update auth cookie settings

2020-02-05 11:35:31 +01:00
parent 2fba11269a
commit 650c7ede6c
4 changed files with 21 additions and 16 deletions
--- a/pixelapi/pixelapi.go
+++ b/pixelapi/pixelapi.go
@@ -17,7 +17,7 @@ var client = &http.Client{Timeout: time.Minute * 5}
 // PixelAPI is the Pixeldrain API client
 type PixelAPI struct {
 	apiEndpoint string
-	apiKey      string
+	APIKey      string
 	RealIP      string
 }

@@ -60,8 +60,8 @@ func (p *PixelAPI) jsonRequest(method, url string, target interface{}) error {
 			Message:  err.Error(),
 		}
 	}
-	if p.apiKey != "" {
-		req.SetBasicAuth("", p.apiKey)
+	if p.APIKey != "" {
+		req.SetBasicAuth("", p.APIKey)
 	}
 	if p.RealIP != "" {
 		req.Header.Set("X-Real-IP", p.RealIP)
@@ -86,8 +86,8 @@ func (p *PixelAPI) getString(url string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	if p.apiKey != "" {
-		req.SetBasicAuth("", p.apiKey)
+	if p.APIKey != "" {
+		req.SetBasicAuth("", p.APIKey)
 	}
 	if p.RealIP != "" {
 		req.Header.Set("X-Real-IP", p.RealIP)
@@ -110,8 +110,8 @@ func (p *PixelAPI) getRaw(url string) (io.ReadCloser, error) {
 	if err != nil {
 		return nil, err
 	}
-	if p.apiKey != "" {
-		req.SetBasicAuth("", p.apiKey)
+	if p.APIKey != "" {
+		req.SetBasicAuth("", p.APIKey)
 	}
 	if p.RealIP != "" {
 		req.Header.Set("X-Real-IP", p.RealIP)
@@ -141,8 +141,8 @@ func (p *PixelAPI) form(
 			Message:  err.Error(),
 		}
 	}
-	if p.apiKey != "" {
-		req.SetBasicAuth("", p.apiKey)
+	if p.APIKey != "" {
+		req.SetBasicAuth("", p.APIKey)
 	}
 	if p.RealIP != "" {
 		req.Header.Set("X-Real-IP", p.RealIP)
--- a/pixelapi/user.go
+++ b/pixelapi/user.go
@@ -58,7 +58,7 @@ func (p *PixelAPI) UserLogin(username, password string, saveKey bool) (resp *Log
 		return nil, err
 	}
 	if saveKey {
-		p.apiKey = resp.APIKey
+		p.APIKey = resp.APIKey
 	}
 	return resp, nil
 }
--- a/webcontroller/templates.go
+++ b/webcontroller/templates.go
@@ -64,7 +64,10 @@ func (wc *WebController) newTemplateData(w http.ResponseWriter, r *http.Request)
 			log.Debug("Session check for key '%s' failed: %s", key, err)

 			if err.Error() == "authentication_required" || err.Error() == "authentication_failed" {
-				// This key is invalid, delete it
+				// Disable API authentication
+				t.PixelAPI.APIKey = ""
+
+				// Remove the authentication cookie
 				log.Debug("Deleting invalid API key")
 				http.SetCookie(w, &http.Cookie{
 					Name:    "pd_auth_key",
--- a/webcontroller/user_account.go
+++ b/webcontroller/user_account.go
@@ -173,11 +173,13 @@ func (wc *WebController) loginForm(td *TemplateData, r *http.Request) (f Form) {
 			f.SubmitSuccess = true
 			f.SubmitMessages = []template.HTML{"Success!"}
 			f.Extra.SetCookie = &http.Cookie{
-				Name:    "pd_auth_key",
-				Value:   loginResp.APIKey,
-				Path:    "/",
-				Expires: time.Now().AddDate(50, 0, 0),
-				Domain:  wc.sessionCookieDomain,
+				Name:     "pd_auth_key",
+				Value:    loginResp.APIKey,
+				Path:     "/",
+				Expires:  time.Now().AddDate(50, 0, 0),
+				Domain:   wc.sessionCookieDomain,
+				SameSite: http.SameSiteStrictMode,
+				Secure:   true,
 			}
 			f.Extra.RedirectTo = "/user"
 		}