syncthing/lib/api
Emil Lundberg ea1ea366d2 lib/api: Check basic auth (and set session cookie) before noauth exceptions (#9159)
This is motivated by the Android app:
https://github.com/syncthing/syncthing-android/pull/1982#issuecomment-1752042554

The planned fix in response to basic auth behaviour changing in #8757
was to add the `Authorization` header when opening the WebView, but it
turns out the function used only applies the header to the initial page
load, not any subsequent script loads or AJAX calls. The
`basicAuthAndSessionMiddleware` checks for no-auth exceptions before
checking the `Authorization` header, so the header has no effect on the
initial page load since the `/` path is a no-auth exception. Thus the
Android app fails to log in when opening the WebView.

This changes the order of checks in `basicAuthAndSessionMiddleware` so
that the `Authorization` header is always checked if present, and a
session cookie is set if it is valid. Only after that does the
middleware fall back to checking for no-auth exceptions.

`api_test.go` has been expanded with additional checks:
- Check that a session cookie is set whenever correct basic auth is
provided.
- Check that a session cookie is not set when basic auth is incorrect.
- Check that a session cookie is not set when authenticating with an API
token (either via `X-Api-Key` or `Authorization: Bearer`).

And an additional test case:
- Check that requests to `/` always succeed, but receive a session
cookie when correct basic auth is provided.

I have manually verified that
- The new assertions fail if the `createSession` call is removed in
`basicAuthAndSessionMiddleware`.
- The new test cases in e6e4df4d7034302b729ada6d91cff6e2b29678da fail
before the change in 0e47d37e738d4c15736c496e01cd949afb372e71 is
applied.
2023-10-10 07:48:55 +02:00
auto all: Remove usage of deprecated io/ioutil (#7971) 2021-11-22 08:59:47 +01:00
testdata cmd/syncthing, lib/api: Separate api/gui into own package (ref #4085) (#5529) 2019-03-26 19:53:58 +00:00
.gitignore lib/api: Ignore that one file that always shows up in git status 2020-03-07 11:46:54 +01:00
api_auth_test.go lib/api: Better handle %s templates in LDAP strings (fixes #9072) (#9155) 2023-10-07 02:29:53 +00:00
api_auth.go lib/api: Check basic auth (and set session cookie) before noauth exceptions (#9159) 2023-10-10 07:48:55 +02:00
api_csrf.go Add HTML login form (fixes #4137) (#8757) 2023-10-06 13:00:58 +02:00
api_statics.go lib/api: Fix inverted logic in string comparison 2022-07-28 21:51:14 +02:00
api_test.go lib/api: Check basic auth (and set session cookie) before noauth exceptions (#9159) 2023-10-10 07:48:55 +02:00
api.go Add HTML login form (fixes #4137) (#8757) 2023-10-06 13:00:58 +02:00
confighandler.go lib/config: Accept pre-hashed password (fixes #9123) (#9124) 2023-09-24 19:23:49 +02:00
debug.go all, lib/logger: Refactor SetDebug calls (#6054) 2019-10-04 13:03:34 +02:00
mocked_config_test.go lib: Use counterfeiter to mock interfaces in tests (#7375) 2021-03-03 08:53:50 +01:00
support_bundle.go cmd/syncthing, lib/api: Separate api/gui into own package (ref #4085) (#5529) 2019-03-26 19:53:58 +00:00