Prioritize auth header compared to auth cookie

back/src/Kyoo.Authentication/AuthenticationModule.cs

@@ -29,6 +29,7 @@ using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Primitives;
 using Microsoft.IdentityModel.Tokens;
 
 namespace Kyoo.Authentication
@@ -69,12 +70,8 @@ namespace Kyoo.Authentication
 			PermissionOption options =
 				new()
 				{
-					Default = _configuration
+					Default = _configuration.GetValue("UNLOGGED_PERMISSIONS", "")!.Split(',').Where(x => x.Length > 0).ToArray(),
-						.GetValue("UNLOGGED_PERMISSIONS", "overall.read,overall.play")!
+					NewUser = _configuration.GetValue("DEFAULT_PERMISSIONS", "overall.read,overall.play")!.Split(','),
-						.Split(','),
-					NewUser = _configuration
-						.GetValue("DEFAULT_PERMISSIONS", "overall.read,overall.play")!
-						.Split(','),
 					RequireVerification = _configuration.GetValue(
 						"REQUIRE_ACCOUNT_VERIFICATION",
 						true
@@ -141,7 +138,6 @@ namespace Kyoo.Authentication
 				new AuthenticationOption() { Secret = secret, Permissions = options, }
 			);
 
-			// TODO handle direct-videos with bearers (probably add a cookie and a app.Use to translate that for videos)
 			services
 				.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 				.AddJwtBearer(options =>
@@ -150,6 +146,18 @@ namespace Kyoo.Authentication
 					{
 						OnMessageReceived = (ctx) =>
 						{
+							string prefix = "Bearer ";
+							if (
+								ctx.Request.Headers.TryGetValue(
+									"Authorization",
+									out StringValues val
+								)
+								&& val.ToString() is string auth
+								&& auth.StartsWith(prefix)
+							)
+							{
+								ctx.Token ??= auth[prefix.Length..];
+							}
 							ctx.Token ??= ctx.Request.Cookies["X-Bearer"];
 							return Task.CompletedTask;
 						}

front/packages/models/src/login.ts

@@ -33,7 +33,7 @@ export const login = async (
 	action: "register" | "login",
 	{ apiUrl, ...body }: { username: string; password: string; email?: string; apiUrl?: string },
 ): Promise<Result<Account, string>> => {
-	apiUrl ??= getCurrentApiUrl()!;
+	if (!apiUrl || apiUrl.length === 0) apiUrl = getCurrentApiUrl()!;
 	try {
 		const controller = new AbortController();
 		setTimeout(() => controller.abort(), 5_000);
@@ -63,7 +63,7 @@ export const login = async (
 };
 
 export const oidcLogin = async (provider: string, code: string, apiUrl?: string) => {
-	apiUrl ??= getCurrentApiUrl()!;
+	if (!apiUrl || apiUrl.length === 0) apiUrl = getCurrentApiUrl()!;
 	try {
 		const token = await queryFn(
 			{

front/packages/models/src/query.tsx

@@ -50,7 +50,7 @@ export const queryFn = async <Parser extends z.ZodTypeAny>(
 	type?: Parser,
 	token?: string | null,
 ): Promise<z.infer<Parser>> => {
-	const url = context.apiUrl ?? getCurrentApiUrl();
+	const url = context.apiUrl && context.apiUrl.length > 0 ? context.apiUrl : getCurrentApiUrl();
 	lastUsedUrl = url!;
 
 	if (token === undefined && context.authenticated !== false) token = await getToken();