authorGravatar Joey Hess <joeyh@joeyh.name>2016-11-10 13:48:54 -0400
committerGravatar Joey Hess <joeyh@joeyh.name>2016-11-10 13:48:54 -0400
commitfa5da899d5f5637a821cf8e996f7d4571464b489 (patch)
tree4144189c8ac152b1ce0af466e34aeed5310dea54
parent0628a6a986449204cb6d847c1a6a76e5f0222984 (diff)
webapp: Explicitly avoid checking for auth in static subsite requests.
Yesod didn't use to do auth checks for that, but this may have changed. I don't have a way to reproduce the reported problem yet, but this change certainly won't hurt anything. This commit was sponsored by Thom May on Patreon.
-rw-r--r--CHANGELOG3
-rw-r--r--Utility/WebApp.hs21
-rw-r--r--doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment16
3 files changed, 32 insertions, 8 deletions
diff --git a/CHANGELOG b/CHANGELOG
index a6b734ae9..0981bc5ea 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,6 +13,9 @@ git-annex (6.20161032) UNRELEASED; urgency=medium
* reinject --known: Avoid second, unncessary checksum of file.
* OSX: Remove RPATHs from git-annex binary, which are not needed,
slow down startup, and break the OSX Sierra linker.
+ * webapp: Explicitly avoid checking for auth in static subsite
+ requests. Yesod didn't used to do auth checks for that, but this may
+ have changed.
-- Joey Hess <id@joeyh.name> Tue, 01 Nov 2016 14:02:06 -0400
diff --git a/Utility/WebApp.hs b/Utility/WebApp.hs
index cff5b268e..63ca33520 100644
--- a/Utility/WebApp.hs
+++ b/Utility/WebApp.hs
@@ -182,15 +182,20 @@ genAuthToken = do
-
- Note that the usual Yesod error page is bypassed on error, to avoid
- possibly leaking the auth token in urls on that page!
+ -
+ - If the predicate does not match the route, the auth parameter is not
+ - needed.
-}
-checkAuthToken :: Yesod.MonadHandler m => (Yesod.HandlerSite m -> AuthToken) -> m Yesod.AuthResult
-checkAuthToken extractAuthToken = do
- webapp <- Yesod.getYesod
- req <- Yesod.getRequest
- let params = Yesod.reqGetParams req
- if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
- then return Yesod.Authorized
- else Yesod.sendResponseStatus unauthorized401 ()
+checkAuthToken :: Yesod.MonadHandler m => Yesod.RenderRoute site => (Yesod.HandlerSite m -> AuthToken) -> Yesod.Route site -> ([T.Text] -> Bool) -> m Yesod.AuthResult
+checkAuthToken extractAuthToken r predicate
+ | not (predicate (fst (Yesod.renderRoute r))) = return Yesod.Authorized
+ | otherwise = do
+ webapp <- Yesod.getYesod
+ req <- Yesod.getRequest
+ let params = Yesod.reqGetParams req
+ if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
+ then return Yesod.Authorized
+ else Yesod.sendResponseStatus unauthorized401 ()
{- A Yesod joinPath method, which adds an auth cgi parameter to every
- url matching a predicate, containing a token extracted from the
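Review bot: The new guard `| not (predicate (fst (Yesod.renderRoute r))) = return Yesod.Authorized` makes `predicate` the sole authority on which routes skip the token check, yet neither the signature nor the three added comment lines say that a rejected route is served with no auth check at all, or that this must be the same predicate `joinPath` uses to add the `auth` parameter (the latter is my inference from the comment that follows the hunk). I would extend the added comment to: `- If the predicate does not match the route, the auth parameter is not needed and the request is served without any auth check, so the predicate must reject only public static resources and should be the same one given to the joinPath below.` The signature also leaves `site` unrelated to `Yesod.HandlerSite m`, so a route of some other site type could be passed by mistake; if the callers allow it, taking `Yesod.Route (Yesod.HandlerSite m)` with `Yesod.RenderRoute (Yesod.HandlerSite m)` in the context would pin the route to the handler's site. The hunk header counts (15/20) exceed the lines shown (14/19), so one context line, presumably blank, appears to have been dropped by the page, and the comment block the hunk's first lines belong to starts before the hunk.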
diff --git a/doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment b/doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment
new file mode 100644
index 000000000..eb630f364
--- /dev/null
+++ b/doc/bugs/Webapp_missing_CSS_and_JS_resources___40__401_Unauthorized__41__/comment_2_20e774c16d6978e0a1137a1e406da244._comment
@@ -0,0 +1,16 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2016-11-10T17:30:57Z"
+ content="""
+I don't reproduce the problem here. From where did you install git-annex?
+
+This seems likely to have something to do with the version of yesod it was
+built against.
+
+No session cookie is used; the auth token is not supposed to be needed when
+accessing urls under `/static/`. Looking at the code, this was not done
+explicitly; it seems to have relied on yesod not checking for authorization
+for static site parts. I've committed a change, to explicitly skip auth for
+`/static/` but without being able to reproduce the problem, can't test it.
+"""]]