self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-08-10 22:31:47 +02:00
Code Issues Releases Activity

Merge #3232

Browse Source 
3232: simplify the logic, add an extra check on the API auth handler r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

simplify the logic of API authentication, ensure that the API token is at least 3 characters

### Related issue(s)

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry in not applicable, you can check it or remove it from the list.

- [ ] In case of feature or enhancement: documentation updated accordingly
- [ ] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
Co-authored-by: Dimitri Huisman <diman@huisman.xyz>
This commit is contained in:
bors-mailu[bot]
2024-06-09 09:47:25 +00:00
committed by GitHub
parent 6a08a6ed14 12ccdebd20
commit c18eb3a33c
3 changed files with 5 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
core/admin/mailu/api/common.py
View File

@@ -24,19 +24,11 @@ def api_token_authorization(func):
if utils.limiter.should_rate_limit_ip(client_ip):
abort(429, 'Too many attempts from your IP (rate-limit)' )
if not request.headers.get('Authorization'):
abort(401, 'A valid Bearer token is expected which is provided as request header')
#Client provides 'Authentication: Bearer <token>'
if (' ' in request.headers.get('Authorization')
and not hmac.compare_digest(request.headers.get('Authorization'), 'Bearer ' + v1.api_token)):
abort(401, 'A valid Authorization header is mandatory')
if len(v1.api_token) < 4 or not hmac.compare_digest(request.headers.get('Authorization').removeprefix('Bearer '), v1.api_token):
utils.limiter.rate_limit_ip(client_ip)
flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
abort(403, 'A valid Bearer token is expected which is provided as request header')
#Client provides 'Authentication: <token>'
elif (' ' not in request.headers.get('Authorization')
and not hmac.compare_digest(request.headers.get('Authorization'), v1.api_token)):
utils.limiter.rate_limit_ip(client_ip)
flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
abort(403, 'A valid Bearer token is expected which is provided as request header')
abort(403, 'Invalid API token')
flask.current_app.logger.info(f'Valid API token provided by {client_ip}.')
return func(*args, **kwds)
return decorated_function