all: sync with master

internal/home/auth.go

@@ -8,12 +8,14 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"path"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
+	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/timeutil"
@@ -32,7 +34,8 @@ const sessionTokenSize = 16
 
 type session struct {
 	userName string
-	expire   uint32 // expiration time (in seconds)
+	// expire is the expiration time, in seconds.
+	expire uint32
 }
 
 func (s *session) serialize() []byte {
@@ -64,29 +67,29 @@ func (s *session) deserialize(data []byte) bool {
 
 // Auth - global object
 type Auth struct {
-	db         *bbolt.DB
-	blocker    *authRateLimiter
-	sessions   map[string]*session
-	users      []User
-	lock       sync.Mutex
-	sessionTTL uint32
+	db          *bbolt.DB
+	raleLimiter *authRateLimiter
+	sessions    map[string]*session
+	users       []webUser
+	lock        sync.Mutex
+	sessionTTL  uint32
 }
 
-// User object
-type User struct {
+// webUser represents a user of the Web UI.
+type webUser struct {
 	Name         string `yaml:"name"`
-	PasswordHash string `yaml:"password"` // bcrypt hash
+	PasswordHash string `yaml:"password"`
 }
 
 // InitAuth - create a global object
-func InitAuth(dbFilename string, users []User, sessionTTL uint32, blocker *authRateLimiter) *Auth {
+func InitAuth(dbFilename string, users []webUser, sessionTTL uint32, rateLimiter *authRateLimiter) *Auth {
 	log.Info("Initializing auth module: %s", dbFilename)
 
 	a := &Auth{
-		sessionTTL: sessionTTL,
-		blocker:    blocker,
-		sessions:   make(map[string]*session),
-		users:      users,
+		sessionTTL:  sessionTTL,
+		raleLimiter: rateLimiter,
+		sessions:    make(map[string]*session),
+		users:       users,
 	}
 	var err error
 	a.db, err = bbolt.Open(dbFilename, 0o644, nil)
@@ -326,35 +329,25 @@ func newSessionToken() (data []byte, err error) {
 	return randData, nil
 }
 
-// cookieTimeFormat is the format to be used in (time.Time).Format for cookie's
-// expiry field.
-const cookieTimeFormat = "Mon, 02 Jan 2006 15:04:05 GMT"
-
-// cookieExpiryFormat returns the formatted exp to be used in cookie string.
-// It's quite simple for now, but probably will be expanded in the future.
-func cookieExpiryFormat(exp time.Time) (formatted string) {
-	return exp.Format(cookieTimeFormat)
-}
-
-func (a *Auth) httpCookie(req loginJSON, addr string) (cookie string, err error) {
-	blocker := a.blocker
-	u := a.UserFind(req.Name, req.Password)
-	if len(u.Name) == 0 {
-		if blocker != nil {
-			blocker.inc(addr)
+// newCookie creates a new authentication cookie.
+func (a *Auth) newCookie(req loginJSON, addr string) (c *http.Cookie, err error) {
+	rateLimiter := a.raleLimiter
+	u, ok := a.findUser(req.Name, req.Password)
+	if !ok {
+		if rateLimiter != nil {
+			rateLimiter.inc(addr)
 		}
 
-		return "", err
+		return nil, errors.Error("invalid username or password")
 	}
 
-	if blocker != nil {
-		blocker.remove(addr)
+	if rateLimiter != nil {
+		rateLimiter.remove(addr)
 	}
 
-	var sess []byte
-	sess, err = newSessionToken()
+	sess, err := newSessionToken()
 	if err != nil {
-		return "", err
+		return nil, fmt.Errorf("generating token: %w", err)
 	}
 
 	now := time.Now().UTC()
@@ -364,11 +357,15 @@ func (a *Auth) httpCookie(req loginJSON, addr string) (cookie string, err error)
 		expire:   uint32(now.Unix()) + a.sessionTTL,
 	})
 
