From 8c122e1ff7ca2a3d9454e7cd89b2ed7363457137 Mon Sep 17 00:00:00 2001
From: Eicke Hauck
Date: Wed, 5 May 2021 12:24:47 +0200
Subject: [PATCH] Removed checking of bearer token in favor of the login cookie for authorizing web interface requests
---
 middleware/middleware.go | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/middleware/middleware.go b/middleware/middleware.go
index 0ad5e33e..817ca16d 100644
--- a/middleware/middleware.go
+++ b/middleware/middleware.go
@@ -71,8 +71,7 @@ func GetContext(handler http.Handler) http.HandlerFunc {
 	}
 }
 
-// RequireAPIKey ensures that a valid API key is set as either the api_key GET
-// parameter, or a Bearer token.
+// RequireAPIKey ensures that a valid API key or login cookie is set
 func RequireAPIKey(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
@@ -84,13 +83,11 @@ func RequireAPIKey(handler http.Handler) http.Handler {
 		}
 		r.ParseForm()
 		ak := r.Form.Get("api_key")
-		// If we can't get the API key, we'll also check for the
-		// Authorization Bearer token
+		// If we can't get the API key, we'll also check if user is logged in
+		// via the web interface
 		if ak == "" {
-			tokens, ok := r.Header["Authorization"]
-			if ok && len(tokens) >= 1 {
-				ak = tokens[0]
-				ak = strings.TrimPrefix(ak, "Bearer ")
+			if u := ctx.Get(r, "user"); u != nil {
+				ak = u.(models.User).ApiKey
 			}
 		}
 		if ak == "" {
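Review bot: The replacement doc comment on RequireAPIKey no longer says where the key is read from and drops the sentence's terminating period, while the body still reads `r.Form.Get("api_key")` first and only then consults the logged-in user. I would write `// RequireAPIKey ensures that a valid API key is set, either as the api_key form parameter or via the API key of the user logged in through the web interface.` so the comment matches the two sources the code actually checks. The function body continues past the end of this hunk.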
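Review bot: The new fallback `ak = u.(models.User).ApiKey` is an unchecked type assertion, so any non-nil value stored under the "user" key that is not exactly `models.User` (a pointer, for instance) panics the handler instead of reaching the `if ak == ""` check below; the comma-ok form `if u, ok := ctx.Get(r, "user").(models.User); ok { ak = u.ApiKey }` keeps the same behavior for the expected type and falls through otherwise. Separately, this branch now authorizes API calls on the ambient login cookie rather than a header the client had to attach explicitly, which means every route behind RequireAPIKey is reachable by a cross-site form post that carries that cookie unless those routes are also covered by CSRF validation — the hunk alone does not show where the middleware is mounted, so that is worth confirming. If `strings.TrimPrefix` was the only use of `strings` in this file, the import is now unused and the file will not compile, and the patch does not touch the import block. The enclosing handler starts before and continues after this hunk.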