fix session auth and restrict it only to access_token view

api/tacticalrmm/ee/sso/urls.py

@@ -8,4 +8,5 @@ urlpatterns = [
     path("", include("allauth.urls")),
     path("ssoproviders/", views.GetAddSSOProvider.as_view()),
     path("ssoproviders/<int:pk>/", views.GetUpdateDeleteSSOProvider.as_view()),
+    path("ssoproviders/token/", views.GetAccessToken.as_view()),
 ]

api/tacticalrmm/ee/sso/views.py

@@ -7,6 +7,9 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 from accounts.permissions import AccountsPerms
 from rest_framework.permissions import IsAuthenticated
+from rest_framework.authentication import SessionAuthentication
+from knox.views import LoginView as KnoxLoginView
+from django.contrib.auth import logout
 
 class SocialAppSerializer(ModelSerializer):
     server_url = ReadOnlyField(source="settings.server_url")
@@ -102,3 +105,16 @@ class GetUpdateDeleteSSOProvider(APIView):
         provider.delete()
         return Response("ok")
 
+
+class GetAccessToken(KnoxLoginView):
+  permission_classes = [IsAuthenticated]
+  authentication_classes = [SessionAuthentication]
+
+  def post(self, request, format=None):
+      response = super().post(request, format=None)
+      response.data["username"] = request.user.username
+
+      #invalid user session since we have an access token now
+      logout(request)
+      return Response(response.data)
+        

api/tacticalrmm/tacticalrmm/middleware.py

@@ -72,7 +72,7 @@ class AuditMiddleware:
                     # gather and save debug info
                     debug_info["url"] = request.path
                     debug_info["method"] = request.method
-                    debug_info["view_class"] = view_func.cls.__name__
+                    debug_info["view_class"] = view_func.cls.__name__ if hasattr(view_func, "cls") else None
                     debug_info["view_func"] = view_Name
                     debug_info["view_args"] = view_args
                     debug_info["view_kwargs"] = view_kwargs

api/tacticalrmm/tacticalrmm/settings.py

@@ -135,7 +135,6 @@ REST_FRAMEWORK = {
     "DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
     "DEFAULT_AUTHENTICATION_CLASSES": (
         "knox.auth.TokenAuthentication",
-        "allauth.account.auth_backends.AuthenticationBackend",
         "tacticalrmm.auth.APIAuthentication",
     ),
     "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
@@ -199,9 +198,9 @@ CHANNEL_LAYERS = {
 
 # settings for django all auth
 HEADLESS_ONLY = True
+SOCIALACCOUNT_ONLY = True
 ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
 ACCOUNT_EMAIL_VERIFICATION = 'none'
-SOCIALACCOUNT_ONLY = True
 SOCIALACCOUNT_EMAIL_AUTHENTICATION = True
 SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True
 SOCIALACCOUNT_EMAIL_VERIFICATION = True
@@ -212,6 +211,7 @@ SOCIALACCOUNT_PROVIDERS = {
     }
 }
 
+AUTHENTICATION_BACKENDS = ("allauth.account.auth_backends.AuthenticationBackend",)
 SESSION_COOKIE_SECURE = True
 
 # silence cache key length warnings