diff --git a/lib/api/api_auth.go b/lib/api/api_auth.go index ee3bb88e6..76914d387 100644 --- a/lib/api/api_auth.go +++ b/lib/api/api_auth.go @@ -87,12 +87,6 @@ func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfigura return } - // Exception for static assets and REST calls that don't require authentication. - if isNoAuthPath(r.URL.Path) { - next.ServeHTTP(w, r) - return - } - cookie, err := r.Cookie(cookieName) if err == nil && cookie != nil { sessionsMut.Lock() @@ -111,6 +105,12 @@ func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfigura return } + // Exception for static assets and REST calls that don't require authentication. + if isNoAuthPath(r.URL.Path) { + next.ServeHTTP(w, r) + return + } + // Some browsers don't send the Authorization request header unless prompted by a 401 response. // This enables https://user:pass@localhost style URLs to keep working. if guiCfg.SendBasicAuthPrompt {