From 5576a073a5b0308147945bd7cc45152d14972b67 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Tue, 26 Dec 2023 14:22:41 -0800
Subject: [PATCH] Fix: Disable auto-login for API token requests (#5094)
---
 src/paperless/auth.py | 6 +++++-
 src/paperless/settings.py | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/paperless/auth.py b/src/paperless/auth.py
index 2285d0526..a23b01cb4 100644
--- a/src/paperless/auth.py
+++ b/src/paperless/auth.py
@@ -2,12 +2,16 @@ from django.conf import settings
 from django.contrib import auth
 from django.contrib.auth.middleware import PersistentRemoteUserMiddleware
 from django.contrib.auth.models import User
+from django.http import HttpRequest
 from django.utils.deprecation import MiddlewareMixin
 from rest_framework import authentication
 class AutoLoginMiddleware(MiddlewareMixin):
- def process_request(self, request):
+ def process_request(self, request: HttpRequest):
+ # Dont use auto-login with token request
+ if request.path.startswith("/api/token/") and request.method == "POST":
+ return None
 try:
 request.user = User.objects.get(username=settings.AUTO_LOGIN_USERNAME)
 auth.login(
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index 30986aaa0..2df9b83ea 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -297,8 +297,8 @@ if DEBUG:
 REST_FRAMEWORK = {
 "DEFAULT_AUTHENTICATION_CLASSES": [
 "rest_framework.authentication.BasicAuthentication",
- "rest_framework.authentication.SessionAuthentication",
 "rest_framework.authentication.TokenAuthentication",
+ "rest_framework.authentication.SessionAuthentication",
 ],
 "DEFAULT_VERSIONING_CLASS": "rest_framework.versioning.AcceptHeaderVersioning",
 "DEFAULT_VERSION": "1",
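Review bot: The new guard in `process_request` compares `request.path` against a hard-coded `"/api/token/"` prefix, so it only matches while the application is served from the site root. Django's `request.path` includes any script prefix, so under a sub-path mount the check would presumably never match and token requests would still be auto-logged-in as `AUTO_LOGIN_USERNAME`; `request.path_info` excludes the prefix: `if request.path_info.startswith("/api/token/") and request.method == "POST":`. The comment should also say why the bypass exists, for example `# Skip auto-login so the token endpoint authenticates the submitted credentials, not the auto-login user` (assuming that is the intent). The diff touches no test file, so a regression test that POSTs to the token endpoint with auto-login enabled would keep the bypass from silently breaking. `process_request` continues past the end of the hunk.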
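Review bot: The order of `DEFAULT_AUTHENTICATION_CLASSES` in `settings.py` now carries meaning, but nothing in the list records it. DRF tries the classes in order and stops at the first one that authenticates, so with `TokenAuthentication` ahead of `SessionAuthentication` a request carrying both a session cookie and a token header is identified by the token and skips the CSRF check that `SessionAuthentication` applies. That is presumably the intent (a session created by auto-login should not shadow an explicit token), but a later re-sort of the list would undo it without any visible failure. A comment above the entries would record it, such as `# Order matters: token auth must precede session auth so an auto-login session does not override an explicit token`. The `REST_FRAMEWORK` dict continues outside the hunk.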