fix REST API CSRF and auth handling

2025-06-01 07:18:27 -04:00 · 2024-09-03 14:16:44 -07:00 · 2024-09-03 14:16:44 -07:00 · 01094ecb03
commit 01094ecb03
parent 41a318a8bd
9 changed files with 164 additions and 89 deletions
--- a/archivebox/api/auth.py
+++ b/archivebox/api/auth.py
@ -1,13 +1,34 @@
 __package__ = 'archivebox.api'

-from typing import Optional, cast
+from typing import Any, Optional, cast
+from datetime import timedelta

 from django.http import HttpRequest
+from django.utils import timezone
 from django.contrib.auth import login
 from django.contrib.auth import authenticate
 from django.contrib.auth.models import AbstractBaseUser

 from ninja.security import HttpBearer, APIKeyQuery, APIKeyHeader, HttpBasicAuth, django_auth_superuser
+from ninja.errors import HttpError
+
+
+def get_or_create_api_token(user):
+    from api.models import APIToken
+    
+    if user and user.is_superuser:
+        api_tokens = APIToken.objects.filter(created_by_id=user.pk, expires__gt=timezone.now())
+        if api_tokens.exists():
+            # unexpired token exists, use it
+            api_token = api_tokens.last()
+        else:
+            # does not exist, create a new one
+            api_token = APIToken.objects.create(created_by_id=user.pk, expires=timezone.now() + timedelta(days=30))
+        
+        assert api_token.is_valid(), f"API token is not valid {api_token}"
+
+        return api_token
+    return None


 def auth_using_token(token, request: Optional[HttpRequest]=None) -> Optional[AbstractBaseUser]:
@ -16,21 +37,20 @@ def auth_using_token(token, request: Optional[HttpRequest]=None) -> Optional[Abs
    
    user = None

-    submitted_empty_form = token in ('string', '', None)
-    if submitted_empty_form:
-        assert request is not None, 'No request provided for API key authentication'
-        user = request.user       # see if user is authed via django session and use that as the default
-    else:
+    submitted_empty_form = str(token).strip() in ('string', '', 'None', 'null')
+    if not submitted_empty_form:
        try:
            token = APIToken.objects.get(token=token)
            if token.is_valid():
                user = token.created_by
+                request._api_token = token
        except APIToken.DoesNotExist:
            pass

    if not user:
-        print('[❌] Failed to authenticate API user using API Key:', request)
+        # print('[❌] Failed to authenticate API user using API Key:', request)
        return None
+    
    return cast(AbstractBaseUser, user)

 def auth_using_password(username, password, request: Optional[HttpRequest]=None) -> Optional[AbstractBaseUser]:
@ -38,17 +58,14 @@ def auth_using_password(username, password, request: Optional[HttpRequest]=None)
    user = None
    
    submitted_empty_form = (username, password) in (('string', 'string'), ('', ''), (None, None))
-    if submitted_empty_form:
-        assert request is not None, 'No request provided for API key authentication'
-        user = request.user       # see if user is authed via django session and use that as the default
-    else:
+    if not submitted_empty_form:
        user = authenticate(
            username=username,
            password=password,
        )

    if not user:
-        print('[❌] Failed to authenticate API user using API Key:', request)
+        # print('[❌] Failed to authenticate API user using API Key:', request)
        user = None

    return cast(AbstractBaseUser | None, user)
@ -56,28 +73,41 @@ def auth_using_password(username, password, request: Optional[HttpRequest]=None)

 ### Base Auth Types

+
 class APITokenAuthCheck:
    """The base class for authentication methods that use an api.models.APIToken"""
    def authenticate(self, request: HttpRequest, key: Optional[str]=None) -> Optional[AbstractBaseUser]:
-        user = auth_using_token(
+        request.user = auth_using_token(
            token=key,
            request=request,
        )
-        if user is not None:
-            login(request, user, backend='django.contrib.auth.backends.ModelBackend')
-        return user
+        if request.user and request.user.pk:
+            # Don't set cookie/persist login ouside this erquest, user may be accessing the API from another domain (CSRF/CORS):
+            # login(request, request.user, backend='django.contrib.auth.backends.ModelBackend')
+            request._api_auth_method = self.__class__.__name__
+
+            if not request.user.is_superuser:
+                raise HttpError(403, 'Valid API token but User does not have permission (make sure user.is_superuser=True)')
+        return request.user
+

 class UserPassAuthCheck:
    """The base class for authentication methods that use a username & password"""
    def authenticate(self, request: HttpRequest, username: Optional[str]=None, password: Optional[str]=None) -> Optional[AbstractBaseUser]:
-        user = auth_using_password(
+        request.user = auth_using_password(
            username=username,
            password=password,
            request=request,
        )
-        if user is not None:
-            login(request, user, backend='django.contrib.auth.backends.ModelBackend')
-        return user
+        if request.user and request.user.pk:
+            # Don't set cookie/persist login ouside this erquest, user may be accessing the API from another domain (CSRF/CORS):
+            # login(request, request.user, backend='django.contrib.auth.backends.ModelBackend')
+            request._api_auth_method = self.__class__.__name__
+
+            if not request.user.is_superuser:
+                raise HttpError(403, 'Valid API token but User does not have permission (make sure user.is_superuser=True)')
+
+        return request.user


