authentik/passbook/api/auth.py

"""API Authentication"""
from base64 import b64decode
from typing import Any, Optional, Tuple, Union

from rest_framework.authentication import BaseAuthentication, get_authorization_header
from rest_framework.request import Request
from structlog import get_logger

from passbook.core.models import Token, TokenIntents, User

LOGGER = get_logger()


def token_from_header(raw_header: bytes) -> Optional[Token]:
    """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
    auth_credentials = raw_header.decode()
    # Accept headers with Type format and without
    if " " in auth_credentials:
        auth_type, auth_credentials = auth_credentials.split()
        if auth_type.lower() != "basic":
            LOGGER.debug(
                "Unsupported authentication type, denying", type=auth_type.lower()
            )
            return None
    try:
        auth_credentials = b64decode(auth_credentials.encode()).decode()
    except UnicodeDecodeError:
        return None
    # Accept credentials with username and without
    if ":" in auth_credentials:
        _, password = auth_credentials.split(":")
    else:
        password = auth_credentials
    if password == "":
        return None
    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
    if not tokens.exists():
        LOGGER.debug("Token not found")
        return None
    return tokens.first()


class PassbookTokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Basic authentication"""

    def authenticate(self, request: Request) -> Union[Tuple[User, Any], None]:
        """Token-based authentication using HTTP Basic authentication"""
        auth = get_authorization_header(request)

        token = token_from_header(auth)
        if not token:
            return None

        return (token.user, None)

    def authenticate_header(self, request: Request) -> str:
        return 'Basic realm="passbook"'
api: add token authentication 2020-07-05 21:15:07 +00:00			`"""API Authentication"""`
			`from base64 import b64decode`
core: add key field to token for easier rotation 2020-10-18 12:34:22 +00:00			`from typing import Any, Optional, Tuple, Union`
api: add token authentication 2020-07-05 21:15:07 +00:00
			`from rest_framework.authentication import BaseAuthentication, get_authorization_header`
			`from rest_framework.request import Request`
core: add key field to token for easier rotation 2020-10-18 12:34:22 +00:00			`from structlog import get_logger`
api: add token authentication 2020-07-05 21:15:07 +00:00
			`from passbook.core.models import Token, TokenIntents, User`

core: add key field to token for easier rotation 2020-10-18 12:34:22 +00:00			`LOGGER = get_logger()`


			`def token_from_header(raw_header: bytes) -> Optional[Token]:`
			"""raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
			`auth_credentials = raw_header.decode()`
			`# Accept headers with Type format and without`
			`if " " in auth_credentials:`
			`auth_type, auth_credentials = auth_credentials.split()`
			`if auth_type.lower() != "basic":`
			`LOGGER.debug(`
			`"Unsupported authentication type, denying", type=auth_type.lower()`
			`)`
			`return None`
api: add fallback for proxies < 0.12 which send authorization without b64 2020-10-18 13:14:00 +00:00			`try:`
			`auth_credentials = b64decode(auth_credentials.encode()).decode()`
			`except UnicodeDecodeError:`
api: remove authentication fallback for pre-0.12 proxies 2020-10-26 10:00:19 +00:00			`return None`
core: add key field to token for easier rotation 2020-10-18 12:34:22 +00:00			`# Accept credentials with username and without`
			`if ":" in auth_credentials:`
			`_, password = auth_credentials.split(":")`
			`else:`
			`password = auth_credentials`
			`if password == "":`
			`return None`
			`tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)`
			`if not tokens.exists():`
			`LOGGER.debug("Token not found")`
			`return None`
			`return tokens.first()`

api: add token authentication 2020-07-05 21:15:07 +00:00
			`class PassbookTokenAuthentication(BaseAuthentication):`
			`"""Token-based authentication using HTTP Basic authentication"""`

			`def authenticate(self, request: Request) -> Union[Tuple[User, Any], None]:`
			`"""Token-based authentication using HTTP Basic authentication"""`
core: add key field to token for easier rotation 2020-10-18 12:34:22 +00:00			`auth = get_authorization_header(request)`
api: add token authentication 2020-07-05 21:15:07 +00:00
core: add key field to token for easier rotation 2020-10-18 12:34:22 +00:00			`token = token_from_header(auth)`
			`if not token:`
api: add token authentication 2020-07-05 21:15:07 +00:00			`return None`

core: add key field to token for easier rotation 2020-10-18 12:34:22 +00:00			`return (token.user, None)`
api: add token authentication 2020-07-05 21:15:07 +00:00
			`def authenticate_header(self, request: Request) -> str:`
			`return 'Basic realm="passbook"'`