Fix detection of protected user API operations

The current implementation would set the access token before trying out calling `/rest/sitemaps` which would obviously always succeed, since the call would be made with the token. Therefore the "requireToken" flag would not be set properly and prevent the alternative SSE implementation (which allows headers) to be used. Fixes #1146. Signed-off-by: Yannick Schaus <github@schaus.net>
openhab · Aug 25, 2021 · 4a5f7b0 · 4a5f7b0
1 parent 8cec28a
commit 4a5f7b0
Showing 1 changed file with 15 additions and 10 deletions.
diff --git a/bundles/org.openhab.ui/web/src/js/openhab/auth.js b/bundles/org.openhab.ui/web/src/js/openhab/auth.js
@@ -84,17 +84,22 @@ export function storeBasicCredentials () {
 }
 
 export function setAccessToken (token, api) {
-  accessToken = token
-  if (!token || !api || requireToken !== undefined) return Promise.resolve()
-
-  // determine whether the token is required for user operations
-  return api.get('/rest/sitemaps').then((resp) => {
-    requireToken = false
-    return Promise.resolve()
-  }).catch((err) => {
-    if (err === 'Unauthorized' || err === 401) requireToken = true
+  if (!token || !api) return Promise.resolve()
+  if (requireToken === undefined) {
+    // determine whether the token is required for user operations
+    return api.get('/rest/sitemaps').then((resp) => {
+      accessToken = token
+      requireToken = false
+      return Promise.resolve()
+    }).catch((err) => {
+      if (err === 'Unauthorized' || err === 401) requireToken = true
+      accessToken = token
+      return Promise.resolve()
+    })
+  } else {
+    accessToken = token
     return Promise.resolve()
-  })
+  }
 }
 
 export function clearAccessToken () {