webapp: Explicitly avoid checking for auth in static subsite requests.

Yesod didn't used to do auth checks for that, but this may have changed.
I don't have a way to reproduce the reported problem yet, but this change
certianly won't hurt anything.

This commit was sponsored by Thom May on Patreon.

Assistant/WebApp/Types.hs

@@ -48,17 +48,17 @@ data WebApp = WebApp
 	}
 
 mkYesodData "WebApp" $(parseRoutesFile "Assistant/WebApp/routes")
+	  
+excludeStatic [] = True
+excludeStatic (p:_) = p /= "static"
 
 instance Yesod WebApp where
 	{- Require an auth token be set when accessing any (non-static) route -}
-	isAuthorized _ _ = checkAuthToken authToken
+	isAuthorized r _ = checkAuthToken authToken r excludeStatic
 
 	{- Add the auth token to every url generated, except static subsite
 	 - urls (which can show up in Permission Denied pages). -}
 	joinPath = insertAuthToken authToken excludeStatic
-	  where
-		excludeStatic [] = True
-		excludeStatic (p:_) = p /= "static"
 
 	makeSessionBackend = webAppSessionBackend
 	jsLoader _ = BottomOfHeadBlocking

CHANGELOG

@@ -13,6 +13,9 @@ git-annex (6.20161032) UNRELEASED; urgency=medium
   * reinject --known: Avoid second, unncessary checksum of file.
   * OSX: Remove RPATHs from git-annex binary, which are not needed,
     slow down startup, and break the OSX Sierra linker.
+  * webapp: Explicitly avoid checking for auth in static subsite
+    requests. Yesod didn't used to do auth checks for that, but this may
+    have changed.
 
  -- Joey Hess <id@joeyh.name>  Tue, 01 Nov 2016 14:02:06 -0400
 

Utility/WebApp.hs

@@ -182,15 +182,20 @@ genAuthToken = do
  -
  - Note that the usual Yesod error page is bypassed on error, to avoid
  - possibly leaking the auth token in urls on that page!
+ -
+ - If the predicate does not match the route, the auth parameter is not
+ - needed.
  -}
-checkAuthToken :: Yesod.MonadHandler m => (Yesod.HandlerSite m -> AuthToken) -> m Yesod.AuthResult
+checkAuthToken :: Yesod.MonadHandler m => Yesod.RenderRoute site => (Yesod.HandlerSite m -> AuthToken) -> Yesod.Route site -> ([T.Text] -> Bool) -> m Yesod.AuthResult
-checkAuthToken extractAuthToken = do
+checkAuthToken extractAuthToken r predicate
-	webapp <- Yesod.getYesod
+	| not (predicate (fst (Yesod.renderRoute r))) = return Yesod.Authorized
-	req <- Yesod.getRequest
+	| otherwise = do
-	let params = Yesod.reqGetParams req
+		webapp <- Yesod.getYesod
-	if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
+		req <- Yesod.getRequest
-		then return Yesod.Authorized
+		let params = Yesod.reqGetParams req
-		else Yesod.sendResponseStatus unauthorized401 ()
+		if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
+			then return Yesod.Authorized
+			else Yesod.sendResponseStatus unauthorized401 ()
 
 {- A Yesod joinPath method, which adds an auth cgi parameter to every
  - url matching a predicate, containing a token extracted from the

doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment

@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2016-11-10T17:30:57Z"
+ content="""
+I don't reproduce the problem here. From where did you install git-annex?
+
+This seems likely to have something to do with the version of yesod it was
+built against.
+
+No session cookie is used; the auth token is not supposed to be needed when
+accessing urls under `/static/`. Looking at the code, this was not done
+explicitly; it seems to have relied on yesod not checking for authorization
+for static site parts. I've committed a change, to explicitly skip auth for
+`/static/` but without being able to reproduce the problem, can't test it.
+"""]]