fix session auth and restrict it only to access_token view

2024-09-17 23:23:35 -04:00
parent eda5ea7d1a
commit c8dd80530a
4 changed files with 20 additions and 3 deletions
--- a/api/tacticalrmm/ee/sso/urls.py
+++ b/api/tacticalrmm/ee/sso/urls.py
@@ -8,4 +8,5 @@ urlpatterns = [
    path("", include("allauth.urls")),
    path("ssoproviders/", views.GetAddSSOProvider.as_view()),
    path("ssoproviders/<int:pk>/", views.GetUpdateDeleteSSOProvider.as_view()),
+    path("ssoproviders/token/", views.GetAccessToken.as_view()),
 ]
--- a/api/tacticalrmm/ee/sso/views.py
+++ b/api/tacticalrmm/ee/sso/views.py
@@ -7,6 +7,9 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 from accounts.permissions import AccountsPerms
 from rest_framework.permissions import IsAuthenticated
+from rest_framework.authentication import SessionAuthentication
+from knox.views import LoginView as KnoxLoginView
+from django.contrib.auth import logout

 class SocialAppSerializer(ModelSerializer):
    server_url = ReadOnlyField(source="settings.server_url")
@@ -102,3 +105,16 @@ class GetUpdateDeleteSSOProvider(APIView):
        provider.delete()
        return Response("ok")

+
+class GetAccessToken(KnoxLoginView):
+  permission_classes = [IsAuthenticated]
+  authentication_classes = [SessionAuthentication]
+
+  def post(self, request, format=None):
+      response = super().post(request, format=None)
+      response.data["username"] = request.user.username
+
+      #invalid user session since we have an access token now
+      logout(request)
+      return Response(response.data)
+        
--- a/api/tacticalrmm/tacticalrmm/middleware.py
+++ b/api/tacticalrmm/tacticalrmm/middleware.py
@@ -72,7 +72,7 @@ class AuditMiddleware:
                    # gather and save debug info
                    debug_info["url"] = request.path
                    debug_info["method"] = request.method
-                    debug_info["view_class"] = view_func.cls.__name__
+                    debug_info["view_class"] = view_func.cls.__name__ if hasattr(view_func, "cls") else None
                    debug_info["view_func"] = view_Name
                    debug_info["view_args"] = view_args
                    debug_info["view_kwargs"] = view_kwargs
--- a/api/tacticalrmm/tacticalrmm/settings.py
+++ b/api/tacticalrmm/tacticalrmm/settings.py
@@ -135,7 +135,6 @@ REST_FRAMEWORK = {
    "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
    "DEFAULT_AUTHENTICATION_CLASSES": (
        "knox.auth.TokenAuthentication",
-        "allauth.account.auth_backends.AuthenticationBackend",
        "tacticalrmm.auth.APIAuthentication",
    ),
    "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
@@ -199,9 +198,9 @@ CHANNEL_LAYERS = {

 # settings for django all auth
 HEADLESS_ONLY = True
+SOCIALACCOUNT_ONLY = True
 ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
 ACCOUNT_EMAIL_VERIFICATION = 'none'
-SOCIALACCOUNT_ONLY = True
 SOCIALACCOUNT_EMAIL_AUTHENTICATION = True
 SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True
 SOCIALACCOUNT_EMAIL_VERIFICATION = True
@@ -212,6 +211,7 @@ SOCIALACCOUNT_PROVIDERS = {
    }
 }

+AUTHENTICATION_BACKENDS = ("allauth.account.auth_backends.AuthenticationBackend",)
 SESSION_COOKIE_SECURE = True

 # silence cache key length warnings