From 285c31d58b1fe040741a10715f1b17a38f67cd87 Mon Sep 17 00:00:00 2001
From: Mystikfluu
Date: Tue, 21 Jun 2022 23:21:58 +0200
Subject: [PATCH] add a config for an api endpoint to decide if `getotheruser` should be allowed to be called without a cookie

---
 server.js | 11 +++++++++++
 server_config.json | 1 +
 2 files changed, 12 insertions(+)

diff --git a/server.js b/server.js
index 268947c..040890f 100644
--- a/server.js
+++ b/server.js
@@ -365,8 +365,19 @@ router.options("/api/post",async function(req,res,next) {
 res.status(200).send("")
 })
 
+router.options("/api/getotheruser",async function(req,res,next) {
+ res.set("Access-Control-Allow-Origin","*") //we'll allow it for now
+ res.set("Access-Control-Allow-Methods","GET")
+ res.set("Access-Control-Allow-Headers","Content-Type")
+ res.status(200).send("")
+})
+
 router.use("/api/*",async function(req,res,next) {
 res.set("Access-Control-Allow-Origin","*") //we'll allow it for now
+ if(config["allow_getotheruser_without_cookie"] && req.url == "/api/getotheruser") {
+ next()
+ return
+ }
 if(!increaseAPICall(req,res))return;
 let unsigned;
 if(req.body.user == undefined || req.body.pass == undefined) {
diff --git a/server_config.json b/server_config.json
index 51ea466..394cfaa 100644
--- a/server_config.json
+++ b/server_config.json
@@ -1,4 +1,5 @@
 {
+ "allow_getotheruser_without_cookie": true,
 "mysql": {
 "connections":1000,
 "host":"localhost",
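Review bot: The new early `next()` in the `/api/*` middleware runs before `if(!increaseAPICall(req,res))return;`, so when `allow_getotheruser_without_cookie` is set, requests to this endpoint skip whatever accounting `increaseAPICall` does (by its name, the API call limit) as well as the credential check, leaving a wildcard-CORS user lookup with neither authentication nor throttling. Moving the new `if` block to just below the `increaseAPICall` line keeps the limit in force for anonymous callers. The comparison `req.url == "/api/getotheruser"` is also fragile: `req.url` includes the query string, and Express rewrites it relative to the mount path inside `use` handlers, so it is worth confirming which requests actually match. Comparing the pathname of `req.originalUrl` together with `req.method === "GET"` would tie the exemption to the one route and method the new preflight handler advertises. The `router.use` callback continues past the end of the hunk, so the credential logic being skipped is not visible here.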
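Review bot: The new key `allow_getotheruser_without_cookie` is committed as `true`, so the cookie-less path is enabled for every deployment that uses this file as shipped. A switch that relaxes authentication is safer defaulting to off, i.e. `"allow_getotheruser_without_cookie": false`, with operators opting in deliberately. JSON has no comment syntax, so what the flag exposes should be described in the project's configuration documentation. The config object continues beyond the end of the hunk.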