From 1cff9ccc6349f80dcbe50311001d6b1d88a293af Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Thu, 5 Jun 2014 09:16:12 +0200
Subject: [PATCH] API key change should take effect on restart only
---
 cmd/syncthing/gui.go | 4 +++-
 cmd/syncthing/gui_csrf.go | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/cmd/syncthing/gui.go b/cmd/syncthing/gui.go
index 0f866fd76..ef21e95c4 100644
--- a/cmd/syncthing/gui.go
+++ b/cmd/syncthing/gui.go
@@ -40,6 +40,7 @@ var (
 guiErrors = []guiError{}
 guiErrorsMut sync.Mutex
 static func(http.ResponseWriter, *http.Request, *log.Logger)
+ apiKey string
 )
 const (
@@ -115,6 +116,7 @@ func startGUI(cfg config.GUIConfiguration, assetDir string, m *model.Model) erro
 mr.Action(router.Handle)
 mr.Map(m)
+ apiKey = cfg.APIKey
 loadCsrfTokens()
 go http.Serve(listener, mr)
@@ -363,7 +365,7 @@ func basic(username string, passhash string) http.HandlerFunc {
 }
 func validAPIKey(k string) bool {
- return len(cfg.GUI.APIKey) > 0 && k == cfg.GUI.APIKey
+ return len(apiKey) > 0 && k == apiKey
 }
 func embeddedStatic() func(http.ResponseWriter, *http.Request, *log.Logger) {
diff --git a/cmd/syncthing/gui_csrf.go b/cmd/syncthing/gui_csrf.go
index 7fb67e19c..1dbf1faf1 100644
--- a/cmd/syncthing/gui_csrf.go
+++ b/cmd/syncthing/gui_csrf.go
@@ -25,6 +25,7 @@ func csrfMiddleware(w http.ResponseWriter, r *http.Request) {
 if validAPIKey(r.Header.Get("X-API-Key")) {
 return
 }
+
 if strings.HasPrefix(r.URL.Path, "/rest/") {
 token := r.Header.Get("X-CSRF-Token")
 if !validCsrfToken(token) {
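Review bot: The new package-level `apiKey` in the `var (` block has no comment saying that it is a snapshot taken once in startGUI, which is the whole point of the change. Suggest `// apiKey is the key in effect since startup; edits to cfg.GUI.APIKey apply only after a restart.` on the declaration. One consequence worth stating in the user-facing docs: a key that is replaced or cleared in the configuration because it leaked keeps being accepted by validAPIKey until the process restarts. The assignment in the second hunk is an unsynchronised write that is safe only because it precedes `go http.Serve`; that assumes startGUI runs once, which is not visible from these hunks.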
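Review bot: validAPIKey still compares the secret with `==`, which can return at the first differing byte and so is not constant-time; since this line is being rewritten anyway, it is a good moment to switch to `return len(apiKey) > 0 && subtle.ConstantTimeCompare([]byte(k), []byte(apiKey)) == 1`. That needs `crypto/subtle` in gui.go's import block, which is outside this hunk. ConstantTimeCompare returns 0 immediately when the lengths differ, so the key length remains observable, which is generally acceptable for a randomly generated key.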