webapp: Explicitly avoid checking for auth in static subsite requests.

Yesod didn't used to do auth checks for that, but this may have changed.
I don't have a way to reproduce the reported problem yet, but this change
certianly won't hurt anything.

This commit was sponsored by Thom May on Patreon.

1 files changed, 13 insertions, 8 deletions

diff --git a/Utility/WebApp.hs b/Utility/WebApp.hs
index cff5b268e..63ca33520 100644
--- a/Utility/WebApp.hs
+++ b/Utility/WebApp.hs
@@ -182,15 +182,20 @@ genAuthToken = do
  -
  - Note that the usual Yesod error page is bypassed on error, to avoid
  - possibly leaking the auth token in urls on that page!
+ -
+ - If the predicate does not match the route, the auth parameter is not
+ - needed.
  -}
-checkAuthToken :: Yesod.MonadHandler m => (Yesod.HandlerSite m -> AuthToken) -> m Yesod.AuthResult
-checkAuthToken extractAuthToken = do
-	webapp <- Yesod.getYesod
-	req <- Yesod.getRequest
-	let params = Yesod.reqGetParams req
-	if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
-		then return Yesod.Authorized
-		else Yesod.sendResponseStatus unauthorized401 ()
+checkAuthToken :: Yesod.MonadHandler m => Yesod.RenderRoute site => (Yesod.HandlerSite m -> AuthToken) -> Yesod.Route site -> ([T.Text] -> Bool) -> m Yesod.AuthResult
+checkAuthToken extractAuthToken r predicate
+	| not (predicate (fst (Yesod.renderRoute r))) = return Yesod.Authorized
+	| otherwise = do
+		webapp <- Yesod.getYesod
+		req <- Yesod.getRequest
+		let params = Yesod.reqGetParams req
+		if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
+			then return Yesod.Authorized
+			else Yesod.sendResponseStatus unauthorized401 ()
 
 {- A Yesod joinPath method, which adds an auth cgi parameter to every
  - url matching a predicate, containing a token extracted from the