From ed05b40ba461641b1b59b0a92f51f3f6a66ce180 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Wed, 15 May 2024 13:18:50 -0700
Subject: [PATCH] Security: disallow API remote-user auth if disabled (#6739)

---
 src/paperless/auth.py                   | 11 +++++++++
 src/paperless/tests/test_remote_user.py | 33 +++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/src/paperless/auth.py b/src/paperless/auth.py
index ba9320b5d..6ca97d608 100644
--- a/src/paperless/auth.py
+++ b/src/paperless/auth.py
@@ -52,6 +52,17 @@ class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):
 
     header = settings.HTTP_REMOTE_USER_HEADER_NAME
 
+    def process_request(self, request: HttpRequest) -> None:
+        # If remote user auth is enabled only for the frontend, not the API,
+        # then we need dont want to authenticate the user for API requests.
+        if (
+            "/api/" in request.path
+            and "paperless.auth.PaperlessRemoteUserAuthentication"
+            not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
+        ):
+            return
+        return super().process_request(request)
+
 
 class PaperlessRemoteUserAuthentication(authentication.RemoteUserAuthentication):
     """
diff --git a/src/paperless/tests/test_remote_user.py b/src/paperless/tests/test_remote_user.py
index c5d7a6db4..ebe1b3ff5 100644
--- a/src/paperless/tests/test_remote_user.py
+++ b/src/paperless/tests/test_remote_user.py
@@ -2,6 +2,7 @@ import os
 from unittest import mock
 
 from django.contrib.auth.models import User
+from django.test import override_settings
 from rest_framework import status
 from rest_framework.test import APITestCase
 
@@ -88,6 +89,38 @@ class TestRemoteUser(DirectoriesMixin, APITestCase):
 
             self.assertEqual(response.status_code, status.HTTP_200_OK)
 
+    @override_settings(
+        REST_FRAMEWORK={
+            "DEFAULT_AUTHENTICATION_CLASSES": [
+                "rest_framework.authentication.BasicAuthentication",
+                "rest_framework.authentication.TokenAuthentication",
+                "rest_framework.authentication.SessionAuthentication",
+            ],
+        },
+    )
+    def test_remote_user_api_disabled(self):
+        """
+        GIVEN:
+            - Configured user
+            - Remote user auth enabled for frontend but disabled for the API
+            - Note that REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] is set in settings.py in production
+        WHEN:
+            - API call is made to get documents
+        THEN:
+            - Call fails
+        """
+        response = self.client.get(
+            "/api/documents/",
+            headers={
+                "Remote-User": self.user.username,
+            },
+        )
+
+        self.assertIn(
+            response.status_code,
+            [status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN],
+        )
+
     def test_remote_user_header_setting(self):
         """
         GIVEN: