Ensure that cookies are sent only to the correct domains.cookies

We want to avoid that authentication data is sent when fetching images from external sources, for instance.

3 files changed, 48 insertions, 7 deletions

diff --git a/config.yml.example b/config.yml.example
index e933ade..1c0e597 100644
--- a/config.yml.example
+++ b/config.yml.example
@@ -96,6 +96,8 @@ options:
   cookies:
     - name: authentication
       value: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY2N...
+      # if the domain value is different from the domain of the RSS feed
+      domain: foo.bar.ex
 
 ## Feeds
 # Each feed must have a name, and a URL or Exec argument. The name must be unique.
diff --git a/internal/feed/feed.go b/internal/feed/feed.go
index f31de65..f403036 100644
--- a/internal/feed/feed.go
+++ b/internal/feed/feed.go
@@ -21,6 +21,7 @@ type Feed struct {
 	items  []Item
 	Global config.GlobalOptions
 	extID  FeedID
+	jar    http.CookieJar
 }
 
 type FeedID interface {
@@ -35,10 +36,18 @@ type Descriptor struct {
 }
 
 func (feed *Feed) Context() http.Context {
+	if feed.Url != "" && len(feed.Cookies) > 0 && feed.jar == nil {
+		var err error
+		feed.jar, err = http.JarOfCookies(feed.Cookies, feed.Url)
+		if err != nil {
+			log.Errorf("Error while initialising cookies for feed '%s': %w", feed.Name, err)
+		}
+	}
+
 	return http.Context{
 		Timeout:    feed.Global.Timeout,
 		DisableTLS: feed.NoTLS,
-		Cookies:    feed.Cookies,
+		Jar:        feed.jar,
 	}
 }
 
diff --git a/internal/http/client.go b/internal/http/client.go
index 4272a5b..b47203d 100644
--- a/internal/http/client.go
+++ b/internal/http/client.go
@@ -5,6 +5,8 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net/http"
+	"net/http/cookiejar"
+	urlpkg "net/url"
 	"time"
 )
 
@@ -23,7 +25,7 @@ type Error struct {
 type Context struct {
 	Timeout    int
 	DisableTLS bool
-	Cookies    []Cookie
+	Jar        CookieJar
 }
 
 func (err Error) Error() string {
@@ -55,8 +57,35 @@ func client(disableTLS bool) *http.Client {
 var noop ctxt.CancelFunc = func() {}
 
 type Cookie struct {
-	Name  string
-	Value string
+	Name   string
+	Value  string
+	Domain string
+}
+
+type CookieJar http.CookieJar
+
+func JarOfCookies(cookies []Cookie, url string) (CookieJar, error) {
+	jar, err := cookiejar.New(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	cs := make([]*http.Cookie, len(cookies))
+	for i, c := range cookies {
+		cs[i] = &http.Cookie{Name: c.Name, Value: c.Value, Domain: c.Domain}
+	}
+
+	u, err := urlpkg.Parse(url)
+	if err != nil {
+		return nil, err
+	}
+
+	// ignore the path of the URL
+	u.Path = ""
+
+	jar.SetCookies(u, cs)
+
+	return jar, nil
 }
 
 func Get(url string, ctx Context) (resp *http.Response, cancel ctxt.CancelFunc, err error) {
@@ -82,9 +111,10 @@ func Get(url string, ctx Context) (resp *http.Response, cancel ctxt.CancelFunc,
 	}
 	req.Header.Set("User-Agent", "Feed2Imap-Go/1.0")
 
-	for _, c := range ctx.Cookies {
-		cookie := http.Cookie{Name: c.Name, Value: c.Value}
-		req.AddCookie(&cookie)
+	if ctx.Jar != nil {
+		for _, c := range ctx.Jar.Cookies(req.URL) {
+			req.AddCookie(c)
+		}
 	}
 
 	resp, err = client(ctx.DisableTLS).Do(req)