allowed credentials through cors, fixed panic on no auth

1 year ago · f19951df4f
2 changed files with 3 additions and 4 deletions
--- a/server/src/main.rs
+++ b/server/src/main.rs
@ -99,7 +99,7 @@ async fn main() -> Result<(), LemmyError> {

    let cors = Cors::default()
      .allow_any_origin()
-      .send_wildcard()
+      .supports_credentials()
      .allowed_methods(vec!["GET", "POST", "PUT", "OPTIONS"])
      .allow_any_header()
      .max_age(3600);
--- a/server/src/routes/images.rs
+++ b/server/src/routes/images.rs
@ -49,10 +49,9 @@ async fn upload(
 ) -> Result<HttpResponse, Error> {
  // TODO: check rate limit here
  let jwt = req
-    .cookie("jwt")
-    .expect("No auth header for picture upload");
+    .cookie("jwt");

-  if Claims::decode(jwt.value()).is_err() {
+  if jwt.is_none() || Claims::decode(jwt.unwrap().value()).is_err() {
    return Ok(HttpResponse::Unauthorized().finish());
  };