mirror of
https://github.com/inventree/InvenTree
synced 2024-08-30 18:33:04 +00:00
CORS fixes: (#6310)
* CORS fixes: - Update CORS headers in settings.py * Remove dead code
This commit is contained in:
parent
917a88c6f4
commit
edad000d8e
@ -25,6 +25,41 @@ class AuthRequiredMiddleware(object):
|
||||
"""Save response object."""
|
||||
self.get_response = get_response
|
||||
|
||||
def get_auth_headers(self, request):
|
||||
"""Extract authorization headers from request."""
|
||||
keys = ['Authorization', 'authorization']
|
||||
|
||||
for k in keys:
|
||||
if k in request.headers.keys():
|
||||
return request.headers[k]
|
||||
|
||||
return None
|
||||
|
||||
def check_token(self, request) -> bool:
|
||||
"""Check if the user is authenticated via token."""
|
||||
auth = self.get_auth_headers(request)
|
||||
|
||||
if not auth:
|
||||
return False
|
||||
|
||||
auth = auth.strip().lower().split()
|
||||
|
||||
if len(auth) > 1 and auth[0].startswith('token'):
|
||||
token = auth[1]
|
||||
|
||||
# Does the provided token match a valid user?
|
||||
try:
|
||||
token = ApiToken.objects.get(key=token)
|
||||
|
||||
if token.active and token.user:
|
||||
# Provide the user information to the request
|
||||
request.user = token.user
|
||||
return True
|
||||
except ApiToken.DoesNotExist:
|
||||
logger.warning('Access denied for unknown token %s', token)
|
||||
|
||||
return False
|
||||
|
||||
def __call__(self, request):
|
||||
"""Check if user needs to be authenticated and is.
|
||||
|
||||
@ -70,28 +105,8 @@ class AuthRequiredMiddleware(object):
|
||||
):
|
||||
authorized = True
|
||||
|
||||
elif (
|
||||
'Authorization' in request.headers.keys()
|
||||
or 'authorization' in request.headers.keys()
|
||||
):
|
||||
auth = request.headers.get(
|
||||
'Authorization', request.headers.get('authorization')
|
||||
).strip()
|
||||
|
||||
if auth.lower().startswith('token') and len(auth.split()) == 2:
|
||||
token_key = auth.split()[1]
|
||||
|
||||
# Does the provided token match a valid user?
|
||||
try:
|
||||
token = ApiToken.objects.get(key=token_key)
|
||||
|
||||
if token.active and token.user:
|
||||
# Provide the user information to the request
|
||||
request.user = token.user
|
||||
authorized = True
|
||||
|
||||
except ApiToken.DoesNotExist:
|
||||
logger.warning('Access denied for unknown token %s', token_key)
|
||||
elif self.check_token(request):
|
||||
authorized = True
|
||||
|
||||
# No authorization was found for the request
|
||||
if not authorized:
|
||||
|
@ -131,15 +131,17 @@ ALLOWED_HOSTS = get_setting(
|
||||
|
||||
# Cross Origin Resource Sharing (CORS) options
|
||||
|
||||
# Extract CORS options from configuration file
|
||||
CORS_ALLOW_ALL_ORIGINS = get_boolean_setting(
|
||||
'INVENTREE_CORS_ORIGIN_ALLOW_ALL', config_key='cors.allow_all', default_value=DEBUG
|
||||
)
|
||||
|
||||
CORS_ALLOW_CREDENTIALS = True
|
||||
|
||||
# Only allow CORS access to API and media endpoints
|
||||
CORS_URLS_REGEX = r'^/(api|media|static)/.*$'
|
||||
|
||||
# Extract CORS options from configuration file
|
||||
CORS_ORIGIN_ALLOW_ALL = get_boolean_setting(
|
||||
'INVENTREE_CORS_ORIGIN_ALLOW_ALL', config_key='cors.allow_all', default_value=False
|
||||
)
|
||||
|
||||
CORS_ORIGIN_WHITELIST = get_setting(
|
||||
CORS_ALLOWED_ORIGINS = get_setting(
|
||||
'INVENTREE_CORS_ORIGIN_WHITELIST',
|
||||
config_key='cors.whitelist',
|
||||
default_value=[],
|
||||
@ -263,9 +265,9 @@ MIDDLEWARE = CONFIG.get(
|
||||
'x_forwarded_for.middleware.XForwardedForMiddleware',
|
||||
'user_sessions.middleware.SessionMiddleware', # db user sessions
|
||||
'django.middleware.locale.LocaleMiddleware',
|
||||
'django.middleware.common.CommonMiddleware',
|
||||
'django.middleware.csrf.CsrfViewMiddleware',
|
||||
'corsheaders.middleware.CorsMiddleware',
|
||||
'django.middleware.common.CommonMiddleware',
|
||||
'django.contrib.auth.middleware.AuthenticationMiddleware',
|
||||
'InvenTree.middleware.InvenTreeRemoteUserMiddleware', # Remote / proxy auth
|
||||
'django_otp.middleware.OTPMiddleware', # MFA support
|
||||
|
Loading…
Reference in New Issue
Block a user