From b9588343a66f18582eb584af197df7a8101db87c Mon Sep 17 00:00:00 2001
From: Evangelos Paterakis <evan@geopjr.dev>
Date: Thu, 8 Jun 2023 19:19:51 +0300
Subject: [PATCH] feat(network): remove header on insecure requests

if a request is known to be 100% out of instance or doesn't need auth then setting is_insecure should strip any auth headers even if with_account is explicitly set
---
 src/API/Status/PreviewCard.vala   |  1 +
 src/Services/Network/Request.vala | 10 ++++++++--
 src/Widgets/BookWyrmPage.vala     |  1 +
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/API/Status/PreviewCard.vala b/src/API/Status/PreviewCard.vala
index 2b518cf9..da05ea5f 100644
--- a/src/API/Status/PreviewCard.vala
+++ b/src/API/Status/PreviewCard.vala
@@ -173,6 +173,7 @@ public class Tuba.API.PreviewCard : Entity, Widgetizable {
 				
 
 				new Request.GET (special_api_url)
+					.is_insecure ()
 					.then ((sess, msg, in_stream) => {
 						bool failed = true;
 						var parser = Network.get_parser_from_inputstream(in_stream);
diff --git a/src/Services/Network/Request.vala b/src/Services/Network/Request.vala
index 605023d1..580753cf 100644
--- a/src/Services/Network/Request.vala
+++ b/src/Services/Network/Request.vala
@@ -34,6 +34,7 @@ public class Tuba.Request : GLib.Object {
 	HashMap<string, string>? pars;
 	Soup.Multipart? form_data;
 	public GLib.Cancellable cancellable;
+	public bool insecure { get; set; default=false; }
 
 	weak Gtk.Widget? ctx;
 	bool has_ctx = false;
@@ -108,6 +109,11 @@ public class Tuba.Request : GLib.Object {
 		return this;
 	}
 
+	public Request is_insecure () {
+		this.insecure = true;
+		return this;
+	}
+
 	public Request with_param (string name, string val) {
 		if (pars == null)
 			pars = new HashMap<string, string> ();
@@ -165,8 +171,8 @@ public class Tuba.Request : GLib.Object {
 			msg.uri = t_uri;
 		}
 
-		if (account != null && account.access_token != null) {
-			msg.request_headers.remove ("Authorization");
+		msg.request_headers.remove ("Authorization");
+		if (account != null && account.access_token != null && !insecure) {
 			msg.request_headers.append ("Authorization", @"Bearer $(account.access_token)");
 		}
 
diff --git a/src/Widgets/BookWyrmPage.vala b/src/Widgets/BookWyrmPage.vala
index 376fd419..ba20753b 100644
--- a/src/Widgets/BookWyrmPage.vala
+++ b/src/Widgets/BookWyrmPage.vala
@@ -67,6 +67,7 @@ public class Tuba.Widgets.BookWyrmPage : Gtk.Box {
 
             foreach (var author in t_obj.authors) {
                 new Request.GET (@"$author.json")
+                    .is_insecure ()
                     .then ((sess, msg, in_stream) => {
                         var parser = Network.get_parser_from_inputstream(in_stream);
                         var node = network.parse_node (parser);