fix API token_auth and CSRF setup

2024-09-19 07:28:49 -04:00 · 2024-09-03 01:21:13 -07:00 · 2024-09-03 01:21:13 -07:00 · c1c55d6da7
commit c1c55d6da7
parent 9af260df16
2 changed files with 12 additions and 5 deletions
--- a/archivebox/api/auth.py
+++ b/archivebox/api/auth.py
@ -30,8 +30,8 @@ def auth_using_token(token, request: Optional[HttpRequest]=None) -> Optional[Abs

    if not user:
        print('[❌] Failed to authenticate API user using API Key:', request)
-
-    return None
+        return None
+    return cast(AbstractBaseUser, user)

 def auth_using_password(username, password, request: Optional[HttpRequest]=None) -> Optional[AbstractBaseUser]:
    """Given a username and password, check if they are valid and return the corresponding user"""
--- a/archivebox/api/v1_auth.py
+++ b/archivebox/api/v1_auth.py
@ -3,6 +3,8 @@ __package__ = 'archivebox.api'
 from typing import Optional

 from ninja import Router, Schema
+from django.utils import timezone
+from datetime import timedelta

 from api.models import APIToken
 from api.auth import auth_using_token, auth_using_password
@ -25,9 +27,14 @@ def get_api_token(request, auth_data: PasswordAuthSchema):
        request=request,
    )

-    if user:
-        # TODO: support multiple tokens in the future, for now we just have one per user
-        api_token, created = APIToken.objects.get_or_create(created_by_id=user.pk)
+    if user and user.is_superuser:
+        api_tokens = APIToken.objects.filter(created_by_id=user.pk, expires__gt=timezone.now())
+        if api_tokens.exists():
+            api_token = api_tokens.last()
+        else:
+            api_token = APIToken.objects.create(created_by_id=user.pk, expires=timezone.now() + timedelta(days=30))
+        
+        assert api_token.is_valid(), f"API token is not valid {api_token.abid}"

        return api_token.__json__()