Merge #3232

3232: simplify the logic, add an extra check on the API auth handler r=mergify[bot] a=nextgens ## What type of PR? enhancement ## What does this PR do? simplify the logic of API authentication, ensure that the API token is at least 3 characters ### Related issue(s) ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org> Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com> Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
2025-03-03 14:52:36 +02:00 · 2024-06-09 09:47:25 +00:00 · 2024-06-09 09:47:25 +00:00 · c18eb3a33c
commit c18eb3a33c
parent 6a08a6ed14 12ccdebd20
3 changed files with 5 additions and 12 deletions
--- a/core/admin/mailu/api/common.py
+++ b/core/admin/mailu/api/common.py
@ -24,19 +24,11 @@ def api_token_authorization(func):
        if utils.limiter.should_rate_limit_ip(client_ip):
            abort(429, 'Too many attempts from your IP (rate-limit)' )
        if not request.headers.get('Authorization'):
-            abort(401, 'A valid Bearer token is expected which is provided as request header')
-        #Client provides 'Authentication: Bearer <token>'
-        if (' ' in request.headers.get('Authorization')
-                and not hmac.compare_digest(request.headers.get('Authorization'), 'Bearer ' + v1.api_token)):
+            abort(401, 'A valid Authorization header is mandatory')
+        if len(v1.api_token) < 4 or not hmac.compare_digest(request.headers.get('Authorization').removeprefix('Bearer '), v1.api_token):
            utils.limiter.rate_limit_ip(client_ip)
            flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
-            abort(403, 'A valid Bearer token is expected which is provided as request header')
-        #Client provides 'Authentication: <token>'
-        elif (' ' not in request.headers.get('Authorization')
-                and not hmac.compare_digest(request.headers.get('Authorization'), v1.api_token)):
-            utils.limiter.rate_limit_ip(client_ip)
-            flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
-            abort(403, 'A valid Bearer token is expected which is provided as request header')
+            abort(403, 'Invalid API token')
        flask.current_app.logger.info(f'Valid API token provided by {client_ip}.')
        return func(*args, **kwds)
    return decorated_function
--- a/docs/api.rst
+++ b/docs/api.rst
@ -12,7 +12,7 @@ It can also be manually configured via mailu.env:

 * ``API`` - Expose the API interface (value: true, false)
 * ``WEB_API`` - Path to the API interface
-* ``API_TOKEN`` - API token for authentication
+* ``API_TOKEN`` - API token for authentication (with minimum length of 3 characters)

 For more information refer to the detailed descriptions in the
 :ref:`configuration reference <advanced_settings>`.
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -218,6 +218,7 @@ Advanced settings
 The ``AUTH_REQUIRE_TOKENS`` (default: False) setting controls whether thick clients can authenticate using passwords or whether they are forced to use tokens/application specific passwords.

 The ``API_TOKEN`` (default: None) setting configures the authentication token.
+The minimum length is 3 characters.
 This token must be passed as request header to the API as authentication token.
 This is a mandatory setting for using the RESTful API.