fix REST API CSRF and auth handling

2025-05-13 22:54:27 -04:00 · 2024-09-03 14:16:44 -07:00 · 2024-09-03 14:16:44 -07:00 · 01094ecb03
commit 01094ecb03
parent 41a318a8bd
9 changed files with 164 additions and 89 deletions
--- a/archivebox/core/admin.py
+++ b/archivebox/core/admin.py
@ -34,6 +34,7 @@ from core.models import Snapshot, ArchiveResult, Tag, SnapshotTag
 from core.forms import AddLinkForm
 from core.mixins import SearchResultsAdminMixin
 from api.models import APIToken
+from api.auth import get_or_create_api_token
 from abid_utils.models import get_or_create_system_user_pk
 from abid_utils.admin import ABIDModelAdmin

@ -268,37 +269,7 @@ class SnapshotActionForm(ActionForm):
    # )


-def get_abid_info(self, obj):
-    return format_html(
-        # URL Hash: <code style="font-size: 10px; user-select: all">{}</code><br/>
-        '''
-        <a href="{}" style="font-size: 16px; font-family: monospace; user-select: all; border-radius: 8px; background-color: #ddf; padding: 3px 5px; border: 1px solid #aaa; margin-bottom: 8px; display: inline-block; vertical-align: top;">{}</a> &nbsp; &nbsp; <a href="{}" style="color: limegreen; font-size: 0.9em; vertical-align: 1px; font-family: monospace;">📖 API DOCS</a>
-        <br/><hr/>
-        <div style="opacity: 0.8">
-        &nbsp; &nbsp; <small style="opacity: 0.8">.abid: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <code style="font-size: 10px; user-select: all">{}</code></small><br/>
-        &nbsp; &nbsp; <small style="opacity: 0.8">.abid.uuid: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <code style="font-size: 10px; user-select: all">{}</code></small><br/>
-        &nbsp; &nbsp; <small style="opacity: 0.8">.id: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<code style="font-size: 10px; user-select: all">{}</code></small><br/>
-        <hr/>
-        &nbsp; &nbsp; TS: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<code style="font-size: 10px;"><b style="user-select: all">{}</b> &nbsp; {}</code> &nbsp; &nbsp; &nbsp;&nbsp; {}: <code style="user-select: all">{}</code><br/>
-        &nbsp; &nbsp; URI: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <code style="font-size: 10px; "><b style="user-select: all">{}</b> &nbsp; &nbsp; {}</code> &nbsp;&nbsp; &nbsp; &nbsp; &nbsp;&nbsp; <span style="display:inline-block; vertical-align: -4px; width: 290px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis;">{}: <code style="user-select: all">{}</code></span>
-        &nbsp; SALT: &nbsp; <code style="font-size: 10px;"><b style="display:inline-block; user-select: all; width: 50px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis;">{}</b></code><br/>
-        &nbsp; &nbsp; SUBTYPE: &nbsp; &nbsp; &nbsp; <code style="font-size: 10px;"><b style="user-select: all">{}</b> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {}</code> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {}: <code style="user-select: all">{}</code><br/>
-        &nbsp; &nbsp; RAND: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <code style="font-size: 10px;"><b style="user-select: all">{}</b> &nbsp; &nbsp; &nbsp; {}</code> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  {}: <code style="user-select: all">{}</code>
-        <br/><hr/>
-        &nbsp; &nbsp; <small style="opacity: 0.5">.old_id: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<code style="font-size: 10px; user-select: all">{}</code></small><br/>
-        </div>
-        ''',
-        obj.api_url, obj.api_url, obj.api_docs_url,
-        str(obj.abid),
-        str(obj.ABID.uuid),
-        str(obj.id),
-        obj.ABID.ts, str(obj.ABID.uuid)[0:14], obj.abid_ts_src, obj.abid_values['ts'].isoformat() if isinstance(obj.abid_values['ts'], datetime) else obj.abid_values['ts'],
-        obj.ABID.uri, str(obj.ABID.uuid)[14:26], obj.abid_uri_src, str(obj.abid_values['uri']),
-        obj.ABID.uri_salt,
-        obj.ABID.subtype, str(obj.ABID.uuid)[26:28], obj.abid_subtype_src, str(obj.abid_values['subtype']),
-        obj.ABID.rand, str(obj.ABID.uuid)[28:36], obj.abid_rand_src, str(obj.abid_values['rand'])[-7:],
-        str(getattr(obj, 'old_id', '')),
-    )
+


