* auth: respond with 403 for API requests when not authenticated

2020-01-21 12:58:55 +03:00
parent b5f95fefc8
commit 080e1dd74e
3 changed files with 11 additions and 3 deletions
--- a/home/auth.go
+++ b/home/auth.go
@@ -406,8 +406,13 @@ func optionalAuth(handler func(http.ResponseWriter, *http.Request)) func(http.Re
 				}
 			}
 			if !ok {
-				w.Header().Set("Location", "/login.html")
-				w.WriteHeader(http.StatusFound)
+				if r.URL.Path == "/" || r.URL.Path == "/index.html" {
+					w.Header().Set("Location", "/login.html")
+					w.WriteHeader(http.StatusFound)
+				} else {
+					w.WriteHeader(http.StatusForbidden)
+					_, _ = w.Write([]byte("Forbidden"))
+				}
 				return
 			}
 		}