-	return fmt.Sprintf(
-		"%s=%s; Path=/; HttpOnly; Expires=%s",
-		sessionCookieName, hex.EncodeToString(sess),
-		cookieExpiryFormat(now.Add(cookieTTL)),
-	), nil
+	return &http.Cookie{
+		Name:    sessionCookieName,
+		Value:   hex.EncodeToString(sess),
+		Path:    "/",
+		Expires: now.Add(cookieTTL),
+
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	}, nil
 }
 
 // realIP extracts the real IP address of the client from an HTTP request using
@@ -436,8 +433,8 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if blocker := Context.auth.blocker; blocker != nil {
-		if left := blocker.check(remoteAddr); left > 0 {
+	if rateLimiter := Context.auth.raleLimiter; rateLimiter != nil {
+		if left := rateLimiter.check(remoteAddr); left > 0 {
 			w.Header().Set("Retry-After", strconv.Itoa(int(left.Seconds())))
 			aghhttp.Error(r, w, http.StatusTooManyRequests, "auth: blocked for %s", left)
 
@@ -445,10 +442,9 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	var cookie string
-	cookie, err = Context.auth.httpCookie(req, remoteAddr)
+	cookie, err := Context.auth.newCookie(req, remoteAddr)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "crypto rand reader: %s", err)
+		aghhttp.Error(r, w, http.StatusForbidden, "%s", err)
 
 		return
 	}
@@ -462,20 +458,11 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		log.Error("auth: unknown ip")
 	}
 
-	if len(cookie) == 0 {
-		log.Info("auth: failed to login user %q from ip %v", req.Name, ip)
-
-		time.Sleep(1 * time.Second)
-
-		http.Error(w, "invalid username or password", http.StatusBadRequest)
-
-		return
-	}
-
 	log.Info("auth: user %q successfully logged in from ip %v", req.Name, ip)
 
+	http.SetCookie(w, cookie)
+
 	h := w.Header()
-	h.Set("Set-Cookie", cookie)
 	h.Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
 	h.Set("Pragma", "no-cache")
 	h.Set("Expires", "0")
@@ -484,17 +471,31 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 }
 
 func handleLogout(w http.ResponseWriter, r *http.Request) {
-	cookie := r.Header.Get("Cookie")
-	sess := parseCookie(cookie)
+	respHdr := w.Header()
+	c, err := r.Cookie(sessionCookieName)
+	if err != nil {
+		// The only error that is returned from r.Cookie is [http.ErrNoCookie].
+		// The user is already logged out.
+		respHdr.Set("Location", "/login.html")
+		w.WriteHeader(http.StatusFound)
 
-	Context.auth.RemoveSession(sess)
+		return
+	}
 
-	w.Header().Set("Location", "/login.html")
+	Context.auth.RemoveSession(c.Value)
 
-	s := fmt.Sprintf("%s=; Path=/; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
-		sessionCookieName)
-	w.Header().Set("Set-Cookie", s)
+	c = &http.Cookie{
+		Name:    sessionCookieName,
+		Value:   "",
+		Path:    "/",
+		Expires: time.Unix(0, 0),
 
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	}
+
+	respHdr.Set("Location", "/login.html")
+	respHdr.Set("Set-Cookie", c.String())
 	w.WriteHeader(http.StatusFound)
 }
 
@@ -504,101 +505,108 @@ func RegisterAuthHandlers() {
 	httpRegister(http.MethodGet, "/control/logout", handleLogout)
 }
 
-func parseCookie(cookie string) string {
-	pairs := strings.Split(cookie, ";")
-	for _, pair := range pairs {
-		pair = strings.TrimSpace(pair)
-		kv := strings.SplitN(pair, "=", 2)
-		if len(kv) != 2 {
-			continue
-		}
-		if kv[0] == sessionCookieName {
-			return kv[1]
-		}
-	}
-	return ""
-}
-
 // optionalAuthThird return true if user should authenticate first.
-func optionalAuthThird(w http.ResponseWriter, r *http.Request) (authFirst bool) {
-	authFirst = false
+func optionalAuthThird(w http.ResponseWriter, r *http.Request) (mustAuth bool) {
+	if glProcessCookie(r) {
+		log.Debug("auth: authentication is handled by GL-Inet submodule")
+
+		return false
+	}
 