@admin.register(Snapshot, site=archivebox_admin)
@ -321,6 +292,7 @@ class SnapshotAdmin(SearchResultsAdminMixin, ABIDModelAdmin):
    show_full_result_count = False

    def changelist_view(self, request, extra_context=None):
+        self.request = request
        extra_context = extra_context or {}
        try:
            return super().changelist_view(request, extra_context | GLOBAL_CONTEXT)
@ -329,6 +301,7 @@ class SnapshotAdmin(SearchResultsAdminMixin, ABIDModelAdmin):
            return super().changelist_view(request, GLOBAL_CONTEXT)

    def change_view(self, request, object_id, form_url="", extra_context=None):
+        self.request = request
        snapshot = None

        try:
@ -350,6 +323,7 @@ class SnapshotAdmin(SearchResultsAdminMixin, ABIDModelAdmin):
        if snapshot:
            object_id = str(snapshot.id)

+
        return super().change_view(
            request,
            object_id,
@ -430,12 +404,6 @@ class SnapshotAdmin(SearchResultsAdminMixin, ABIDModelAdmin):
            obj.extension or '-',
        )

-    def API(self, obj):
-        try:
-            return get_abid_info(self, obj)
-        except Exception as e:
-            return str(e)
-
    @admin.display(
        description='Title',
        ordering='title',
@ -603,8 +571,6 @@ class SnapshotAdmin(SearchResultsAdminMixin, ABIDModelAdmin):
 #     actions = ['delete_selected']
 #     ordering = ['-id']

-#     def API(self, obj):
-#         return get_abid_info(self, obj)


@admin.register(Tag, site=archivebox_admin)
@ -619,11 +585,6 @@ class TagAdmin(ABIDModelAdmin):

    paginator = AccelleratedPaginator

-    def API(self, obj):
-        try:
-            return get_abid_info(self, obj)
-        except Exception as e:
-            return str(e)

    def num_snapshots(self, tag):
        return format_html(
@ -660,6 +621,10 @@ class ArchiveResultAdmin(ABIDModelAdmin):
    
    paginator = AccelleratedPaginator

+    def change_view(self, request, object_id, form_url="", extra_context=None):
+        self.request = request
+        return super().change_view(request, object_id, form_url, extra_context)
+
    @admin.display(
        description='Snapshot Info'
    )
@ -672,12 +637,6 @@ class ArchiveResultAdmin(ABIDModelAdmin):
            result.snapshot.url[:128],
        )

-    def API(self, obj):
-        try:
-            return get_abid_info(self, obj)
-        except Exception as e:
-            raise e
-            return str(e)

    @admin.display(
        description='Snapshot Tags'
@ -735,7 +694,7 @@ class ArchiveResultAdmin(ABIDModelAdmin):
 class APITokenAdmin(ABIDModelAdmin):
    list_display = ('created', 'abid', 'created_by', 'token_redacted', 'expires')
    sort_fields = ('abid', 'created', 'created_by', 'expires')
-    readonly_fields = ('abid', 'created')
+    readonly_fields = ('created', 'modified', 'API')
    search_fields = ('id', 'abid', 'created_by__username', 'token')
    fields = ('created_by', 'token', 'expires', *readonly_fields)

@ -747,4 +706,4 @@ class APITokenAdmin(ABIDModelAdmin):
 class CustomWebhookAdmin(WebhookAdmin, ABIDModelAdmin):
    list_display = ('created', 'created_by', 'abid', *WebhookAdmin.list_display)
    sort_fields = ('created', 'created_by', 'abid', 'referenced_model', 'endpoint', 'last_success', 'last_error')
-    readonly_fields = ('abid', 'created', *WebhookAdmin.readonly_fields)
+    readonly_fields = ('created', 'modified', 'API', *WebhookAdmin.readonly_fields)