From f90b78a9768fca08219f13fa73e44dc397158a9d Mon Sep 17 00:00:00 2001
From: "J. King" <jking@jkingweb.ca>
Date: Wed, 3 Mar 2021 16:46:57 -0500
Subject: [PATCH] Fix compatibility issues

- CORS OPTIONS requests may not ask for credentials
- Fever apparently didn't care about supplied Content-Type
---
 lib/REST/Fever/API.php          |  3 ---
 lib/REST/Miniflux/V1.php        |  8 ++++----
 lib/REST/NextcloudNews/V1_2.php | 12 ++++++------
 3 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/lib/REST/Fever/API.php b/lib/REST/Fever/API.php
index 8f43d45..20e6c35 100644
--- a/lib/REST/Fever/API.php
+++ b/lib/REST/Fever/API.php
@@ -72,9 +72,6 @@ class API extends \JKingWeb\Arsse\REST\AbstractHandler {
                 ]);
             case "GET": // HTTP violation required for client "Unread" on iOS
             case "POST":
-                if (!HTTP::matchType($req, "", ...self::ACCEPTED_TYPES)) {
-                    return new EmptyResponse(415, ['Accept' => implode(", ", self::ACCEPTED_TYPES)]);
-                }
                 $out = [
                     'api_version' => self::LEVEL,
                     'auth'        => 0,
diff --git a/lib/REST/Miniflux/V1.php b/lib/REST/Miniflux/V1.php
index a3854ea..96eb8c4 100644
--- a/lib/REST/Miniflux/V1.php
+++ b/lib/REST/Miniflux/V1.php
@@ -236,10 +236,6 @@ class V1 extends \JKingWeb\Arsse\REST\AbstractHandler {
     }
 
     public function dispatch(ServerRequestInterface $req): ResponseInterface {
-        // try to authenticate
-        if (!$this->authenticate($req)) {
-            return new ErrorResponse("401", 401);
-        }
         // get the request path only; this is assumed to already be normalized
         $target = parse_url($req->getRequestTarget(), \PHP_URL_PATH) ?? "";
         $method = $req->getMethod();
@@ -247,6 +243,10 @@ class V1 extends \JKingWeb\Arsse\REST\AbstractHandler {
         if ($method === "OPTIONS") {
             return $this->handleHTTPOptions($target);
         }
+        // try to authenticate
+        if (!$this->authenticate($req)) {
+            return new ErrorResponse("401", 401);
+        }
         $func = $this->chooseCall($target, $method);
         if ($func instanceof ResponseInterface) {
             return $func;
diff --git a/lib/REST/NextcloudNews/V1_2.php b/lib/REST/NextcloudNews/V1_2.php
index 984491a..111cf2f 100644
--- a/lib/REST/NextcloudNews/V1_2.php
+++ b/lib/REST/NextcloudNews/V1_2.php
@@ -76,18 +76,18 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
     }
 
     public function dispatch(ServerRequestInterface $req): ResponseInterface {
-        // try to authenticate
-        if ($req->getAttribute("authenticated", false)) {
-            Arsse::$user->id = $req->getAttribute("authenticatedUser");
-        } else {
-            return new EmptyResponse(401);
-        }
         // get the request path only; this is assumed to already be normalized
         $target = parse_url($req->getRequestTarget())['path'] ?? "";
         // handle HTTP OPTIONS requests
         if ($req->getMethod() === "OPTIONS") {
             return $this->handleHTTPOptions($target);
         }
+        // try to authenticate
+        if ($req->getAttribute("authenticated", false)) {
+            Arsse::$user->id = $req->getAttribute("authenticatedUser");
+        } else {
+            return new EmptyResponse(401);
+        }
         // normalize the input
         $data = (string) $req->getBody();
         if ($data) {