From c257866d71e69aedde93853b8d6c2f9eae986bb7 Mon Sep 17 00:00:00 2001
From: Linty
Date: Thu, 13 Nov 2025 13:04:22 +0100
Subject: [PATCH] fixes #2436 refactor async upload authentication

Replaces direct login check with ws_session_login for 'pwg.images.uploadAsync' and updates error handling to return the login response. Also updates the web service method definition to make username and password optional and clarifies admin credential requirements in the documentation.
---
 include/user.inc.php | 15 ++++++++++++---
 ws.php | 6 +++---
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/include/user.inc.php b/include/user.inc.php
index 8bb62e76c..ded889409 100644
--- a/include/user.inc.php
+++ b/include/user.inc.php
@@ -102,10 +102,19 @@ if (
 and isset($_POST['password'])
 )
 {
- if (!try_log_user($_POST['username'], $_POST['password'], false))
+ include_once(PHPWG_ROOT_PATH.'include/ws_init.inc.php');
+ include_once(PHPWG_ROOT_PATH.'include/ws_functions/pwg.php');
+
+ $credentials = array(
+ 'username' => $_POST['username'],
+ 'password' => $_POST['password']
+ );
+
+ $login = ws_session_login($credentials, $service);
+
+ if (true !== $login)
 {
- include_once(PHPWG_ROOT_PATH.'include/ws_init.inc.php');
- $service->sendResponse(new PwgError(999, 'Invalid username/password'));
+ $service->sendResponse($login);
 exit();
 }
 $_SESSION['connected_with'] = 'pwg.images.uploadAsync';
diff --git a/ws.php b/ws.php
index a8628418b..ac86b4347 100644
--- a/ws.php
+++ b/ws.php
@@ -517,8 +517,8 @@ function ws_addDefaultMethods( $arr )
 'pwg.images.uploadAsync',
 'ws_images_uploadAsync',
 array(
- 'username' => array(),
- 'password' => array('default'=>null),
+ 'username' => array('flags'=>WS_PARAM_OPTIONAL),
+ 'password' => array('default'=>null, 'flags'=>WS_PARAM_OPTIONAL),
 'chunk' => array('type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
 'chunk_sum' => array(),
 'chunks' => array('type'=>WS_TYPE_INT|WS_TYPE_POSITIVE),
@@ -538,7 +538,7 @@ function ws_addDefaultMethods( $arr )
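Review bot: `$_POST['username']` and `$_POST['password']` are copied into `$credentials` in include/user.inc.php with only the `isset()` test visible at the top of the hunk, so an array-valued field reaches `ws_session_login()` unchanged; whether that function tolerates non-strings is not visible here. Adding `and is_string($_POST['username']) and is_string($_POST['password'])` to the condition keeps the type guarantee local. The failure branch also sends whatever `ws_session_login()` returned in place of the fixed `PwgError(999, 'Invalid username/password')`, so it is worth confirming that every non-`true` return is a `PwgError` whose message does not reveal whether the account exists. The enclosing `if (` starts above the hunk and its body continues below it.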
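Review bot: With `username` and `password` both `WS_PARAM_OPTIONAL` in ws.php, nothing in this parameter list enforces authentication any more; access control for `pwg.images.uploadAsync` now rests on the `admin_only` flag of the same registration (visible in the following hunk) and on the login block in include/user.inc.php, which appears to run only when the POST fields are set. `'username'` has no default while `'password'` keeps `'default'=>null`, so the handler may find `$params['username']` unset; `'username' => array('default'=>null, 'flags'=>WS_PARAM_OPTIONAL),` would keep the two entries consistent. A one-line comment above them, such as `// optional: the caller may authenticate with an API key header instead`, would record why. The parameter array starts and ends outside the hunk.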
 Start with chunk 0 (zero).
 Set the form encoding to "form-data".
 You can update an existing photo if you define an existing image_id.
-Requires admin credentials.',
+Requires admin credentials: either with username/password or header authorization with api key.',
 $ws_functions_root . 'pwg.images.php',
 array('admin_only'=>true, 'post_only'=>true)
 );