From df83516086cd293e2074691fcbc77eecdb441674 Mon Sep 17 00:00:00 2001 From: waweic Date: Mon, 26 Feb 2018 17:01:06 +0100 Subject: [PATCH 1/5] Fix jumping time in beets.js Round was used instead of floor --- beetsplug/web/static/beets.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/beetsplug/web/static/beets.js b/beetsplug/web/static/beets.js index ec9aae9b3..51985c183 100644 --- a/beetsplug/web/static/beets.js +++ b/beetsplug/web/static/beets.js @@ -4,7 +4,7 @@ var timeFormat = function(secs) { return '0:00'; } secs = Math.round(secs); - var mins = '' + Math.round(secs / 60); + var mins = '' + Math.floor(secs / 60); secs = '' + (secs % 60); if (secs.length < 2) { secs = '0' + secs; From e3599742b44a8d2053d98e004d71a9451c001610 Mon Sep 17 00:00:00 2001 From: Samuel Loury Date: Mon, 26 Feb 2018 16:10:54 +0100 Subject: [PATCH 2/5] Add a support for supports_credentials If the web plugin is behind a credential based http server and is accessed by another in-browser client in another domain, the specification of CORS requires the server to indicate it supports such credentials. --- beetsplug/web/__init__.py | 8 +++++++- docs/changelog.rst | 3 +++ docs/plugins/web.rst | 18 +++++++++++------- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/beetsplug/web/__init__.py b/beetsplug/web/__init__.py index 635c2f5a8..c78e7b73b 100644 --- a/beetsplug/web/__init__.py +++ b/beetsplug/web/__init__.py @@ -341,6 +341,7 @@ class WebPlugin(BeetsPlugin): 'host': u'127.0.0.1', 'port': 8337, 'cors': '', + 'cors_supports_credentials': False, 'reverse_proxy': False, 'include_paths': False, }) @@ -372,7 +373,12 @@ class WebPlugin(BeetsPlugin): app.config['CORS_RESOURCES'] = { r"/*": {"origins": self.config['cors'].get(str)} } - CORS(app) + CORS( + app, + supports_credentials=self.config[ + 'cors_supports_credentials' + ] + ) # Allow serving behind a reverse proxy if self.config['reverse_proxy']: 
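Review bot: The new `supports_credentials=` argument in the `CORS(app, ...)` call is applied whatever `cors` is set to, so a config with `cors: '*'` and `cors_supports_credentials: yes` is accepted silently. As far as I know, flask-cors by default answers a wildcard origin by echoing the request's `Origin` header rather than sending `*`; if that holds for the installed version, any site the user visits could make credentialed cross-origin requests to the beets API. I would reject that combination before the call, e.g. `if self.config['cors'].get(str) == '*' and self.config['cors_supports_credentials'].get(bool):` followed by `raise ui.UserError(u'cors_supports_credentials requires an explicit cors origin')`. The later `.get(bool)` hunk in patch 4/5 touches the same call and leaves the same gap, and the `web.rst` text only mentions the risk of `'*'` in general terms. The enclosing method starts and ends outside the hunk, so the exact placement of the check needs confirming against the full file.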
diff --git a/docs/changelog.rst b/docs/changelog.rst index 3121b3394..ab1d53e48 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst @@ -15,6 +15,9 @@ New features: * :doc:`/plugins/fetchart`: extended syntax for the ``sources`` option to give fine-grained control over the search order for backends with several matching strategies. +* :doc:`/plugins/web`: added the boolean ``cors_supports_credentials`` option to + allow in-browser clients to login to the beet web server even when it is + protected by an authorization mechanism. Fixes: diff --git a/docs/plugins/web.rst b/docs/plugins/web.rst index 73a2b9147..fcf7e4934 100644 --- a/docs/plugins/web.rst +++ b/docs/plugins/web.rst @@ -63,6 +63,8 @@ configuration file. The available options are: Default: 8337. - **cors**: The CORS allowed origin (see :ref:`web-cors`, below). Default: CORS is disabled. +- **cors_supports_credentials**: Support credentials when using CORS (see :ref:`web-cors`, below). + Default: CORS_SUPPORTS_CREDENTIALS is disabled. - **reverse_proxy**: If true, enable reverse proxy support (see :ref:`reverse-proxy`, below). Default: false. 
@@ -100,13 +102,15 @@ default, browsers will only allow access from clients running on the same server as the API. (You will get an arcane error about ``XMLHttpRequest`` otherwise.) A technology called `CORS`_ lets you relax this restriction. -If you want to use an in-browser client hosted elsewhere (or running from -a different server on your machine), first install the `flask-cors`_ plugin by -typing ``pip install flask-cors``. Then set the ``cors`` configuration option -to the "origin" (protocol, host, and optional port number) where the client is -served. Or set it to ``'*'`` to enable access from all origins. Note that -there are security implications if you set the origin to ``'*'``, so please -research this before using it. +If you want to use an in-browser client hosted elsewhere (or running from a +different server on your machine), first install the `flask-cors`_ plugin by +typing ``pip install flask-cors``. Then set the ``cors`` configuration option to +the "origin" (protocol, host, and optional port number) where the client is +served. Or set it to ``'*'`` to enable access from all origins. Note that there +are security implications if you set the origin to ``'*'``, so please research +this before using it. In addition, if the ``web`` server is hidden via +credentials, you might want to set the ``cors_supports_credentials`` +configuration option to True for the in-browser client to be able to login. For example:: From 00f61e928130db7e33f9c8fc7652f268d1b0aa73 Mon Sep 17 00:00:00 2001 From: waweic Date: Mon, 26 Feb 2018 21:18:41 +0100 Subject: [PATCH 3/5] Update changelog.rst Add the changelog entry --- docs/changelog.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/changelog.rst b/docs/changelog.rst index 3121b3394..afd1ae407 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst 
@@ -65,6 +65,9 @@ Fixes: * Importing a release with multiple release events now selects the event based on the order of your :ref:`preferred` countries rather than the order of release events in MusicBrainz. :bug:`2816` +* :doc:`/plugins/web`: The time display in the web interface would incorrectly jump + at the 30-second mark of every minute. Now, it correctly changes over at zero + seconds. :bug:`2822` For developers: From 453fd372a3ff389ed928b54aa3c3812cf9bf781e Mon Sep 17 00:00:00 2001 From: Adrian Sampson Date: Mon, 26 Feb 2018 18:00:59 -0500 Subject: [PATCH 4/5] Flatten a config view (#2821) --- beetsplug/web/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/beetsplug/web/__init__.py b/beetsplug/web/__init__.py index c78e7b73b..fd0060f4c 100644 --- a/beetsplug/web/__init__.py +++ b/beetsplug/web/__init__.py @@ -377,7 +377,7 @@ class WebPlugin(BeetsPlugin): app, supports_credentials=self.config[ 'cors_supports_credentials' - ] + ].get(bool) ) # Allow serving behind a reverse proxy From 6d5a1e9284ed10d11158ac22160ccf4554b20d88 Mon Sep 17 00:00:00 2001 From: Adrian Sampson Date: Mon, 26 Feb 2018 18:02:16 -0500 Subject: [PATCH 5/5] web docs: Split CORS credentials paragraph (#2821) --- docs/plugins/web.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/plugins/web.rst b/docs/plugins/web.rst index fcf7e4934..35287acc8 100644 --- a/docs/plugins/web.rst +++ b/docs/plugins/web.rst 
@@ -108,9 +108,11 @@ typing ``pip install flask-cors``. Then set the ``cors`` configuration option to the "origin" (protocol, host, and optional port number) where the client is served. Or set it to ``'*'`` to enable access from all origins. Note that there are security implications if you set the origin to ``'*'``, so please research -this before using it. In addition, if the ``web`` server is hidden via -credentials, you might want to set the ``cors_supports_credentials`` -configuration option to True for the in-browser client to be able to login. +this before using it. + +If the ``web`` server is behind a proxy that uses credentials, you might want +to set the ``cors_supports_credentials`` configuration option to true to let +in-browser clients log in. For example::