 	// redirect to login page if not authenticated
-	ok := false
+	isAuthenticated := false
 	cookie, err := r.Cookie(sessionCookieName)
-
-	if glProcessCookie(r) {
-		log.Debug("auth: authentication was handled by GL-Inet submodule")
-		ok = true
-	} else if err == nil {
-		r := Context.auth.checkSession(cookie.Value)
-		if r == checkSessionOK {
-			ok = true
-		} else if r < 0 {
-			log.Debug("auth: invalid cookie value: %s", cookie)
-		}
-	} else {
-		// there's no Cookie, check Basic authentication
-		user, pass, ok2 := r.BasicAuth()
-		if ok2 {
-			u := Context.auth.UserFind(user, pass)
-			if len(u.Name) != 0 {
-				ok = true
-			} else {
+	if err != nil {
+		// The only error that is returned from r.Cookie is [http.ErrNoCookie].
+		// Check Basic authentication.
+		user, pass, hasBasic := r.BasicAuth()
+		if hasBasic {
+			_, isAuthenticated = Context.auth.findUser(user, pass)
+			if !isAuthenticated {
 				log.Info("auth: invalid Basic Authorization value")
 			}
 		}
-	}
-	if !ok {
-		if r.URL.Path == "/" || r.URL.Path == "/index.html" {
-			if glProcessRedirect(w, r) {
-				log.Debug("auth: redirected to login page by GL-Inet submodule")
-			} else {
-				w.Header().Set("Location", "/login.html")
-				w.WriteHeader(http.StatusFound)
-			}
-		} else {
-			w.WriteHeader(http.StatusForbidden)
-			_, _ = w.Write([]byte("Forbidden"))
+	} else {
+		res := Context.auth.checkSession(cookie.Value)
+		isAuthenticated = res == checkSessionOK
+		if !isAuthenticated {
+			log.Debug("auth: invalid cookie value: %s", cookie)
 		}
-		authFirst = true
 	}
 
-	return authFirst
+	if isAuthenticated {
+		return false
+	}
+
+	if p := r.URL.Path; p == "/" || p == "/index.html" {
+		if glProcessRedirect(w, r) {
+			log.Debug("auth: redirected to login page by GL-Inet submodule")
+		} else {
+			log.Debug("auth: redirected to login page")
+			w.Header().Set("Location", "/login.html")
+			w.WriteHeader(http.StatusFound)
+		}
+	} else {
+		log.Debug("auth: responded with forbidden to %s %s", r.Method, p)
+		w.WriteHeader(http.StatusForbidden)
+		_, _ = w.Write([]byte("Forbidden"))
+	}
+
+	return true
 }
 
-func optionalAuth(handler func(http.ResponseWriter, *http.Request)) func(http.ResponseWriter, *http.Request) {
+// TODO(a.garipov): Use [http.Handler] consistently everywhere throughout the
+// project.
+func optionalAuth(
+	h func(http.ResponseWriter, *http.Request),
+) (wrapped func(http.ResponseWriter, *http.Request)) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path == "/login.html" {
-			// redirect to dashboard if already authenticated
-			authRequired := Context.auth != nil && Context.auth.AuthRequired()
+		p := r.URL.Path
+		authRequired := Context.auth != nil && Context.auth.AuthRequired()
+		if p == "/login.html" {
 			cookie, err := r.Cookie(sessionCookieName)
 			if authRequired && err == nil {
-				r := Context.auth.checkSession(cookie.Value)
-				if r == checkSessionOK {
+				// Redirect to the dashboard if already authenticated.
+				res := Context.auth.checkSession(cookie.Value)
+				if res == checkSessionOK {
 					w.Header().Set("Location", "/")
 					w.WriteHeader(http.StatusFound)
 
 					return
-				} else if r == checkSessionNotFound {
-					log.Debug("auth: invalid cookie value: %s", cookie)
 				}
-			}
 
