Fix: Disable auto-login for API token requests (#5094)

src/paperless/auth.py

@@ -2,12 +2,16 @@ from django.conf import settings
 from django.contrib import auth
 from django.contrib.auth.middleware import PersistentRemoteUserMiddleware
 from django.contrib.auth.models import User
+from django.http import HttpRequest
 from django.utils.deprecation import MiddlewareMixin
 from rest_framework import authentication
 
 
 class AutoLoginMiddleware(MiddlewareMixin):
-    def process_request(self, request):
+    def process_request(self, request: HttpRequest):
+        # Dont use auto-login with token request
+        if request.path.startswith("/api/token/") and request.method == "POST":
+            return None
         try:
             request.user = User.objects.get(username=settings.AUTO_LOGIN_USERNAME)
             auth.login(

src/paperless/settings.py

@@ -297,8 +297,8 @@ if DEBUG:
 REST_FRAMEWORK = {
     "DEFAULT_AUTHENTICATION_CLASSES": [
         "rest_framework.authentication.BasicAuthentication",
-        "rest_framework.authentication.SessionAuthentication",
         "rest_framework.authentication.TokenAuthentication",
+        "rest_framework.authentication.SessionAuthentication",
     ],
     "DEFAULT_VERSIONING_CLASS": "rest_framework.versioning.AcceptHeaderVersioning",
     "DEFAULT_VERSION": "1",