Files under /media require session to be authenticated

References: - https://docs.djangoproject.com/en/3.2/howto/deployment/wsgi/apache-auth/ - https://stackoverflow.com/questions/46421589/nginx-location-and-django-auth - https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/ - https://pawamoy.github.io/posts/django-auth-server-for-shiny/
2024-08-30 18:33:04 +00:00 · 2021-06-16 21:30:25 +10:00 · 2021-06-16 21:30:25 +10:00 · acd7322ff0
commit acd7322ff0
parent 058fc57ff1
3 changed files with 31 additions and 6 deletions
--- a/InvenTree/InvenTree/urls.py
+++ b/InvenTree/InvenTree/urls.py
@ -37,6 +37,7 @@ from django.conf.urls.static import static
 from django.views.generic.base import RedirectView
 from rest_framework.documentation import include_docs_urls

+from .views import auth_request
 from .views import IndexView, SearchView, DatabaseStatsView
 from .views import SettingsView, EditUserView, SetPasswordView
 from .views import CurrencySettingsView, CurrencyRefreshView
@ -155,6 +156,8 @@ urlpatterns = [
    url(r'^search/', SearchView.as_view(), name='search'),
    url(r'^stats/', DatabaseStatsView.as_view(), name='stats'),

+    url(r'^auth/?', auth_request),
+
    url(r'^api/', include(apipatterns)),
    url(r'^api-doc/', include_docs_urls(title='InvenTree API')),

--- a/InvenTree/InvenTree/views.py
+++ b/InvenTree/InvenTree/views.py
@ -10,7 +10,7 @@ from __future__ import unicode_literals

 from django.utils.translation import gettext_lazy as _
 from django.template.loader import render_to_string
-from django.http import JsonResponse, HttpResponseRedirect
+from django.http import HttpResponse, JsonResponse, HttpResponseRedirect
 from django.urls import reverse_lazy
 from django.conf import settings

@ -36,6 +36,19 @@ from .helpers import str2bool
 from rest_framework import views


+def auth_request(request):
+    """
+    Simple 'auth' endpoint used to determine if the user is authenticated.
+    Useful for (for example) redirecting authentication requests through
+    django's permission framework.
+    """
+
+    if request.user.is_authenticated:
+        return HttpResponse(status=200)
+    else:
+        return HttpResponse(status=403)
+
+
 class TreeSerializer(views.APIView):
    """ JSON View for serializing a Tree object.

--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@ -1,3 +1,4 @@
+
 server {

    # Listen for connection on (internal) port 80
@ -37,12 +38,20 @@ server {
    # Redirect any requests for media files
    location /media/ {
        alias /var/www/media/;
-        autoindex on;

-        # Caching settings
-        expires 30d;
-        add_header Pragma public;
-        add_header Cache-Control "public";
+        # Media files require user authentication
+        auth_request /auth;
+    }
+
+    # Use the 'user' API endpoint for auth
+    location /auth {
+        internal;
+
+        proxy_pass http://inventree-server:8000/auth/;
+
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+        proxy_set_header X-Original-URI $request_uri;
    }

 }