Allow token-based access to /media/ and /static/

- The InvenTree app needs to access the images, but currently token auth only works for the /api/ endpoint
- The app cannot use csrf tokens!
- So, borrow the tokens which are already created per-user in the DRF framework
- If a user is not authed, then check for a token!
- See InvenTree/middleware.py for further documentation
This commit is contained in:
Oliver Walters 2020-04-04 23:29:05 +11:00
parent aee0970e49
commit d505e79be8
2 changed files with 48 additions and 6 deletions

View File

@ -5,6 +5,8 @@ import logging
import time
import operator
from rest_framework.authtoken.models import Token
logger = logging.getLogger(__name__)
@ -20,9 +22,48 @@ class AuthRequiredMiddleware(object):
response = self.get_response(request)
# Redirect any unauthorized HTTP requests to the login page
if not request.user.is_authenticated:
if not request.path_info == reverse_lazy('login') and not request.path_info.startswith('/api/'):
"""
Normally, a web-based session would use csrftoken based authentication.
However when running an external application (e.g. the InvenTree app),
we wish to use token-based auth to grab media files.
So, we will allow token-based authentication but ONLY for the /media/ directory.
What problem is this solving?
- The InvenTree mobile app does not use csrf token auth
- Token auth is used by the Django REST framework, but that is under the /api/ endpoint
- Media files (e.g. Part images) are required to be served to the app
- We do not want to make /media/ files accessible without login!
There is PROBABLY a better way of going about this?
a) Allow token-based authentication against a user?
b) Serve /media/ files in a duplicate location e.g. /api/media/ ?
c) Is there a "standard" way of solving this problem?
My [google|stackoverflow]-fu has failed me. So this hack has been created.
"""
authorized = False
if 'Authorization' in request.headers.keys():
auth = request.headers['Authorization'].strip()
if auth.startswith('Token') and len(auth.split()) == 2:
token = auth.split()[1]
# Does the provided token match a valid user?
if Token.objects.filter(key=token).exists():
allowed = ['/media/', '/static/']
# Only allow token-auth for /media/ or /static/ dirs!
if any([request.path_info.startswith(a) for a in allowed]):
authorized = True
# No authorization was found for the request
if not authorized:
if not request.path_info == reverse_lazy('login') and not request.path_info == '/api/':
return HttpResponseRedirect(reverse_lazy('login'))
# Code to be executed for each request/response after
@ -38,6 +79,8 @@ class QueryCountMiddleware(object):
status code of 200). It does not currently support
multi-db setups.
To enable this middleware, set 'log_queries: True' in the local InvenTree config file.
Reference: https://www.dabapps.com/blog/logging-sql-queries-django-13/
"""

View File

@ -109,9 +109,8 @@ urlpatterns = [
# Static file access
urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
if settings.DEBUG:
# Media file access
urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
# Media file access
urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
# Send any unknown URLs to the parts page
urlpatterns += [url(r'^.*$', RedirectView.as_view(url='/index/', permanent=False), name='index')]