#1
Hi,

I discovered an issue when connecting to cookie-based applications (such as Deluge).
In my setup, I am forced to run Deluge behind CloudFlare due to other issues with my ISP. CloudFlare adds additional cookies to the request and this gives issues with the current implementation of basic authentication and/or the cookiejar/cookiestore, as explained below.

Currently, nzb360 implements the OkHttp Authenticator interface to add basic authentication to the request. As stated in the documentation, the OkHttp authentication interface performs "Reactive Authentication" for basic auth, instead of "Preemptive Authentication".

I observed the following HTTP flow (authentication + additional json requests) and that result in issues due to additional CF cookies:

Request 1:
JSON endpoint: "auth.login" method
Basic auth: (empty due to "Reactive Authentication")
Cookie: (empty due to first request)

Response 1:
HTTP/1.1 401 Unauthorized
Set-Cookie : __cfduid=xxxx (CloudFlare cookie)
=> Cookiejar adds __cfduid cookie


Request 2:
JSON endpoint: "auth.login" method
Basic auth: user+password
Cookie: __cfduid=xxxx

Response 2:
HTTP/1.1 200 OK
Set-Cookie : _session_id=xxx (Deluge session cookie)
=> Cookiejar overwrites __cfduid cookie with _session_id cookie


Request 3:
JSON endpoint: "web.update_ui" method
Basic auth: (empty due to "Reactive Authentication")
Cookie: _session_id=xxx

Response 3:
HTTP/1.1 401 Unauthorized
Set-Cookie : __cfduid=xxxx (CloudFlare cookie)
=> Cookiejar overwrites _session_id cookie with __cfduid cookie, this results in authentication issues in later requests


Request 4:
JSON endpoint: "web.update_ui" method
Basic auth: user+password
Cookie: __cfduid=xxxx

Response 4:
=> Error not authenticated, due to missing deluge session cookie


Would it be possible to modify the Reactive basic auth implementation to Preemptive basic auth? I believe this can be achieved by replacing the Authenticator interface with an interceptor, as shown in this example. This should also result in 50% less HTTP requests being made.
Alternatively, could the cookiejar/cookiestore implementation be modified to take this issue into account?
cron