self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-06-29 00:41:33 +02:00
Code Issues Releases Activity

Introduce AUTH_REQUIRE_TOKENS

Browse Source
This commit is contained in:
Florent Daigniere
2023-10-27 13:39:36 +02:00
parent efcf7a1581
commit 435508be1e
4 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
core/admin/mailu/configuration.py
View File

@ -72,6 +72,7 @@ DEFAULT_CONFIG = {
'LOGO_URL': None, 'LOGO_URL': None,
'LOGO_BACKGROUND': None, 'LOGO_BACKGROUND': None,
# Advanced settings # Advanced settings
'AUTH_REQUIRE_TOKENS': False,
'API': False, 'API': False,
'WEB_API': '/api', 'WEB_API': '/api',
'API_TOKEN': None, 'API_TOKEN': None,

8
core/admin/mailu/internal/nginx.py
View File

@ -50,8 +50,12 @@ def check_credentials(user, password, ip, protocol=None, auth_port=None, source_
app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badip: token-{token.id}: {token.comment or ""!r}') app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badip: token-{token.id}: {token.comment or ""!r}')
return False # we can return directly here since the token is valid return False # we can return directly here since the token is valid
if user.check_password(password): if user.check_password(password):
app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: password') if app.config['AUTH_REQUIRE_TOKENS'] and protocol != 'web':
return True app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: password but AUTH_REQUIRE_TOKENS=True')
return False
else:
app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: success: password')
return True
app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badauth: {utils.truncated_pw_hash(password)}') app.logger.info(f'Login attempt for: {user}/{protocol}/{auth_port} from: {ip}/{source_port}: failed: badauth: {utils.truncated_pw_hash(password)}')
return False return False

6
docs/configuration.rst
View File

@ -214,7 +214,11 @@ Depending on your particular deployment you most probably will want to change th
Advanced settings Advanced settings
----------------- -----------------
The ``API_TOKEN`` (default: None) configures the authentication token. The ``AUTH_REQUIRE_TOKENS`` (default: False) setting controls whether thick clients can
authenticate using passwords or whether they are forced to use tokens/application
specific passwords.
The ``API_TOKEN`` (default: None) setting configures the authentication token.
This token must be passed as request header to the API as authentication token. This token must be passed as request header to the API as authentication token.
This is a mandatory setting for using the RESTful API. This is a mandatory setting for using the RESTful API.

1
towncrier/newsfragments/3004.misc Normal file
View File

@ -0,0 +1 @@
Introduce AUTH_REQUIRE_TOKENS to enforce that thick clients use tokens instead of passwords