| 94 | } |
| 95 | |
| 96 | func isNoAuthPath(path string, metricsWithoutAuth bool) bool { |
| 97 | // Local variable instead of module var to prevent accidental mutation |
| 98 | noAuthPaths := []string{ |
| 99 | "/", |
| 100 | "/index.html", |
| 101 | "/modal.html", |
| 102 | "/rest/svc/lang", // Required to load language settings on login page |
| 103 | } |
| 104 | |
| 105 | if metricsWithoutAuth { |
| 106 | noAuthPaths = append(noAuthPaths, "/metrics") |
| 107 | } |
| 108 | |
| 109 | // Local variable instead of module var to prevent accidental mutation |
| 110 | noAuthPrefixes := []string{ |
| 111 | // Static assets |
| 112 | "/assets/", |
| 113 | "/syncthing/", |
| 114 | "/vendor/", |
| 115 | "/theme-assets/", // This leaks information from config, but probably not sensitive |
| 116 | |
| 117 | // No-auth API endpoints |
| 118 | "/rest/noauth", |
| 119 | } |
| 120 | |
| 121 | return slices.Contains(noAuthPaths, path) || |
| 122 | slices.ContainsFunc(noAuthPrefixes, func(prefix string) bool { |
| 123 | return strings.HasPrefix(path, prefix) |
| 124 | }) |
| 125 | } |
| 126 | |
| 127 | type basicAuthAndSessionMiddleware struct { |
| 128 | tokenCookieManager *tokenCookieManager |