-		} else if strings.HasPrefix(r.URL.Path, "/assets/") ||
-			strings.HasPrefix(r.URL.Path, "/login.") {
-			// process as usual
-			// no additional auth requirements
-		} else if Context.auth != nil && Context.auth.AuthRequired() {
+				log.Debug("auth: invalid cookie value: %s", cookie)
+			}
+		} else if isPublicResource(p) {
+			// Process as usual, no additional auth requirements.
+		} else if authRequired {
 			if optionalAuthThird(w, r) {
 				return
 			}
 		}
 
-		handler(w, r)
+		h(w, r)
 	}
 }
 
+// isPublicResource returns true if p is a path to a public resource.
+func isPublicResource(p string) (ok bool) {
+	isAsset, err := path.Match("/assets/*", p)
+	if err != nil {
+		// The only error that is returned from path.Match is
+		// [path.ErrBadPattern].  This is a programmer error.
+		panic(fmt.Errorf("bad asset pattern: %w", err))
+	}
+
+	isLogin, err := path.Match("/login.*", p)
+	if err != nil {
+		// Same as above.
+		panic(fmt.Errorf("bad login pattern: %w", err))
+	}
+
+	return isAsset || isLogin
+}
+
 type authHandler struct {
 	handler http.Handler
 }
@@ -612,7 +620,7 @@ func optionalAuthHandler(handler http.Handler) http.Handler {
 }
 
 // UserAdd - add new user
-func (a *Auth) UserAdd(u *User, password string) {
+func (a *Auth) UserAdd(u *webUser, password string) {
 	if len(password) == 0 {
 		return
 	}
@@ -631,31 +639,35 @@ func (a *Auth) UserAdd(u *User, password string) {
 	log.Debug("auth: added user: %s", u.Name)
 }
 
-// UserFind - find a user
-func (a *Auth) UserFind(login, password string) User {
+// findUser returns a user if there is one.
+func (a *Auth) findUser(login, password string) (u webUser, ok bool) {
 	a.lock.Lock()
 	defer a.lock.Unlock()
-	for _, u := range a.users {
+
+	for _, u = range a.users {
 		if u.Name == login &&
 			bcrypt.CompareHashAndPassword([]byte(u.PasswordHash), []byte(password)) == nil {
-			return u
+			return u, true
 		}
 	}
-	return User{}
+
+	return webUser{}, false
 }
 
 // getCurrentUser returns the current user.  It returns an empty User if the
 // user is not found.
-func (a *Auth) getCurrentUser(r *http.Request) User {
+func (a *Auth) getCurrentUser(r *http.Request) (u webUser) {
 	cookie, err := r.Cookie(sessionCookieName)
 	if err != nil {
 		// There's no Cookie, check Basic authentication.
 		user, pass, ok := r.BasicAuth()
 		if ok {
-			return Context.auth.UserFind(user, pass)
+			u, _ = Context.auth.findUser(user, pass)
+
+			return u
 		}
 
-		return User{}
+		return webUser{}
 	}
 
 	a.lock.Lock()
@@ -663,20 +675,20 @@ func (a *Auth) getCurrentUser(r *http.Request) User {
 
 	s, ok := a.sessions[cookie.Value]
 	if !ok {
-		return User{}
+		return webUser{}
 	}
 
-	for _, u := range a.users {
+	for _, u = range a.users {
 		if u.Name == s.userName {
 			return u
 		}
 	}
 
-	return User{}
+	return webUser{}
 }
 
 // GetUsers - get users
-func (a *Auth) GetUsers() []User {
+func (a *Auth) GetUsers() []webUser {
 	a.lock.Lock()
 	users := a.users
 	a.lock.Unlock()

internal/home/auth_test.go

@@ -43,14 +43,14 @@ func TestAuth(t *testing.T) {
 	dir := t.TempDir()
 	fn := filepath.Join(dir, "sessions.db")
 
