Refactor HTTP response builder

middleware/app_session.go

@@ -27,8 +27,7 @@ func (m *Middleware) AppSession(next http.Handler) http.Handler {
 
 			session, err = m.store.CreateSession()
 			if err != nil {
-				logger.Error("[Middleware:AppSession] %v", err)
-				html.ServerError(w, err)
+				html.ServerError(w, r, err)
 				return
 			}
 
@@ -43,7 +42,7 @@ func (m *Middleware) AppSession(next http.Handler) http.Handler {
 
 			if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
 				logger.Error(`[Middleware:AppSession] Invalid or missing CSRF token: Form="%s", Header="%s"`, formValue, headerValue)
-				html.BadRequest(w, errors.New("invalid or missing CSRF"))
+				html.BadRequest(w, r, errors.New("Invalid or missing CSRF"))
 				return
 			}
 		}

middleware/basic_auth.go

@@ -22,26 +22,26 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
 		username, password, authOK := r.BasicAuth()
 		if !authOK {
 			logger.Debug("[Middleware:BasicAuth] No authentication headers sent")
-			json.Unauthorized(w)
+			json.Unauthorized(w, r)
 			return
 		}
 
 		if err := m.store.CheckPassword(username, password); err != nil {
 			logger.Error("[Middleware:BasicAuth] [ClientIP=%s] Invalid username or password: %s", clientIP, username)
-			json.Unauthorized(w)
+			json.Unauthorized(w, r)
 			return
 		}
 
 		user, err := m.store.UserByUsername(username)
 		if err != nil {
 			logger.Error("[Middleware:BasicAuth] %v", err)
-			json.ServerError(w, err)
+			json.ServerError(w, r, err)
 			return
 		}
 
 		if user == nil {
 			logger.Error("[Middleware:BasicAuth] [ClientIP=%s] User not found: %s", clientIP, username)
-			json.Unauthorized(w)
+			json.Unauthorized(w, r)
 			return
 		}
 

middleware/common_headers.go

@@ -1,25 +0,0 @@
-// Copyright 2018 Frédéric Guillot. All rights reserved.
-// Use of this source code is governed by the Apache 2.0
-// license that can be found in the LICENSE file.
-
-package middleware // import "miniflux.app/middleware"
-
-import (
-	"net/http"
-)
-
-// CommonHeaders sends common HTTP headers.
-func (m *Middleware) CommonHeaders(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("X-XSS-Protection", "1; mode=block")
-		w.Header().Set("X-Content-Type-Options", "nosniff")
-		w.Header().Set("X-Frame-Options", "DENY")
-		w.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
-
-		if m.cfg.IsHTTPS && m.cfg.HasHSTS() {
-			w.Header().Set("Strict-Transport-Security", "max-age=31536000")
-		}
-
-		next.ServeHTTP(w, r)
-	})
-}

middleware/fever.go

@@ -26,7 +26,7 @@ func (m *Middleware) FeverAuth(next http.Handler) http.Handler {
 		}
 
 		if user == nil {
-			logger.Info("[Middleware:Fever] Fever authentication failure")
+			logger.Info("[Middleware:Fever] No user found with this API key")
 			json.OK(w, r, map[string]int{"api_version": 3, "auth": 0})
 			return
 		}

middleware/header_config.go

@@ -14,6 +14,11 @@ func (m *Middleware) HeaderConfig(next http.Handler) http.Handler {
 		if r.Header.Get("X-Forwarded-Proto") == "https" {
 			m.cfg.IsHTTPS = true
 		}
+
+		if m.cfg.IsHTTPS && m.cfg.HasHSTS() {
+			w.Header().Set("Strict-Transport-Security", "max-age=31536000")
+		}
+
 		next.ServeHTTP(w, r)
 	})
 }

middleware/user_session.go

@@ -10,7 +10,7 @@ import (
 
 	"miniflux.app/http/cookie"
 	"miniflux.app/http/request"
-	"miniflux.app/http/response"
+	"miniflux.app/http/response/html"
 	"miniflux.app/http/route"
 	"miniflux.app/logger"
 	"miniflux.app/model"
@@ -28,7 +28,7 @@ func (m *Middleware) UserSession(next http.Handler) http.Handler {
 			if m.isPublicRoute(r) {
 				next.ServeHTTP(w, r)
 			} else {
-				response.Redirect(w, r, route.Path(m.router, "login"))
+				html.Redirect(w, r, route.Path(m.router, "login"))
 			}
 		} else {
 			logger.Debug("[Middleware:UserSession] %s", session)