mirror of
https://github.com/syncthing/syncthing.git
synced 2025-12-23 22:18:14 -05:00
This adds our short device ID to the basic auth realm. This has at least two consequences:

- It is different from what's presented by another device on the same address (e.g., if I use SSH forwards to different devices on the same local address), preventing credentials for one from being sent to another.
- It is different from what we did previously, meaning we avoid cached credentials from old versions interfering with the new login flow.

I don't *think* there should be things that depend on our precise realm string, so this shouldn't break any existing setups...

Sneakily this also changes the session cookie and CSRF name, because I think `id.Short().String()` is nicer than `id.String()[:5]` and the short ID is two characters longer. That's also not a problem...
@@ -173,7 +173,7 @@ func TestHTTPPOSTWithoutCSRF(t *testing.T) {
|
||||
}
|
||||
res.Body.Close()
|
||||
hdr := res.Header.Get("Set-Cookie")
|
||||
id := res.Header.Get("X-Syncthing-ID")[:5]
|
||||
id := res.Header.Get("X-Syncthing-ID")[:protocol.ShortIDStringLength]
|
||||
if !strings.Contains(hdr, "CSRF-Token") {
|
||||
t.Error("Missing CSRF-Token in", hdr)
|
||||
}
|
||||
|
||||
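Review bot: On the changed line `id := res.Header.Get("X-Syncthing-ID")[:protocol.ShortIDStringLength]`, the slice is taken without a length check, so a missing or too-short X-Syncthing-ID header panics with a slice-bounds error instead of producing a readable test failure. Read the header into a variable first, call t.Fatal if it is shorter than protocol.ShortIDStringLength, and only then slice. The hunk shows no import change, so confirm that this test file already imports the protocol package. Slicing the full ID string also assumes that its prefix matches what `id.Short().String()` yields for the cookie and CSRF names described in the commit message; a one-line comment stating that assumption would make the test easier to maintain.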