From 17efd41457c7cb9aa962952c2118d96303d32b04 Mon Sep 17 00:00:00 2001
From: norohind <60548839+norohind@users.noreply.github.com>
Date: Wed, 8 Dec 2021 18:10:09 +0300
Subject: [PATCH] allow secret both in cookies and in headers
---
 web.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/web.py b/web.py
index ad0c198..1eaabeb 100644
--- a/web.py
+++ b/web.py
@@ -11,10 +11,13 @@ logger.propagate = False
 def check_secret(req: falcon.request.Request, resp: falcon.response.Response, resource, params) -> None:
- cookies_secret = req.headers.get('AUTH')
+ header_secret = req.headers.get('AUTH') # for legacy reasons
- if cookies_secret != config.access_key:
- raise falcon.HTTPForbidden
+ cookies_secret = req.get_cookie_values('key')
+
+ if header_secret != config.access_key:
+ if cookies_secret is None or cookies_secret[0] != config.access_key:
+ raise falcon.HTTPForbidden
 class AuthInit:
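Review bot: The nested `!=` checks in `check_secret` fail open if `config.access_key` is ever `None` (the config module is not shown): a request with no `AUTH` header gives `None != None`, which is false, so the hook returns without raising. The same comparisons are not constant-time, so rejecting an empty key up front and comparing with `hmac.compare_digest` (which needs `import hmac` at the top of web.py) would cover both. Accepting the secret from the `key` cookie also means browsers attach it to cross-site requests on their own, so state-changing handlers behind this hook want `SameSite` on that cookie or a CSRF token. Where the cookie is set is outside this hunk. The sketch below assumes `config.access_key` is a `str`.

```python
def check_secret(req: falcon.request.Request, resp: falcon.response.Response, resource, params) -> None:
    expected = config.access_key
    cookie_values = req.get_cookie_values('key') or []
    supplied = [req.headers.get('AUTH'), *cookie_values[:1]]  # header kept for legacy clients

    # An unset key must never match a request that sends nothing.
    if not expected or not any(
        value is not None and hmac.compare_digest(value.encode(), expected.encode())
        for value in supplied
    ):
        raise falcon.HTTPForbidden
```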