From d81b281d18b8cb00328478c55ec893d4a409b2ca Mon Sep 17 00:00:00 2001
From: Felix Ableitner
Date: Mon, 13 Jan 2025 16:31:05 +0100
Subject: [PATCH] Check all auth headers and cookies for valid token

---
 src/backend/api/mod.rs | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/backend/api/mod.rs b/src/backend/api/mod.rs
index 3796db3..b5f9f38 100644
--- a/src/backend/api/mod.rs
+++ b/src/backend/api/mod.rs
@@ -37,6 +37,7 @@ use axum::{
 use axum_extra::extract::CookieJar;
 use axum_macros::debug_handler;
 use instance::list_remote_instances;
+use std::collections::HashSet;
 use user::{count_notifications, list_notifications, update_user_profile};
 
 pub mod article;
@@ -78,15 +79,24 @@ async fn auth(
     mut request: Request,
     next: Next,
 ) -> Result {
-    let auth = request
+    // Check all duplicate auth headers and cookies for the first valid one.
+    let auth: HashSet<_> = request
         .headers()
-        .get(AUTH_COOKIE)
-        .and_then(|h| h.to_str().ok())
-        .or(jar.get(AUTH_COOKIE).map(|c| c.value()));
+        .get_all(AUTH_COOKIE)
+        .into_iter()
+        .filter_map(|h| h.to_str().ok())
+        .chain(
+            jar.iter()
+                .filter(|c| c.name() == AUTH_COOKIE)
+                .map(|c| c.value()),
+        )
+        .map(|s| s.to_string())
+        .collect();
 
-    if let Some(auth) = auth {
-        if let Ok(user) = validate(auth, &data).await {
+    for a in &auth {
+        if let Ok(user) = validate(a, &data).await {
             request.extensions_mut().insert(user);
+            continue;
         }
     }
     let response = next.run(request).await;
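Review bot: The `for a in &auth` loop in the second hunk keeps validating after a success, so the added `continue;` is a no-op and the comment's "first valid one" is not what the code does: each later successful `validate` overwrites the `user` extension, and with two valid tokens for different users the identity the request runs as depends on `HashSet` iteration order. Change `continue;` to `break;` so the first successful lookup wins and the remaining candidates are not sent to `validate`. Because `HashSet` has no stable order, consider collecting into a `Vec` with a seen-set instead, so precedence is header-before-cookie rather than arbitrary, and capping the number of candidates so a request carrying many distinct values cannot trigger an unbounded number of `validate` calls. The `auth` function's signature begins before the hunk and its body continues after it; `jar`, `data` and `validate` are not visible here.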