-	users := []User{{
+	users := []webUser{{
 		Name:         "name",
 		PasswordHash: "$2y$05$..vyzAECIhJPfaQiOK17IukcQnqEgKJHy0iETyYqxn3YXJl8yZuo2",
 	}}
 	a := InitAuth(fn, nil, 60, nil)
 	s := session{}
 
-	user := User{Name: "name"}
+	user := webUser{Name: "name"}
 	a.UserAdd(&user, "password")
 
 	assert.Equal(t, checkSessionNotFound, a.checkSession("notfound"))
@@ -84,7 +84,8 @@ func TestAuth(t *testing.T) {
 	a.storeSession(sess, &s)
 	a.Close()
 
-	u := a.UserFind("name", "password")
+	u, ok := a.findUser("name", "password")
+	assert.True(t, ok)
 	assert.NotEmpty(t, u.Name)
 
 	time.Sleep(3 * time.Second)
@@ -118,7 +119,7 @@ func TestAuthHTTP(t *testing.T) {
 	dir := t.TempDir()
 	fn := filepath.Join(dir, "sessions.db")
 
-	users := []User{
+	users := []webUser{
 		{Name: "name", PasswordHash: "$2y$05$..vyzAECIhJPfaQiOK17IukcQnqEgKJHy0iETyYqxn3YXJl8yZuo2"},
 	}
 	Context.auth = InitAuth(fn, users, 60, nil)
@@ -150,18 +151,19 @@ func TestAuthHTTP(t *testing.T) {
 	assert.True(t, handlerCalled)
 
 	// perform login
-	cookie, err := Context.auth.httpCookie(loginJSON{Name: "name", Password: "password"}, "")
+	cookie, err := Context.auth.newCookie(loginJSON{Name: "name", Password: "password"}, "")
 	require.NoError(t, err)
-	assert.NotEmpty(t, cookie)
+	require.NotNil(t, cookie)
 
 	// get /
 	handler2 = optionalAuth(handler)
 	w.hdr = make(http.Header)
-	r.Header.Set("Cookie", cookie)
+	r.Header.Set("Cookie", cookie.String())
 	r.URL = &url.URL{Path: "/"}
 	handlerCalled = false
 	handler2(&w, &r)
 	assert.True(t, handlerCalled)
+
 	r.Header.Del("Cookie")
 
 	// get / with basic auth
@@ -177,7 +179,7 @@ func TestAuthHTTP(t *testing.T) {
 	// get login page with a valid cookie - we're redirected to /
 	handler2 = optionalAuth(handler)
 	w.hdr = make(http.Header)
-	r.Header.Set("Cookie", cookie)
+	r.Header.Set("Cookie", cookie.String())
 	r.URL = &url.URL{Path: loginURL}
 	handlerCalled = false
 	handler2(&w, &r)

internal/home/clientshttp.go

@@ -93,13 +93,7 @@ func (clients *clientsContainer) handleGetClients(w http.ResponseWriter, r *http
 
 	data.Tags = clientTags
 
-	w.Header().Set("Content-Type", "application/json")
-	e := json.NewEncoder(w).Encode(data)
-	if e != nil {
-		aghhttp.Error(r, w, http.StatusInternalServerError, "failed to encode to json: %v", e)
-
-		return
-	}
+	_ = aghhttp.WriteJSONResponse(w, r, data)
 }
 
 // Convert JSON object to Client object
@@ -249,11 +243,7 @@ func (clients *clientsContainer) handleFindClient(w http.ResponseWriter, r *http
 		})
 	}
 
-	w.Header().Set("Content-Type", "application/json")
-	err := json.NewEncoder(w).Encode(data)
-	if err != nil {
-		aghhttp.Error(r, w, http.StatusInternalServerError, "Couldn't write response: %s", err)
-	}
+	_ = aghhttp.WriteJSONResponse(w, r, data)
 }
 
 // findRuntime looks up the IP in runtime and temporary storages, like

internal/home/config.go

@@ -85,10 +85,10 @@ type configuration struct {
 	// It's reset after config is parsed
 	fileData []byte
 