 ### Django-Ninja-Provided Auth Methods
@ -98,7 +128,6 @@ class UsernameAndPasswordAuth(UserPassAuthCheck, HttpBasicAuth):
    """Allow authenticating by passing username & password via HTTP Basic Authentication (not recommended)"""
    pass

-
 ### Enabled Auth Methods

 API_AUTH_METHODS = [
--- a/archivebox/api/v1_api.py
+++ b/archivebox/api/v1_api.py
@ -53,7 +53,26 @@ class NinjaAPIWithIOCapture(NinjaAPI):

                response = super().create_temporal_response(request)

-        print('RESPONDING NOW', response)
+        # Diable caching of API responses entirely
+        response['Cache-Control'] = 'no-store'
+
+        # Add debug stdout and stderr headers to response
+        response['X-ArchiveBox-Stdout'] = str(request.stdout)[200:]
+        response['X-ArchiveBox-Stderr'] = str(request.stderr)[200:]
+        # response['X-ArchiveBox-View'] = self.get_openapi_operation_id(request) or 'Unknown'
+
+        # Add Auth Headers to response
+        api_token = getattr(request, '_api_token', None)
+        token_expiry = api_token.expires.isoformat() if api_token else 'Never'
+
+        response['X-ArchiveBox-Auth-Method'] = getattr(request, '_api_auth_method', None) or 'None'
+        response['X-ArchiveBox-Auth-Expires'] = token_expiry
+        response['X-ArchiveBox-Auth-Token-Id'] = api_token.abid if api_token else 'None'
+        response['X-ArchiveBox-Auth-User-Id'] = request.user.pk if request.user.pk else 'None'
+        response['X-ArchiveBox-Auth-User-Username'] = request.user.username if request.user.pk else 'None'
+
+        # import ipdb; ipdb.set_trace()
+        # print('RESPONDING NOW', response)

        return response

--- a/archivebox/api/v1_auth.py
+++ b/archivebox/api/v1_auth.py
@ -7,10 +7,10 @@ from django.utils import timezone
 from datetime import timedelta

 from api.models import APIToken
-from api.auth import auth_using_token, auth_using_password
+from api.auth import auth_using_token, auth_using_password, get_or_create_api_token


-router = Router(tags=['Authentication'])
+router = Router(tags=['Authentication'], auth=None)


 class PasswordAuthSchema(Schema):
@ -28,14 +28,8 @@ def get_api_token(request, auth_data: PasswordAuthSchema):
    )

    if user and user.is_superuser:
-        api_tokens = APIToken.objects.filter(created_by_id=user.pk, expires__gt=timezone.now())
-        if api_tokens.exists():
-            api_token = api_tokens.last()
-        else:
-            api_token = APIToken.objects.create(created_by_id=user.pk, expires=timezone.now() + timedelta(days=30))
-        
-        assert api_token.is_valid(), f"API token is not valid {api_token.abid}"
-
+        api_token = get_or_create_api_token(user)
+        assert api_token is not None, "Failed to create API token"
        return api_token.__json__()
    
    return {"success": False, "errors": ["Invalid credentials"]}
--- a/archivebox/api/v1_cli.py
+++ b/archivebox/api/v1_cli.py
@ -16,8 +16,10 @@ from ..util import ansi_to_html
 from ..config import ONLY_NEW


+from .auth import API_AUTH_METHODS
+
 # router for API that exposes archivebox cli subcommands as REST endpoints
-router = Router(tags=['ArchiveBox CLI Sub-Commands'])
+router = Router(tags=['ArchiveBox CLI Sub-Commands'], auth=API_AUTH_METHODS)


 # Schemas
--- a/archivebox/api/v1_core.py
+++ b/archivebox/api/v1_core.py
@ -12,11 +12,15 @@ from django.contrib.auth import get_user_model

 from ninja import Router, Schema, FilterSchema, Field, Query
 from ninja.pagination import paginate, PaginationBase
+from ninja.errors import HttpError

 from core.models import Snapshot, ArchiveResult, Tag
+from api.models import APIToken, OutboundWebhook
 from abid_utils.abid import ABID

-router = Router(tags=['Core Models'])
+from .auth import API_AUTH_METHODS
+
+router = Router(tags=['Core Models'], auth=API_AUTH_METHODS)



@ -421,4 +425,10 @@ def get_any(request, abid: str):
    except Exception:
        pass

-    return response
+    if abid.startswith(APIToken.abid_prefix):
+        raise HttpError(403, 'APIToken objects are not accessible via REST API')
+    
+    if abid.startswith(OutboundWebhook.abid_prefix):
+        raise HttpError(403, 'OutboundWebhook objects are not accessible via REST API')
+
+    raise HttpError(404, 'Object with given ABID not found')