From 0e47d37e738d4c15736c496e01cd949afb372e71 Mon Sep 17 00:00:00 2001
From: Emil Lundberg
Date: Sun, 8 Oct 2023 20:12:39 +0200
Subject: [PATCH] Check basic auth (and set session cookie) before noauth exceptions

This enables logging in by simply making a GET request to `/` with the `Authorization` header.
---
 lib/api/api_auth.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/api/api_auth.go b/lib/api/api_auth.go
index ee3bb88e6..76914d387 100644
--- a/lib/api/api_auth.go
+++ b/lib/api/api_auth.go
@@ -87,12 +87,6 @@ func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfigura
  return
  }
 
- // Exception for static assets and REST calls that don't require authentication.
- if isNoAuthPath(r.URL.Path) {
- next.ServeHTTP(w, r)
- return
- }
-
  cookie, err := r.Cookie(cookieName)
  if err == nil && cookie != nil {
  sessionsMut.Lock()
@@ -111,6 +105,12 @@ func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfigura
  return
  }
 
+ // Exception for static assets and REST calls that don't require authentication.
+ if isNoAuthPath(r.URL.Path) {
+ next.ServeHTTP(w, r)
+ return
+ }
+
  // Some browsers don't send the Authorization request header unless prompted by a 401 response.
  // This enables https://user:pass@localhost style URLs to keep working.
  if guiCfg.SendBasicAuthPrompt {
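Review bot: The relocated `isNoAuthPath` exemption in the second hunk now runs after the session-cookie lookup and the credential check, so requests for static assets and no-auth REST paths pass through both before being served, and the moved comment does not say that this order is deliberate. The credential check sits between the two hunks and is not visible here; if it hashes the password or records failed-login events, an unauthenticated request to a no-auth path that carries a bad `Authorization` header would now trigger that work and still be served, which is worth confirming and pinning with a test. I would extend the comment to something like `// Must come after the session and basic auth checks so that credentials sent to a no-auth path still create a session; failed credentials fall through and the path is served anyway.` The enclosing function starts and ends outside the hunk.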