Improve caching, HTTP headers and URL handling (#3594)

* Fix relative URLs * Improve login base URL and redirects * Prevent duplicate customlocales requests * Improve UI base URL handling * Improve UI embedding * Improve CSP header * Add Cache-Control headers to all responses * Improve CORS responses * Improve authentication handler * Add back media timestamp suffixes * Fix default image handling * Add default param to other image URLs
2025-12-17 12:24:38 +03:00 · 2023-04-19 05:01:32 +02:00
parent 87abe8c38c
commit b4b7cf02b6
74 changed files with 808 additions and 782 deletions
--- a/internal/api/authentication.go
+++ b/internal/api/authentication.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"path"
 	"strings"

 	"github.com/stashapp/stash/internal/manager"
@@ -13,11 +14,6 @@ import (
 	"github.com/stashapp/stash/pkg/session"
 )

-const (
-	loginEndPoint  = "/login"
-	logoutEndPoint = "/logout"
-)
-
 const (
 	tripwireActivatedErrMsg = "Stash is exposed to the public internet without authentication, and is not serving any more content to protect your privacy. " +
 		"More information and fixes are available at https://docs.stashapp.cc/networking/authentication-required-when-accessing-stash-from-the-internet"
@@ -30,7 +26,7 @@ const (

 func allowUnauthenticated(r *http.Request) bool {
 	// #2715 - allow access to UI files
-	return strings.HasPrefix(r.URL.Path, loginEndPoint) || r.URL.Path == logoutEndPoint || r.URL.Path == "/css" || strings.HasPrefix(r.URL.Path, "/assets")
+	return strings.HasPrefix(r.URL.Path, loginEndpoint) || r.URL.Path == logoutEndpoint || r.URL.Path == "/css" || strings.HasPrefix(r.URL.Path, "/assets")
 }

 func authenticateHandler() func(http.Handler) http.Handler {
@@ -38,38 +34,41 @@ func authenticateHandler() func(http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			c := config.GetInstance()

-			if !checkSecurityTripwireActivated(c, w) {
+			// error if external access tripwire activated
+			if accessErr := session.CheckExternalAccessTripwire(c); accessErr != nil {
+				http.Error(w, tripwireActivatedErrMsg, http.StatusForbidden)
 				return
 			}

 			userID, err := manager.GetInstance().SessionStore.Authenticate(w, r)
 			if err != nil {
 				if errors.Is(err, session.ErrUnauthorized) {
-					w.WriteHeader(http.StatusInternalServerError)
-					_, err = w.Write([]byte(err.Error()))
-					if err != nil {
-						logger.Error(err)
-					}
+					http.Error(w, err.Error(), http.StatusInternalServerError)
 					return
 				}

 				// unauthorized error
-				w.Header().Add("WWW-Authenticate", `FormBased`)
+				w.Header().Add("WWW-Authenticate", "FormBased")
 				w.WriteHeader(http.StatusUnauthorized)
 				return
 			}

 			if err := session.CheckAllowPublicWithoutAuth(c, r); err != nil {
-				var externalAccess session.ExternalAccessError
-				switch {
-				case errors.As(err, &externalAccess):
-					securityActivateTripwireAccessedFromInternetWithoutAuth(c, externalAccess, w)
-					return
-				default:
+				var accessErr session.ExternalAccessError
+				if errors.As(err, &accessErr) {
+					session.LogExternalAccessError(accessErr)
+
+					err := c.ActivatePublicAccessTripwire(net.IP(accessErr).String())
+					if err != nil {
+						logger.Errorf("Error activating public access tripwire: %v", err)
+					}
+
+					http.Error(w, externalAccessErrMsg, http.StatusForbidden)
+				} else {
 					logger.Errorf("Error checking external access security: %v", err)
 					w.WriteHeader(http.StatusInternalServerError)
-					return
 				}
+				return
 			}

 			ctx := r.Context()
@@ -77,15 +76,15 @@ func authenticateHandler() func(http.Handler) http.Handler {
 			if c.HasCredentials() {
 				// authentication is required
 				if userID == "" && !allowUnauthenticated(r) {
-					// authentication was not received, redirect
-					// if graphql was requested, we just return a forbidden error
-					if r.URL.Path == "/graphql" {
-						w.Header().Add("WWW-Authenticate", `FormBased`)
+					// if graphql or a non-webpage was requested, we just return a forbidden error
+					ext := path.Ext(r.URL.Path)
+					if r.URL.Path == gqlEndpoint || (ext != "" && ext != ".html") {
+						w.Header().Add("WWW-Authenticate", "FormBased")
 						w.WriteHeader(http.StatusUnauthorized)
 						return
 					}

-					prefix := getProxyPrefix(r.Header)
+					prefix := getProxyPrefix(r)

 					// otherwise redirect to the login page
 					returnURL := url.URL{
@@ -95,7 +94,7 @@ func authenticateHandler() func(http.Handler) http.Handler {
 					q := make(url.Values)
 					q.Set(returnURLParam, returnURL.String())
 					u := url.URL{
-						Path:     prefix + "/login",
+						Path:     prefix + loginEndpoint,
 						RawQuery: q.Encode(),
 					}
 					http.Redirect(w, r, u.String(), http.StatusFound)
@@ -111,31 +110,3 @@ func authenticateHandler() func(http.Handler) http.Handler {
 		})
 	}
 }
-
-func checkSecurityTripwireActivated(c *config.Instance, w http.ResponseWriter) bool {
-	if accessErr := session.CheckExternalAccessTripwire(c); accessErr != nil {
-		w.WriteHeader(http.StatusForbidden)
-		_, err := w.Write([]byte(tripwireActivatedErrMsg))
-		if err != nil {
-			logger.Error(err)
-		}
-		return false
-	}
-
-	return true
-}
-
-func securityActivateTripwireAccessedFromInternetWithoutAuth(c *config.Instance, accessErr session.ExternalAccessError, w http.ResponseWriter) {
-	session.LogExternalAccessError(accessErr)
-
-	err := c.ActivatePublicAccessTripwire(net.IP(accessErr).String())
-	if err != nil {
-		logger.Error(err)
-	}
-
-	w.WriteHeader(http.StatusForbidden)
-	_, err = w.Write([]byte(externalAccessErrMsg))
-	if err != nil {
-		logger.Error(err)
-	}
-}