security: Respect the autologin setting better.

src/httpd.js.c

@@ -2166,31 +2166,22 @@ static void _httpd_endpoint_logout(tf_http_request_t* request)
 	tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
 }
 
-static bool _task_arg_is_mobile(tf_task_t* task)
-{
-	bool result = false;
-	JSContext* context = tf_task_get_context(task);
-	JSValue global = JS_GetGlobalObject(context);
-	JSValue tildefriends = JS_GetPropertyStr(context, global, "tildefriends");
-	JSValue args = JS_GetPropertyStr(context, tildefriends, "args");
-	JSValue mobile = JS_GetPropertyStr(context, args, "mobile");
-	result = JS_ToBool(context, mobile) != 0;
-	JS_FreeValue(context, mobile);
-	JS_FreeValue(context, args);
-	JS_FreeValue(context, tildefriends);
-	JS_FreeValue(context, global);
-	return result;
-}
-
 typedef struct _auto_login_t
 {
 	tf_http_request_t* request;
+	bool autologin;
 	const char* users;
 } auto_login_t;
 
 static void _httpd_auto_login_work(tf_ssb_t* ssb, void* user_data)
 {
 	auto_login_t* request = user_data;
+	sqlite3* db = tf_ssb_acquire_db_reader(ssb);
+	tf_ssb_db_get_global_setting_bool(db, "autologin", &request->autologin);
+	tf_ssb_release_db_reader(ssb, db);
+
+	if (request->autologin)
+	{
 		request->users = tf_ssb_db_get_property(ssb, "auth", "users");
 		if (request->users && strcmp(request->users, "[]") == 0)
 		{
@@ -2217,6 +2208,7 @@ static void _httpd_auto_login_work(tf_ssb_t* ssb, void* user_data)
 
 			request->users = tf_ssb_db_get_property(ssb, "auth", "users");
 		}
+	}
 }
 
 static void _httpd_auto_login_after_work(tf_ssb_t* ssb, int status, void* user_data)
@@ -2224,6 +2216,13 @@ static void _httpd_auto_login_after_work(tf_ssb_t* ssb, int status, void* user_d
 	auto_login_t* work = user_data;
 	JSContext* context = tf_ssb_get_context(ssb);
 	const char* session_token = NULL;
+	if (!work->autologin)
+	{
+		const char* k_payload = tf_http_status_text(404);
+		tf_http_respond(work->request, 404, NULL, 0, k_payload, strlen(k_payload));
+	}
+	else
+	{
 		if (work->users)
 		{
 			JSValue json = JS_ParseJSON(context, work->users, strlen(work->users), NULL);
@@ -2255,6 +2254,7 @@ static void _httpd_auto_login_after_work(tf_ssb_t* ssb, int status, void* user_d
 			};
 			tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
 		}
+	}
 	tf_http_request_unref(work->request);
 	tf_free((void*)work->users);
 	tf_free(work);
@@ -2263,20 +2263,12 @@ static void _httpd_auto_login_after_work(tf_ssb_t* ssb, int status, void* user_d
 static void _httpd_endpoint_login_auto(tf_http_request_t* request)
 {
 	tf_task_t* task = request->user_data;
-	if (tf_util_is_mobile() || _task_arg_is_mobile(task))
-	{
 	tf_http_request_ref(request);
 	tf_ssb_t* ssb = tf_task_get_ssb(task);
 
 	auto_login_t* work = tf_malloc(sizeof(auto_login_t));
 	*work = (auto_login_t) { .request = request };
 	tf_ssb_run_work(ssb, _httpd_auto_login_work, _httpd_auto_login_after_work, work);
-	}
-	else
-	{
-		const char* k_payload = tf_http_status_text(404);
-		tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
-	}
 }
 
 static void _httpd_endpoint_app_socket(tf_http_request_t* request)