Set session cookie for UI requests with Bearer Authorization

[bt90]

See previous discussion in syncthing/syncthing-android#1982 (comment)

Currently, the app uses a rather ugly hack to open the web UI without prompting for credentials. During startup the username and password is always reset, which tends to confuse users as in syncthing/syncthing-android#1710

This is only necessary because the WebView previously relied only on intercepting the HTTP basic auth prompt. With the changes in syncthing/syncthing-android#1982 we can send any HTTP header in the initial request.

My suggestion would be to change the app to use bearer authorization with the API key as described in https://docs.syncthing.net/dev/rest.html#api-key. While this works for the first request to /, it doesn't set a session cookie, which is necessary for subsequent requests because they lack the initial header.

As this would also affect calls to the REST API, we could exempt them or limit this to / and /index.html.

Pseudo code:

if hasValidAPIKeyHeader(r, guiCfg) {
		
	if isUIPath(r.URL.Path) {
	    createApiKeySession(cookieName, guiCfg, w, r)
	}
	
	next.ServeHTTP(w, r)
	return
}

[calmh]

I see no real use case for this; adding further layers of ugly hacks to support weirdness in the Android wrapper is not appealing. Why doesn't the app just make a login request, get a cookie like the UI does, and set that cookie in the header?

[bt90]

Why doesn't the app just make a login request, get a cookie like the UI does, and set that cookie in the header?

That's roughly the gist of syncthing/syncthing-android#1982. We send basic auth credentials in the initial request and rely on the session cookie afterwards.

I see no real use case for this; adding further layers of ugly hacks to support weirdness in the Android wrapper is not appealing.

IMHO, it's odd that the app or any other wrapper has to either keep authentication disabled or (ab)use credentials intended for an interactive user login.

Using the API key is dead simple as it only requires read access to the configuration to retrieve the current value. The user is free to alter his credentials and also the key itself.

This obviously doesn't work with credentials as the password is hashed and needs to be reset by the wrapper if changed.

[calmh]

The web UI is interactive usage. The API key is for API usage. I don't think mixing the two is particularly great. I don't know why the Android app does what it does and has the problems it has, as opposed to other integrations on other platforms.

[emlun]

I think that most use of the Android app if unaffected by the web API changes, but the app also includes the option to launch the upstream Syncthing web UI in a WebView (to access features that are available in the upstream UI but not in the Android app UI), which is partially siloed off from the rest of the app as I understand it. So while the app can use the API key for most things, the WebView is a bit different.

But I think that once we get #8417 revived and merged, there could be a somewhat okay solution that needs no further changes in upstream Syncthing. With Webauthn support, the Android app could implement a software authenticator and exercise the API to pre-authenticate and retrieve a session cookie. Assuming that session cookie can then be injected into the WebView, the password/API key hack should then no longer be necessary.

[emlun]

And to perhaps answer this question a little more thoroughly:

Why doesn't the app just make a login request, get a cookie like the UI does, and set that cookie in the header?

Because

1. Authentication with the API key (X-Api-Key or Authorization: Bearer header) does not return a session cookie.
2. (Automatic) authentication with password (HTML form or Authorization: Basic header) is "not possible" because the password is not stored in cleartext.
   • Which is why the app abuses the password by resetting it to equal the API key, so the API key can be used "as a password" to exchange for a session cookie.

But as noted, #8417 would add a third option which could be performed automatically and still receive a session cookie.