Implement API keys

cmd/syncthing/gui.go

@@ -321,6 +321,10 @@ func getQR(w http.ResponseWriter, params martini.Params) {
 
 func basic(username string, passhash string) http.HandlerFunc {
 	return func(res http.ResponseWriter, req *http.Request) {
+		if validAPIKey(req.Header.Get("X-API-Key")) {
+			return
+		}
+
 		error := func() {
 			time.Sleep(time.Duration(rand.Intn(100)+100) * time.Millisecond)
 			res.Header().Set("WWW-Authenticate", "Basic realm=\"Authorization Required\"")
@@ -358,6 +362,10 @@ func basic(username string, passhash string) http.HandlerFunc {
 	}
 }
 
+func validAPIKey(k string) bool {
+	return len(cfg.GUI.APIKey) > 0 && k == cfg.GUI.APIKey
+}
+
 func embeddedStatic() func(http.ResponseWriter, *http.Request, *log.Logger) {
 	var modt = time.Now().UTC().Format(http.TimeFormat)
 

cmd/syncthing/gui_csrf.go

@@ -22,6 +22,9 @@ var csrfMut sync.Mutex
 // the request with 403. For / and /index.html, set a new CSRF cookie if none
 // is currently set.
 func csrfMiddleware(w http.ResponseWriter, r *http.Request) {
+	if validAPIKey(r.Header.Get("X-API-Key")) {
+		return
+	}
 	if strings.HasPrefix(r.URL.Path, "/rest/") {
 		token := r.Header.Get("X-CSRF-Token")
 		if !validCsrfToken(token) {