From bb38d5397cbc94e53a8aa6ff3f1a7e59639cdfcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Louis=20V=C3=A9zina?=
 <5130500+morpheus65535@users.noreply.github.com>
Date: Sun, 23 Aug 2020 21:10:59 -0400
Subject: [PATCH] Moving UI API key authentication to X-Api-Key header.

---
 bazarr/api.py    | 5 ++++-
 views/_main.html | 9 +--------
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/bazarr/api.py b/bazarr/api.py
index a40fd6e3a..9db482869 100644
--- a/bazarr/api.py
+++ b/bazarr/api.py
@@ -54,8 +54,11 @@ def authenticate(actual_method):
         apikey_settings = settings.auth.apikey
         apikey_get = request.args.get('apikey')
         apikey_post = request.form.get('apikey')
+        apikey_header = None
+        if 'X-Api-Key' in request.headers:
+            apikey_header = request.headers['X-Api-Key']
 
-        if apikey_settings in [apikey_get, apikey_post]:
+        if apikey_settings in [apikey_get, apikey_post, apikey_header]:
             return actual_method(*args, **kwargs)
 
         return abort(401, message="Unauthorized")
diff --git a/views/_main.html b/views/_main.html
index 014a4dfa4..adb4eec35 100644
--- a/views/_main.html
+++ b/views/_main.html
@@ -495,14 +495,7 @@
 
         // Add apikey to all AJAX requests.
         $.ajaxSetup({
-            data: {
-                apikey: "{{ settings.auth.apikey }}"
-            }
-        });
-        $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
-            if (originalOptions.data instanceof FormData) {
-                originalOptions.data.append("apikey", "{{ settings.auth.apikey }}");
-            }
+            headers: { 'X-Api-Key': "{{ settings.auth.apikey }}" }
         });
 
         $(window).on('beforeunload', function () {