From b7723ac245b8b3e38d6410891ef1aa92d4772114 Mon Sep 17 00:00:00 2001 From: ed Date: Wed, 29 Nov 2023 23:20:59 +0000 Subject: [PATCH] rely on filekeys for album-art over bluetooth; will probably fail when some devices (sup iphone) stream to car stereos but at least passwords won't end up somewhere unexpected this way (plus, the js no longer uses the jank url to request waveforms) --- copyparty/httpcli.py | 10 +++++----- copyparty/util.py | 9 ++++----- copyparty/web/browser.js | 17 +++++------------ copyparty/web/util.js | 11 ----------- 4 files changed, 14 insertions(+), 33 deletions(-) diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py index 9bb35cc5..cc56a8b4 100644 --- a/copyparty/httpcli.py +++ b/copyparty/httpcli.py @@ -2161,17 +2161,17 @@ class HttpCli(object): msg = "naw dude" pwd = "x" # nosec - dur = None + dur = 0 if pwd == "x": # reset both plaintext and tls # (only affects active tls cookies when tls) for k in ("cppwd", "cppws") if self.is_https else ("cppwd",): - ck = gencookie(k, pwd, self.args.R, False, dur) + ck = gencookie(k, pwd, self.args.R, False) self.out_headerlist.append(("Set-Cookie", ck)) else: k = "cppws" if self.is_https else "cppwd" - ck = gencookie(k, pwd, self.args.R, self.is_https, dur) + ck = gencookie(k, pwd, self.args.R, self.is_https, dur, "; HttpOnly") self.out_headerlist.append(("Set-Cookie", ck)) return msg @@ -3299,7 +3299,7 @@ class HttpCli(object): if v == "y": dur = 86400 * 299 else: - dur = None + dur = 0 v = "x" ck = gencookie("k304", v, self.args.R, False, dur) @@ -3317,7 +3317,7 @@ class HttpCli(object): def set_cfg_reset(self) -> bool: for k in ("k304", "js", "idxh", "cppwd", "cppws"): - cookie = gencookie(k, "x", self.args.R, False, None) + cookie = gencookie(k, "x", self.args.R, False) self.out_headerlist.append(("Set-Cookie", cookie)) self.redirect("", "?h#cc") diff --git a/copyparty/util.py b/copyparty/util.py index 95388714..7d3dab91 100644 --- a/copyparty/util.py +++ b/copyparty/util.py 
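Review bot: The `"; HttpOnly"` argument on the successful-login `gencookie(...)` call in the `-2161` hunk of copyparty/httpcli.py has no comment saying why it is there or what depends on it. With HttpOnly set, page scripts can no longer read `cppwd`/`cppws` from `document.cookie`, which matches the intent stated in the commit message, but any client code outside this diff that still parses those cookies would now silently get nothing. I would add `# HttpOnly: keep the password cookie out of reach of page scripts; album-art urls use filekeys instead` above the call. The enclosing method starts and ends outside the hunk, so how `dur` is set on the success path is not visible here.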
@@ -1647,16 +1647,15 @@ def gen_filekey_dbg( return ret -def gencookie(k: str, v: str, r: str, tls: bool, dur: Optional[int]) -> str: +def gencookie(k: str, v: str, r: str, tls: bool, dur: int = 0, txt: str = "") -> str: v = v.replace("%", "%25").replace(";", "%3B") if dur: exp = formatdate(time.time() + dur, usegmt=True) else: exp = "Fri, 15 Aug 1997 01:00:00 GMT" - return "{}={}; Path=/{}; Expires={}{}; SameSite=Lax".format( - k, v, r, exp, "; Secure" if tls else "" - ) + t = "%s=%s; Path=/%s; Expires=%s%s%s; SameSite=Lax" + return t % (k, v, r, exp, "; Secure" if tls else "", txt) def humansize(sz: float, terse: bool = False) -> str: @@ -2511,7 +2510,7 @@ def killtree(root: int) -> None: def _find_nice() -> str: if WINDOWS: return "" # use creationflags - + try: zs = shutil.which("nice") if zs: diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js index 88afe800..5a39a3b7 100644 --- a/copyparty/web/browser.js +++ b/copyparty/web/browser.js @@ -1506,7 +1506,6 @@ var mpl = (function () { artist = (np.circle && np.circle != np.artist ? np.circle + ' // ' : '') + (np.artist || (fns.length > 1 ? fns[0] : '')), title = np.title || fns.pop(), cover = '', - pcover = '', tags = { title: title }; if (artist) @@ -1521,20 +1520,14 @@ var mpl = (function () { for (var a = 0, aa = files.length; a < aa; a++) { if (/^(cover|folder)\.(jpe?g|png|gif)$/i.test(files[a].textContent)) { - cover = noq_href(files[a]); + cover = files[a].getAttribute('href'); break; } } if (cover) { cover += (cover.indexOf('?') === -1 ? '?' : '&') + 'th=j'; - pcover = cover; - - var pwd = get_pwd(); - if (pwd) - pcover += '&pw=' + uricom_enc(pwd); - - tags.artwork = [{ "src": pcover, type: "image/jpeg" }]; + tags.artwork = [{ "src": cover, type: "image/jpeg" }]; } } 
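Review bot: The new `txt` parameter of `gencookie` in copyparty/util.py is appended to the Set-Cookie value verbatim, so the function accepts arbitrary attribute text while `v` is the only argument that gets escaped. The single caller in this patch passes the literal `"; HttpOnly"`, so nothing is wrong today, but a later caller passing a computed string could add or override cookie attributes. A flag states the intent and removes that possibility: `def gencookie(k: str, v: str, r: str, tls: bool, dur: int = 0, httponly: bool = False) -> str:` with `"; HttpOnly" if httponly else ""` in the tuple. If `txt` stays, a docstring should say it must be a constant that starts with `"; "`.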
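Review bot: In the `-1521` hunk of copyparty/web/browser.js, `cover = files[a].getAttribute('href')` now keeps the link's query string where `noq_href` (by its name, a query-less href; its body is not visible here) was used before, and nothing records that this is deliberate. Going by the commit message, the query carries the filekey that authorizes the thumbnail, so that key is what now reaches `tags.artwork` and, in the `-1546` hunk, the `np_img` element whose old comment `// dont give last.fm the pwd` was dropped. A filekey is presumably a much narrower credential than the password, but it is still handed to whatever reads the media-session metadata or the page, and that trade-off deserves a comment. I would add `// keep the query: the filekey in the href authorizes the thumbnail; the password is never put in this url` above the assignment, and a matching remark on the `np_img` line.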
@@ -1546,7 +1539,7 @@ var mpl = (function () { ebi('np_dur').textContent = np['.dur'] || ''; ebi('np_url').textContent = get_vpath() + np.file.split('?')[0]; if (!MOBILE) - ebi('np_img').setAttribute('src', cover || ''); // dont give last.fm the pwd + ebi('np_img').setAttribute('src', cover || ''); navigator.mediaSession.metadata = new MediaMetadata(tags); navigator.mediaSession.setActionHandler('play', mplay); @@ -1724,7 +1717,7 @@ function MPlayer() { var t0 = Date.now(); if (mpl.waves) - fetch(url + '&th=p').then(function (x) { + fetch(url.replace(/\bth=opus&/, '') + '&th=p').then(function (x) { x.body.getReader().read(); }); @@ -3020,7 +3013,7 @@ function play(tid, is_ev, seek) { pbar.unwave(); if (mpl.waves) - pbar.loadwaves(url + '&th=p'); + pbar.loadwaves(url.replace(/\bth=opus&/, '') + '&th=p'); mpui.progress_updater(); pbar.onresize(); diff --git a/copyparty/web/util.js b/copyparty/web/util.js index 822b958f..9dfea822 100644 --- a/copyparty/web/util.js +++ b/copyparty/web/util.js @@ -754,17 +754,6 @@ function noq_href(el) { } -function get_pwd() { - var k = HTTPS ? 's=' : 'd=', - pwd = ('; ' + document.cookie).split('; cppw' + k); - - if (pwd.length < 2) - return null; - - return decodeURIComponent(pwd[1].split(';')[0]); -} - - function unix2iso(ts) { return new Date(ts * 1000).toISOString().replace("T", " ").slice(0, -5); }
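Review bot: The expression `url.replace(/\bth=opus&/, '') + '&th=p'` appears twice, in the `-1724` hunk (`fetch`) and the `-3020` hunk (`pbar.loadwaves`) of copyparty/web/browser.js, and it only strips `th=opus` when another parameter follows it. If `th=opus` is ever the last parameter of `url`, the pattern does not match and the request goes out with both `th=opus` and `th=p`; how `url` is built is outside these hunks, so this may not occur in practice. A small helper shared by both call sites would keep them in step and give the trailing case one place to be handled. A one-line comment there, such as `// waveform requests must not carry the transcode parameter`, would explain why the url is rewritten at all.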