From 7a402409f15f888e38ca0fef489d5ad369e8a9ac Mon Sep 17 00:00:00 2001
From: Eric P <eric@kastelo.net>
Date: Thu, 6 Oct 2022 21:28:49 +0200
Subject: [PATCH] lib/api: Add /rest/noauth/health health-check (fixes #8430) 
 (#8585)

---
 lib/api/api.go      | 5 +++++
 lib/api/api_auth.go | 6 ++++++
 lib/api/api_csrf.go | 7 +++++++
 3 files changed, 18 insertions(+)

diff --git a/lib/api/api.go b/lib/api/api.go
index 5ca8f5215..03420c5a5 100644
--- a/lib/api/api.go
+++ b/lib/api/api.go
@@ -258,6 +258,7 @@ func (s *service) Serve(ctx context.Context) error {
 	restMux.HandlerFunc(http.MethodGet, "/rest/folder/pullerrors", s.getFolderErrors)         // folder (deprecated)
 	restMux.HandlerFunc(http.MethodGet, "/rest/events", s.getIndexEvents)                     // [since] [limit] [timeout] [events]
 	restMux.HandlerFunc(http.MethodGet, "/rest/events/disk", s.getDiskEvents)                 // [since] [limit] [timeout]
+	restMux.HandlerFunc(http.MethodGet, "/rest/noauth/health", s.getHealth)                   // -
 	restMux.HandlerFunc(http.MethodGet, "/rest/stats/device", s.getDeviceStats)               // -
 	restMux.HandlerFunc(http.MethodGet, "/rest/stats/folder", s.getFolderStats)               // -
 	restMux.HandlerFunc(http.MethodGet, "/rest/svc/deviceid", s.getDeviceID)                  // id
@@ -1565,6 +1566,10 @@ func (s *service) postDBPrio(w http.ResponseWriter, r *http.Request) {
 	s.getDBNeed(w, r)
 }
 
+func (*service) getHealth(w http.ResponseWriter, _ *http.Request) {
+	sendJSON(w, map[string]string{"status": "OK"})
+}
+
 func (*service) getQR(w http.ResponseWriter, r *http.Request) {
 	var qs = r.URL.Query()
 	var text = qs.Get("text")
diff --git a/lib/api/api_auth.go b/lib/api/api_auth.go
index 70add9a95..e84ae645e 100644
--- a/lib/api/api_auth.go
+++ b/lib/api/api_auth.go
@@ -44,6 +44,12 @@ func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfigura
 			return
 		}
 
+		// Exception for REST calls that don't require authentication.
+		if strings.HasPrefix(r.URL.Path, "/rest/noauth") {
+			next.ServeHTTP(w, r)
+			return
+		}
+
 		cookie, err := r.Cookie(cookieName)
 		if err == nil && cookie != nil {
 			sessionsMut.Lock()
diff --git a/lib/api/api_csrf.go b/lib/api/api_csrf.go
index 97e0f3357..b597c2e49 100644
--- a/lib/api/api_csrf.go
+++ b/lib/api/api_csrf.go
@@ -74,6 +74,13 @@ func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if strings.HasPrefix(r.URL.Path, "/rest/noauth") {
+		// REST calls that don't require authentication also do not
+		// need a CSRF token.
+		m.next.ServeHTTP(w, r)
+		return
+	}
+
 	// Allow requests for anything not under the protected path prefix,
 	// and set a CSRF cookie if there isn't already a valid one.
 	if !strings.HasPrefix(r.URL.Path, m.prefix) {