Merge #3007

3007: Introduce AUTH_REQUIRE_TOKENS r=nextgens a=nextgens ## What type of PR? enhancement ## What does this PR do? Introduce AUTH_REQUIRE_TOKENS to enforce that thick clients use tokens instead of passwords ### Related issue(s) ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2025-01-18 03:21:36 +02:00 · 2023-10-27 20:15:12 +00:00 · 2023-10-27 20:15:12 +00:00 · 26e5618cbc
commit 26e5618cbc
parent 7f84516108 2494a344a7
4 changed files with 13 additions and 3 deletions
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@ -72,6 +72,7 @@ DEFAULT_CONFIG = {
    'LOGO_URL': None,
    'LOGO_BACKGROUND': None,
    # Advanced settings
+    'AUTH_REQUIRE_TOKENS': False,
    'API': False,
    'WEB_API': '/api',
    'API_TOKEN': None,
--- a/core/admin/mailu/internal/nginx.py
+++ b/core/admin/mailu/internal/nginx.py
@ -50,6 +50,10 @@ def check_credentials(user, password, ip, protocol=None, auth_port=None, source_
                    app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badip: token-{token.id}: {token.comment or ""!r}')
                    return False # we can return directly here since the token is valid
    if user.check_password(password):
+        if app.config['AUTH_REQUIRE_TOKENS'] and protocol != 'web':
+            app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: password ok, but a token is required')
+            return False
+        else:
            app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: password')
            return True
    app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badauth: {utils.truncated_pw_hash(password)}')
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -214,7 +214,11 @@ Depending on your particular deployment you most probably will want to change th
 Advanced settings
 -----------------

-The ``API_TOKEN`` (default: None) configures the authentication token.
+The ``AUTH_REQUIRE_TOKENS`` (default: False) setting controls whether thick clients can
+ authenticate using passwords or whether they are forced to use tokens/application
+ specific passwords.
+
+The ``API_TOKEN`` (default: None) setting configures the authentication token.
 This token must be passed as request header to the API as authentication token.
 This is a mandatory setting for using the RESTful API.

--- a/towncrier/newsfragments/3007.misc
+++ b/towncrier/newsfragments/3007.misc
@ -0,0 +1 @@
+Introduce AUTH_REQUIRE_TOKENS to enforce that thick clients use tokens instead of passwords
				`@ -0,0 +1 @@`
				`Introduce AUTH_REQUIRE_TOKENS to enforce that thick clients use tokens instead of passwords`