From 90e68875f13aaa02d2ab5c1574f7a735d036e60e Mon Sep 17 00:00:00 2001
From: Tulir Asokan
Date: Tue, 15 Oct 2024 12:03:06 +0300
Subject: [PATCH] server: only validate sec-fetch headers if present

---
 server.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/server.go b/server.go
index f0063b3..c20baec 100644
--- a/server.go
+++ b/server.go
@@ -76,7 +76,7 @@ func (gmx *Gomuks) StartServer() {
 }
 
 var (
-	ErrInvalidHeader = mautrix.RespError{ErrCode: "FI.MAU.GOMUKS.INVALID_HEADER", StatusCode: http.StatusBadRequest}
+	ErrInvalidHeader = mautrix.RespError{ErrCode: "FI.MAU.GOMUKS.INVALID_HEADER", StatusCode: http.StatusForbidden}
 	ErrMissingCookie = mautrix.RespError{ErrCode: "FI.MAU.GOMUKS.MISSING_COOKIE", Err: "Missing gomuks_auth cookie", StatusCode: http.StatusUnauthorized}
 	ErrInvalidCookie = mautrix.RespError{ErrCode: "FI.MAU.GOMUKS.INVALID_COOKIE", Err: "Invalid gomuks_auth cookie", StatusCode: http.StatusUnauthorized}
 )
@@ -166,7 +166,13 @@ func isUserFetch(header http.Header) bool {
 
 func (gmx *Gomuks) AuthMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Header.Get("Sec-WebSocket-Key") == "" && r.Header.Get("Sec-Fetch-Site") != "same-origin" && !isUserFetch(r.Header) {
+		if r.Header.Get("Sec-Fetch-Site") != "" && r.Header.Get("Sec-Fetch-Site") != "same-origin" && !isUserFetch(r.Header) {
+			hlog.FromRequest(r).Debug().
+				Str("site", r.Header.Get("Sec-Fetch-Site")).
+				Str("dest", r.Header.Get("Sec-Fetch-Dest")).
+				Str("mode", r.Header.Get("Sec-Fetch-Mode")).
+				Str("user", r.Header.Get("Sec-Fetch-User")).
+				Msg("Invalid Sec-Fetch-Site header")
 			ErrInvalidHeader.WithMessage("Invalid Sec-Fetch-Site header").Write(w)
 			return
 		}
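Review bot: ErrInvalidHeader now answers 403 while the two cookie errors beside it answer 401, and unlike its siblings it carries no `Err` text, relying on `WithMessage` at each use site; the var block has no comment saying so. A doc comment such as `// ErrInvalidHeader is sent when a browser-supplied Sec-Fetch-Site header indicates a cross-site request; callers attach the detail via WithMessage.` would make the contract explicit. The move from 400 to 403 is visible to any client that matches on the status code, so it is worth mentioning in the commit message alongside the header-handling change.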
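Review bot: The new condition reads `Sec-Fetch-Site` twice and the log call reads it a third time; hoist it into a local, `site := r.Header.Get("Sec-Fetch-Site")`, then `if site != "" && site != "same-origin" && !isUserFetch(r.Header) {`, and pass `site` to the `Str("site", ...)` field. Because an absent header now passes this check, the cross-site rejection only applies to clients that send Fetch Metadata, so a comment above the condition should say that requests without it fall through to the cookie checks that ErrMissingCookie and ErrInvalidCookie presumably back, so a reader does not take this branch for the whole cross-site defence. The old condition also exempted requests carrying `Sec-WebSocket-Key`; the new one does not, so a WebSocket upgrade that arrives with a non-same-origin `Sec-Fetch-Site` is now rejected — likely intended, but worth stating. Logging the rejection only at Debug means an operator watching for cross-site attempts will not see it by default; Warn may fit better. The handler closure continues past the end of the hunk.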