Security: disallow API remote-user auth if disabled (#6739)

This commit is contained in:
shamoon 2024-05-15 13:18:50 -07:00 committed by GitHub
parent 97eec44647
commit ed05b40ba4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 44 additions and 0 deletions


@ -52,6 +52,17 @@ class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):
header = settings.HTTP_REMOTE_USER_HEADER_NAME
def process_request(self, request: HttpRequest) -> None:
# If remote user auth is enabled only for the frontend, not the API,
# then we need dont want to authenticate the user for API requests.
if (
"/api/" in request.path
and "paperless.auth.PaperlessRemoteUserAuthentication"
not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
):
return
return super().process_request(request)
class PaperlessRemoteUserAuthentication(authentication.RemoteUserAuthentication):
"""


@ -2,6 +2,7 @@ import os
from unittest import mock
from django.contrib.auth.models import User
from django.test import override_settings
from rest_framework import status
from rest_framework.test import APITestCase
@ -88,6 +89,38 @@ class TestRemoteUser(DirectoriesMixin, APITestCase):
self.assertEqual(response.status_code, status.HTTP_200_OK)
@override_settings(
REST_FRAMEWORK={
"DEFAULT_AUTHENTICATION_CLASSES": [
"rest_framework.authentication.BasicAuthentication",
"rest_framework.authentication.TokenAuthentication",
"rest_framework.authentication.SessionAuthentication",
],
},
)
def test_remote_user_api_disabled(self):
"""
GIVEN:
- Configured user
- Remote user auth enabled for frontend but disabled for the API
- Note that REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] is set in settings.py in production
WHEN:
- API call is made to get documents
THEN:
- Call fails
"""
response = self.client.get(
"/api/documents/",
headers={
"Remote-User": self.user.username,
},
)
self.assertIn(
response.status_code,
[status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN],
)
def test_remote_user_header_setting(self):
"""
GIVEN:
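Review bot: The new `test_remote_user_api_disabled` only checks that the API call is rejected under the overridden `REST_FRAMEWORK` setting; it does not confirm that remote-user authentication is still honoured for non-API requests with the same settings, so a regression that disabled the middleware for every path would still pass. If the surrounding test class already exercises a non-API path with the `Remote-User` header, a second request in this test (or a sibling test) under the same `@override_settings` asserting that path still authenticates would pin the intended split between frontend and API. The docstring's GIVEN/WHEN/THEN layout matches the neighbouring tests, which is good. The hunk's trailing context cuts into the docstring of `test_remote_user_header_setting`, whose body lies outside the hunk.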