-	BindHost     net.IP `yaml:"bind_host"`      // BindHost is the IP address of the HTTP server to bind to
-	BindPort     int    `yaml:"bind_port"`      // BindPort is the port the HTTP server
-	BetaBindPort int    `yaml:"beta_bind_port"` // BetaBindPort is the port for new client
-	Users        []User `yaml:"users"`          // Users that can access HTTP server
+	BindHost     net.IP    `yaml:"bind_host"`      // BindHost is the IP address of the HTTP server to bind to
+	BindPort     int       `yaml:"bind_port"`      // BindPort is the port the HTTP server
+	BetaBindPort int       `yaml:"beta_bind_port"` // BetaBindPort is the port for new client
+	Users        []webUser `yaml:"users"`          // Users that can access HTTP server
 	// AuthAttempts is the maximum number of failed login attempts a user
 	// can do before being blocked.
 	AuthAttempts uint `yaml:"auth_attempts"`

internal/home/control.go

@@ -146,13 +146,7 @@ func handleStatus(w http.ResponseWriter, r *http.Request) {
 		resp.IsDHCPAvailable = Context.dhcpServer != nil
 	}
 
-	w.Header().Set("Content-Type", "application/json")
-	err = json.NewEncoder(w).Encode(resp)
-	if err != nil {
-		aghhttp.Error(r, w, http.StatusInternalServerError, "Unable to write response json: %s", err)
-
-		return
-	}
+	_ = aghhttp.WriteJSONResponse(w, r, resp)
 }
 
 type profileJSON struct {
@@ -162,13 +156,16 @@ type profileJSON struct {
 func handleGetProfile(w http.ResponseWriter, r *http.Request) {
 	pj := profileJSON{}
 	u := Context.auth.getCurrentUser(r)
+
 	pj.Name = u.Name
 
 	data, err := json.Marshal(pj)
 	if err != nil {
 		aghhttp.Error(r, w, http.StatusInternalServerError, "json.Marshal: %s", err)
+
 		return
 	}
+
 	_, _ = w.Write(data)
 }
 
@@ -207,11 +204,24 @@ func ensure(method string, handler func(http.ResponseWriter, *http.Request)) fun
 		log.Debug("%s %v", r.Method, r.URL)
 
 		if r.Method != method {
-			http.Error(w, "This request must be "+method, http.StatusMethodNotAllowed)
+			aghhttp.Error(r, w, http.StatusMethodNotAllowed, "only %s is allowed", method)
+
 			return
 		}
 
 		if method == http.MethodPost || method == http.MethodPut || method == http.MethodDelete {
+			if r.Header.Get(aghhttp.HdrNameContentType) != aghhttp.HdrValApplicationJSON {
+				aghhttp.Error(
+					r,
+					w,
+					http.StatusUnsupportedMediaType,
+					"only %s is allowed",
+					aghhttp.HdrValApplicationJSON,
+				)
+
+				return
+			}
+
 			Context.controlLock.Lock()
 			defer Context.controlLock.Unlock()
 		}

internal/home/controlinstall.go

@@ -59,19 +59,7 @@ func (web *Web) handleInstallGetAddresses(w http.ResponseWriter, r *http.Request
 		data.Interfaces[iface.Name] = iface
 	}
 
-	w.Header().Set("Content-Type", "application/json")
-	err = json.NewEncoder(w).Encode(data)
-	if err != nil {
-		aghhttp.Error(
-			r,
-			w,
-			http.StatusInternalServerError,
-			"Unable to marshal default addresses to json: %s",
-			err,
-		)
-
-		return
-	}
+	_ = aghhttp.WriteJSONResponse(w, r, data)
 }
 
 type checkConfReqEnt struct {
@@ -201,13 +189,7 @@ func (web *Web) handleInstallCheckConfig(w http.ResponseWriter, r *http.Request)
 		resp.StaticIP = handleStaticIP(req.DNS.IP, req.SetStaticIP)
 	}
 
