basepath fixes

2025-11-09 19:08:57 +00:00 · 2021-03-17 16:25:16 +00:00
parent 5e453e3227
commit f3c55ba5f2
4 changed files with 25 additions and 29 deletions
--- a/src/server/middleware.go
+++ b/src/server/middleware.go
@@ -16,8 +16,12 @@ type authMiddleware struct {
 	public   string
 }

+func unsafeMethod(method string) bool {
+	return method == "POST" || method == "PUT" || method == "DELETE"
+}
+
 func (m *authMiddleware) handler(c *router.Context) {
-	if strings.HasPrefix(c.Req.URL.Path, m.public) {
+	if strings.HasPrefix(c.Req.URL.Path, m.basepath + m.public) {
 		c.Next()
 		return
 	}
@@ -26,9 +30,14 @@ func (m *authMiddleware) handler(c *router.Context) {
 		return
 	}

-	if c.Req.URL.Path != m.basepath {
-		// TODO: check ajax
-		c.Out.WriteHeader(http.StatusForbidden)
+	rootUrl := m.basepath + "/"
+
+	if c.Req.URL.Path != rootUrl {
+		if unsafeMethod(c.Req.Method) && c.Req.Header.Get("X-Requested-By") != "yarr" {
+			c.Out.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		c.Redirect(rootUrl)
 		return
 	}

@@ -37,10 +46,9 @@ func (m *authMiddleware) handler(c *router.Context) {
 		password := c.Req.FormValue("password")
 		if auth.StringsEqual(username, m.username) && auth.StringsEqual(password, m.password) {
 			auth.Authenticate(c.Out, m.username, m.password, m.basepath)
-			c.Redirect(m.basepath)
+			c.Redirect(rootUrl)
 			return
 		} else {
-			// TODO: show error
 			c.HTML(http.StatusOK, assets.Template("login.html"), map[string]string{
 				"username": username,
 				"error": "Invalid username/password",
--- a/src/server/routes.go
+++ b/src/server/routes.go
@@ -21,10 +21,10 @@ func (s *Server) handler() http.Handler {
 	// TODO: auth, base, security
 	if s.Username != "" && s.Password != "" {
 		a := &authMiddleware{
+			basepath: BasePath,
 			username: s.Username,
 			password: s.Password,
-			basepath: BasePath + "/",
-			public: BasePath + "/static",
+			public:   "/static",
 		}
 		r.Use(a.handler)
 	}
@@ -401,6 +401,6 @@ func (s *Server) handlePageCrawl(c *router.Context) {
 }

 func (s *Server) handleLogout(c *router.Context) {
-	auth.Logout(c.Out)
+	auth.Logout(c.Out, BasePath)
 	c.Out.WriteHeader(http.StatusNoContent)
 }
--- a/src/server/server.go
+++ b/src/server/server.go
@@ -54,9 +54,6 @@ func (s *Server) Start() {
 	}
 }

-func unsafeMethod(method string) bool {
-	return method == "POST" || method == "PUT" || method == "DELETE"
-}

 /*
 func (h Server) ServeHTTP(rw http.ResponseWriter, req *http.Request) {