Bypass custom token auth for /api/ endpoint

This commit is contained in:
Oliver 2021-08-10 23:09:54 +10:00
parent 7ef5c0058e
commit 799f17ef50


@ -21,26 +21,15 @@ class AuthRequiredMiddleware(object):
assert hasattr(request, 'user') assert hasattr(request, 'user')
# API requests are handled by the DRF library
if request.path_info.startswith('/api/'):
return self.get_response(request)
if not request.user.is_authenticated: if not request.user.is_authenticated:
""" """
Normally, a web-based session would use csrftoken based authentication. Normally, a web-based session would use csrftoken based authentication.
However when running an external application (e.g. the InvenTree app), However when running an external application (e.g. the InvenTree app or Python library),
we wish to use token-based auth to grab media files. we must validate the user token manually.
So, we will allow token-based authentication but ONLY for the /media/ directory.
What problem is this solving?
- The InvenTree mobile app does not use csrf token auth
- Token auth is used by the Django REST framework, but that is under the /api/ endpoint
- Media files (e.g. Part images) are required to be served to the app
- We do not want to make /media/ files accessible without login!
There is PROBABLY a better way of going about this?
a) Allow token-based authentication against a user?
b) Serve /media/ files in a duplicate location e.g. /api/media/ ?
c) Is there a "standard" way of solving this problem?
My [google|stackoverflow]-fu has failed me. So this hack has been created.
""" """
authorized = False authorized = False
@ -57,18 +46,19 @@ class AuthRequiredMiddleware(object):
elif 'Authorization' in request.headers.keys() or 'authorization' in request.headers.keys(): elif 'Authorization' in request.headers.keys() or 'authorization' in request.headers.keys():
auth = request.headers.get('Authorization', request.headers.get('authorization')).strip() auth = request.headers.get('Authorization', request.headers.get('authorization')).strip()
if auth.startswith('Token') and len(auth.split()) == 2: if auth.lower().startswith('token') and len(auth.split()) == 2:
token = auth.split()[1] token_key = auth.split()[1]
# Does the provided token match a valid user? # Does the provided token match a valid user?
try: try:
token = Token.objects.get(key=token) token = Token.objects.get(key=token_key)
# Provide the user information to the request # Provide the user information to the request
request.user = token.user request.user = token.user
authorized = True authorized = True
except Token.DoesNotExist: except Token.DoesNotExist:
logger.warning(f"Access denied for unknown token {token_key}")
pass pass
# No authorization was found for the request # No authorization was found for the request
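Review bot: The new `logger.warning(f"Access denied for unknown token {token_key}")` in the `except Token.DoesNotExist:` branch writes the caller-supplied token string verbatim into the log, so a mistyped-but-nearly-valid secret, or any untrusted string sent in the `Authorization` header (including embedded newlines), lands in log files at WARNING level. The rejection can be diagnosed without the secret; `logger.warning("Access denied for unknown token")` is sufficient, and if some correlation is needed, log at most a short truncated prefix such as `token_key[:4]` via lazy args (`logger.warning("Access denied for unknown token prefix %s", token_key[:4])`). The first hunk's early `return self.get_response(request)` for `/api/` paths would also benefit from a one-line comment stating that authentication for `/api/` is now entirely delegated to the DRF authentication and permission classes, since this middleware no longer checks those requests. The enclosing method of `AuthRequiredMiddleware` begins before the hunk, so the surrounding `if not request.user.is_authenticated:` structure is only partly visible here.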