Remove login information from update request

Removed the username and password in the GET /update request. The endpoint does not require authentication and it is unsafe to transmit login credentials over GET requests.
Support SSE for source updates
2025-04-12 23:00:24 +02:00 · 2025-04-12 22:59:48 +02:00
1 changed files with 7 additions and 20 deletions
--- a/shared/src/commonMain/kotlin/bou/amine/apps/readerforselfossv2/rest/SelfossApi.kt
+++ b/shared/src/commonMain/kotlin/bou/amine/apps/readerforselfossv2/rest/SelfossApi.kt
@ -19,6 +19,7 @@ import io.ktor.client.plugins.cookies.HttpCookies
 import io.ktor.client.plugins.logging.LogLevel
 import io.ktor.client.plugins.logging.Logger
 import io.ktor.client.plugins.logging.Logging
 import io.ktor.client.plugins.sse.SSE
 import io.ktor.client.request.get
 import io.ktor.client.request.headers
 import io.ktor.client.request.parameter
@ -89,6 +90,7 @@ class SelfossApi(
                    }
                }
            }
            install(SSE)
            expectSuccess = false
        }
@ -363,26 +365,11 @@ class SelfossApi(
    suspend fun update(): StatusAndData<String> =
        bodyOrFailure(
            client.tryToGet(url("/update")) {
-                if (!shouldHavePostLogin()) {
+                headers {
-                    parameter("username", appSettingsService.getUserName())
+                    append(
-                    parameter("password", appSettingsService.getPassword())
+                        HttpHeaders.Accept,
-                }
+                        "text/event-stream",
-                if (appSettingsService
+                    )
                        .getBasicUserName()
                        .isNotEmpty() &&
                    appSettingsService.getBasicPassword().isNotEmpty()
                ) {
                    headers {
                        append(
                            HttpHeaders.Authorization,
                            constructBasicAuthValue(
                                BasicAuthCredentials(
                                    username = appSettingsService.getBasicUserName(),
                                    password = appSettingsService.getBasicPassword(),
                                ),
                            ),
                        )
                    }
                }
            },
        )
Author	SHA1	Message	Date
davidoskky	4b9899c04e	Remove login information from update request All checks were successful Check PR code / translations (pull_request) Successful in 30s Details Check PR code / Lint (pull_request) Successful in 38s Details Check PR code / build (pull_request) Successful in 24s Details Removed the username and password in the GET /update request. The endpoint does not require authentication and it is unsafe to transmit login credentials over GET requests.	2025-04-12 23:00:24 +02:00
davidoskky	e9e2b6415f	Support SSE for source updates This uses the Server Side Events added in Selfoss API 6.1.0 when calling GET /update This change only supports the new response format but provides no change for the users. The older versions are still supported.	2025-04-12 22:59:48 +02:00