the WebView, but it turns out the function used only applies the header to the initial page load, not any subsequent script loads or AJAX calls. The `basicAuthAndSessionMiddleware` checks for no-auth exceptions before checking the `Authorization` header, so the header has no effect on the initial page load since the `/` path is a no-auth exception. Thus the Android app fails to log in when opening the WebView. This changes the order of checks in `basicAuthAndSessionMiddleware` so that the `Authorization` header is always checked if present, and a session cookie is set if it is valid. Only after that does the middleware fall back to checking for no-auth exceptions. `api_test.go` has been expanded with additional checks: - Check that a session cookie is set whenever correct basic auth is provided. - Check that a session cookie is not set when basic auth is incorrect. - Check that a session cookie is not set when authenticating with an API token (either via `X-Api-Key` or `Authorization: Bearer`). And an additional test case: - Check that requests to `/` always succeed, but receive a session cookie when correct basic auth is provided. I have manually verified that - The new assertions fail if the `createSession` call is removed in `basicAuthAndSessionMiddleware`. - The new test cases in e6e4df4d7034302b729ada6d91cff6e2b29678da fail before the change in 0e47d37e738d4c15736c496e01cd949afb372e71 is applied. |
||
|---|---|---|
| .. | ||
| api | ||
| assets | ||
| beacon | ||
| build | ||
| config | ||
| connections | ||
| db | ||
| dialer | ||
| discover | ||
| events | ||
| fs | ||
| httpcache | ||
| ignore | ||
| locations | ||
| logger | ||
| model | ||
| nat | ||
| netutil | ||
| osutil | ||
| pmp | ||
| protocol | ||
| rand | ||
| rc | ||
| relay | ||
| scanner | ||
| semaphore | ||
| sha256 | ||
| signature | ||
| sliceutil | ||
| stats | ||
| stringutil | ||
| structutil | ||
| stun | ||
| svcutil | ||
| sync | ||
| syncthing | ||
| testutil | ||
| tlsutil | ||
| upgrade | ||
| upnp | ||
| ur | ||
| versioner | ||
| watchaggregator | ||
| weakhash | ||