-	w.Header().Set("Content-Type", "application/json")
-	err = json.NewEncoder(w).Encode(resp)
-	if err != nil {
-		aghhttp.Error(r, w, http.StatusInternalServerError, "encoding the response: %s", err)
-
-		return
-	}
+	_ = aghhttp.WriteJSONResponse(w, r, resp)
 }
 
 // handleStaticIP - handles static IP request
@@ -424,7 +406,7 @@ func (web *Web) handleInstallConfigure(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	u := &User{
+	u := &webUser{
 		Name: req.Username,
 	}
 	Context.auth.UserAdd(u, req.Password)
@@ -688,19 +670,7 @@ func (web *Web) handleInstallGetAddressesBeta(w http.ResponseWriter, r *http.Req
 
 	data.Interfaces = ifaces
 
-	w.Header().Set("Content-Type", "application/json")
-	err = json.NewEncoder(w).Encode(data)
-	if err != nil {
-		aghhttp.Error(
-			r,
-			w,
-			http.StatusInternalServerError,
-			"Unable to marshal default addresses to json: %s",
-			err,
-		)
-
-		return
-	}
+	_ = aghhttp.WriteJSONResponse(w, r, data)
 }
 
 // registerBetaInstallHandlers registers the install handlers for new client

internal/home/controlupdate.go

@@ -28,8 +28,6 @@ type temporaryError interface {
 
 // Get the latest available version from the Internet
 func handleGetVersionJSON(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Content-Type", "application/json")
-
 	resp := &versionResponse{}
 	if Context.disableUpdate {
 		resp.Disabled = true
@@ -71,10 +69,7 @@ func handleGetVersionJSON(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = json.NewEncoder(w).Encode(resp)
-	if err != nil {
-		aghhttp.Error(r, w, http.StatusInternalServerError, "writing body: %s", err)
-	}
+	_ = aghhttp.WriteJSONResponse(w, r, resp)
 }
 
 // requestVersionInfo sets the VersionInfo field of resp if it can reach the

internal/home/home.go

@@ -409,7 +409,7 @@ func run(args options, clientBuildFS fs.FS) {
 	configureLogger(args)
 
 	// Print the first message after logger is configured.
-	log.Println(version.Full())
+	log.Info(version.Full())
 	log.Debug("current working directory is %s", Context.workDir)
 	if args.runningAsService {
 		log.Info("AdGuard Home is running as a service")
@@ -455,9 +455,9 @@ func run(args options, clientBuildFS fs.FS) {
 
 	sessFilename := filepath.Join(Context.getDataDir(), "sessions.db")
 	GLMode = args.glinetMode
-	var arl *authRateLimiter
+	var rateLimiter *authRateLimiter
 	if config.AuthAttempts > 0 && config.AuthBlockMin > 0 {
-		arl = newAuthRateLimiter(
+		rateLimiter = newAuthRateLimiter(
 			time.Duration(config.AuthBlockMin)*time.Minute,
 			config.AuthAttempts,
 		)
@@ -469,7 +469,7 @@ func run(args options, clientBuildFS fs.FS) {
 		sessFilename,
 		config.Users,
 		config.WebSessionTTLHours*60*60,
-		arl,
+		rateLimiter,
 	)
 	if Context.auth == nil {
 		log.Fatalf("Couldn't initialize Auth module")

internal/home/i18n.go

@@ -1,10 +1,8 @@
 package home
 
 import (
-	"fmt"
-	"io"
+	"encoding/json"
 	"net/http"
-	"strings"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/golibs/log"
@@ -51,43 +49,35 @@ var allowedLanguages = stringutil.NewSet(
 	"zh-tw",
 )
 
-func handleI18nCurrentLanguage(w http.ResponseWriter, _ *http.Request) {
-	w.Header().Set("Content-Type", "text/plain")
-	log.Printf("config.Language is %s", config.Language)
-	_, err := fmt.Fprintf(w, "%s\n", config.Language)
-	if err != nil {
-		msg := fmt.Sprintf("Unable to write response json: %s", err)
-		log.Println(msg)
-		http.Error(w, msg, http.StatusInternalServerError)
+// languageJSON is the JSON structure for language requests and responses.
+type languageJSON struct {
+	Language string `json:"language"`
+}
 
