use django authentication instead of auth tokens.

2025-07-28 18:24:38 -05:00 · 2020-11-09 15:28:12 +01:00
parent 7ec4e29966
commit 3b0e794b3d
24 changed files with 172 additions and 328 deletions
--- a/src/paperless/auth.py
+++ b/src/paperless/auth.py
@@ -1,11 +1,17 @@
-from rest_framework.authentication import TokenAuthentication
+from django.conf import settings
+from django.contrib.auth.models import User
+from rest_framework import authentication
+
+
+class AngularApiAuthenticationOverride(authentication.BaseAuthentication):
+    """ This class is here to provide authentication to the angular dev server
+        during development. This is disabled in production.
+    """

-# This authentication method is required to serve documents and thumbnails for the front end.
-# https://stackoverflow.com/questions/29433416/token-in-query-string-with-django-rest-frameworks-tokenauthentication
-class QueryTokenAuthentication(TokenAuthentication):
    def authenticate(self, request):
-        # Check if 'token_auth' is in the request query params.
-        if 'auth_token' in request.query_params and 'HTTP_AUTHORIZATION' not in request.META:
-            return self.authenticate_credentials(request.query_params.get('auth_token'))
+        if settings.DEBUG and 'Origin' in request.headers and request.headers['Origin'] == 'http://localhost:4200':
+            user = User.objects.filter(is_staff=True).first()
+            print("Auto-Login with user {}".format(user))
+            return (user, None)
        else:
            return None
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -21,6 +21,9 @@ def __get_boolean(key, default="NO"):
    """
    return bool(os.getenv(key, default).lower() in ("yes", "y", "1", "t", "true"))

+# NEVER RUN WITH DEBUG IN PRODUCTION.
+DEBUG = __get_boolean("PAPERLESS_DEBUG", "NO")
+
 ###############################################################################
 # Directories                                                                 #
 ###############################################################################
@@ -66,7 +69,6 @@ INSTALLED_APPS = [
    "django.contrib.admin",

    "rest_framework",
-    "rest_framework.authtoken",
    "django_filters",

 ]
@@ -74,11 +76,15 @@ INSTALLED_APPS = [
 REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.BasicAuthentication',
-        'rest_framework.authentication.TokenAuthentication',
-        'paperless.auth.QueryTokenAuthentication'
+        'rest_framework.authentication.SessionAuthentication'
    ]
 }

+if DEBUG:
+    REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'].append(
+        'paperless.auth.AngularApiAuthenticationOverride'
+    )
+
 MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'whitenoise.middleware.WhiteNoiseMiddleware',
@@ -93,8 +99,6 @@ MIDDLEWARE = [

 ROOT_URLCONF = 'paperless.urls'

-LOGIN_URL = "admin:login"
-
 FORCE_SCRIPT_NAME = os.getenv("PAPERLESS_FORCE_SCRIPT_NAME")

 WSGI_APPLICATION = 'paperless.wsgi.application'
@@ -122,9 +126,6 @@ TEMPLATES = [
 # Security                                                                    #
 ###############################################################################

-# NEVER RUN WITH DEBUG IN PRODUCTION.
-DEBUG = __get_boolean("PAPERLESS_DEBUG", "NO")
-
 if DEBUG:
    X_FRAME_OPTIONS = ''
    # this should really be 'allow-from uri' but its not supported in any mayor
--- a/src/paperless/urls.py
+++ b/src/paperless/urls.py
@@ -1,9 +1,9 @@
 from django.conf.urls import include, url
 from django.contrib import admin
+from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import RedirectView
-from rest_framework.authtoken import views
 from rest_framework.routers import DefaultRouter

 from paperless.views import FaviconView
@@ -34,7 +34,7 @@ urlpatterns = [
    url(r"^api/search/autocomplete/", SearchAutoCompleteView.as_view(), name="autocomplete"),
    url(r"^api/search/", SearchView.as_view(), name="search"),
    url(r"^api/statistics/", StatisticsView.as_view(), name="statistics"),
-    url(r"^api/token/", views.obtain_auth_token), url(r"^api/", include((api_router.urls, 'drf'), namespace="drf")),
+    url(r"^api/", include((api_router.urls, 'drf'), namespace="drf")),

    # Favicon
    url(r"^favicon.ico$", FaviconView.as_view(), name="favicon"),
@@ -58,10 +58,12 @@ urlpatterns = [
    url(r"^push$", csrf_exempt(RedirectView.as_view(url='/api/documents/post_document/'))),

    # Frontend assets TODO: this is pretty bad.
-    path('assets/<path:path>', RedirectView.as_view(url='/static/assets/%(path)s')),
+    path('assets/<path:path>', RedirectView.as_view(url='/static/frontend/assets/%(path)s')),
+
+    path('accounts/', include('django.contrib.auth.urls')),

    # Root of the Frontent
-    url(r".*", IndexView.as_view()),
+    url(r".*", login_required(IndexView.as_view())),

 ]