basepath fixes

2021-03-17 16:25:16 +00:00 · 2021-03-17 16:25:16 +00:00 · f3c55ba5f2
commit f3c55ba5f2
parent 5e453e3227
4 changed files with 25 additions and 29 deletions
--- a/src/server/middleware.go
+++ b/src/server/middleware.go
@ -16,8 +16,12 @@ type authMiddleware struct {
 	public   string
 }

+func unsafeMethod(method string) bool {
+	return method == "POST" || method == "PUT" || method == "DELETE"
+}
+
 func (m *authMiddleware) handler(c *router.Context) {
-	if strings.HasPrefix(c.Req.URL.Path, m.public) {
+	if strings.HasPrefix(c.Req.URL.Path, m.basepath + m.public) {
 		c.Next()
 		return
 	}
@ -26,9 +30,14 @@ func (m *authMiddleware) handler(c *router.Context) {
 		return
 	}

-	if c.Req.URL.Path != m.basepath {
-		// TODO: check ajax
-		c.Out.WriteHeader(http.StatusForbidden)
+	rootUrl := m.basepath + "/"
+
+	if c.Req.URL.Path != rootUrl {
+		if unsafeMethod(c.Req.Method) && c.Req.Header.Get("X-Requested-By") != "yarr" {
+			c.Out.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		c.Redirect(rootUrl)
 		return
 	}

@ -37,10 +46,9 @@ func (m *authMiddleware) handler(c *router.Context) {
 		password := c.Req.FormValue("password")
 		if auth.StringsEqual(username, m.username) && auth.StringsEqual(password, m.password) {
 			auth.Authenticate(c.Out, m.username, m.password, m.basepath)
-			c.Redirect(m.basepath)
+			c.Redirect(rootUrl)
 			return
 		} else {
-			// TODO: show error
 			c.HTML(http.StatusOK, assets.Template("login.html"), map[string]string{
 				"username": username,
 				"error": "Invalid username/password",