-		return
-	}
+func handleI18nCurrentLanguage(w http.ResponseWriter, r *http.Request) {
+	log.Printf("home: language is %s", config.Language)
+
+	_ = aghhttp.WriteJSONResponse(w, r, &languageJSON{
+		Language: config.Language,
+	})
 }
 
 func handleI18nChangeLanguage(w http.ResponseWriter, r *http.Request) {
-	// This use of ReadAll is safe, because request's body is now limited.
-	body, err := io.ReadAll(r.Body)
+	if aghhttp.WriteTextPlainDeprecated(w, r) {
+		return
+	}
+
+	langReq := &languageJSON{}
+	err := json.NewDecoder(r.Body).Decode(langReq)
 	if err != nil {
-		msg := fmt.Sprintf("failed to read request body: %s", err)
-		log.Println(msg)
-		http.Error(w, msg, http.StatusBadRequest)
+		aghhttp.Error(r, w, http.StatusInternalServerError, "reading req: %s", err)
 
 		return
 	}
 
-	language := strings.TrimSpace(string(body))
-	if language == "" {
-		msg := "empty language specified"
-		log.Println(msg)
-		http.Error(w, msg, http.StatusBadRequest)
-
-		return
-	}
-
-	if !allowedLanguages.Has(language) {
-		msg := fmt.Sprintf("unknown language specified: %s", language)
-		log.Println(msg)
-		http.Error(w, msg, http.StatusBadRequest)
+	lang := langReq.Language
+	if !allowedLanguages.Has(lang) {
+		aghhttp.Error(r, w, http.StatusBadRequest, "unknown language: %q", lang)
 
 		return
 	}
@@ -96,7 +86,8 @@ func handleI18nChangeLanguage(w http.ResponseWriter, r *http.Request) {
 		config.Lock()
 		defer config.Unlock()
 
-		config.Language = language
+		config.Language = lang
+		log.Printf("home: language is set to %s", lang)
 	}()
 
 	onConfigModified()

internal/home/service.go

@@ -176,7 +176,8 @@ func handleServiceControlAction(opts options, clientBuildFS fs.FS) {
 	chooseSystem()
 
 	action := opts.serviceControlAction
-	log.Printf("service: control action: %s", action)
+	log.Info(version.Full())
+	log.Info("service: control action: %s", action)
 
 	if action == "reload" {
 		sendSigReload()

internal/home/tls.go

@@ -680,8 +680,6 @@ func unmarshalTLS(r *http.Request) (tlsConfigSettingsExt, error) {
 }
 
 func marshalTLS(w http.ResponseWriter, r *http.Request, data tlsConfig) {
-	w.Header().Set("Content-Type", "application/json")
-
 	if data.CertificateChain != "" {
 		encoded := base64.StdEncoding.EncodeToString([]byte(data.CertificateChain))
 		data.CertificateChain = encoded
@@ -692,16 +690,7 @@ func marshalTLS(w http.ResponseWriter, r *http.Request, data tlsConfig) {
 		data.PrivateKey = ""
 	}
 
-	err := json.NewEncoder(w).Encode(data)
-	if err != nil {
-		aghhttp.Error(
-			r,
-			w,
-			http.StatusInternalServerError,
-			"Failed to marshal json with TLS status: %s",
-			err,
-		)
-	}
+	_ = aghhttp.WriteJSONResponse(w, r, data)
 }
 
 // registerWebHandlers registers HTTP handlers for TLS configuration

internal/home/upgrade.go

@@ -278,11 +278,11 @@ func upgradeSchema4to5(diskConf yobj) error {
 		log.Fatalf("Can't use password \"%s\": bcrypt.GenerateFromPassword: %s", passStr, err)
 		return nil
 	}
-	u := User{
+	u := webUser{
 		Name:         nameStr,
 		PasswordHash: string(hash),
 	}
-	users := []User{u}
+	users := []webUser{u}
 	diskConf["users"] = users
 	return nil
 }