update auth view to require real username (#1999)

bihealth · Oct 8, 2024 · ef83023 · ef83023
1 parent a98c2fa
commit ef83023
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 16 deletions.
diff --git a/irodsbackend/tests/test_views.py b/irodsbackend/tests/test_views.py
@@ -7,8 +7,6 @@
 
 from test_plus.test import TestCase
 
-from irodsbackend.views import TOKEN_USER_NAME
-
 # Projectroles dependency
 from projectroles.tests.test_views_api import (
     SODARAPIViewTestMixin,
@@ -72,22 +70,22 @@ def test_post_token(self):
         """Test POST with knox token"""
         knox_token = self.get_token(self.user)
         response = self.client.post(
-            self.url, **self._get_auth_header(TOKEN_USER_NAME, knox_token)
+            self.url, **self._get_auth_header(LOCAL_USER_NAME, knox_token)
         )
         self.assertEqual(response.status_code, 200)
 
     def test_post_token_invalid(self):
         """Test POST with invalid knox token (should fail)"""
         self.get_token(self.user)  # Making sure the user has A token
         response = self.client.post(
-            self.url, **self._get_auth_header(TOKEN_USER_NAME, EMPTY_KNOX_TOKEN)
+            self.url, **self._get_auth_header(LOCAL_USER_NAME, EMPTY_KNOX_TOKEN)
         )
         self.assertEqual(response.status_code, 401)
 
-    def test_post_token_username(self):
-        """Test POST with knox token and regular username (should fail)"""
+    def test_post_token_invalid_username(self):
+        """Test POST with username not matching token (should fail)"""
         knox_token = self.get_token(self.user)
         response = self.client.post(
-            self.url, **self._get_auth_header(LOCAL_USER_NAME, knox_token)
+            self.url, **self._get_auth_header('invalid_user', knox_token)
         )
         self.assertEqual(response.status_code, 401)
diff --git a/irodsbackend/views.py b/irodsbackend/views.py
@@ -35,7 +35,6 @@
 )
 BASIC_AUTH_LOG_PREFIX = 'Basic auth'
 BASIC_AUTH_NOT_ENABLED_MSG = 'IRODS_SODAR_AUTH not enabled'
-TOKEN_USER_NAME = '__token__'
 
 
 class BaseIrodsAjaxView(SODARBaseProjectAjaxView):
@@ -253,22 +252,26 @@ def post(self, request, *args, **kwargs):
             return JsonResponse(
                 {'detail': 'Auth header not included'}, status=400
             )
+        user_name = None
         user = None
         auth = request.META['HTTP_AUTHORIZATION'].split()
         if len(auth) == 2 and auth[0].lower() == 'basic':
-            uname, passwd = base64.b64decode(auth[1]).decode().split(':')
-            # For token user, auth against Knox token
-            if uname == TOKEN_USER_NAME:
+            user_name, password = base64.b64decode(auth[1]).decode().split(':')
+            logger.debug(
+                'Requesting auth with user name "{}"'.format(user_name)
+            )
+            # First try with password
+            user = authenticate(username=user_name, password=password)
+            # If not successful, try password as Knox token
+            if not user:  #
                 token_auth = TokenAuthentication()
                 try:
                     user, _ = token_auth.authenticate_credentials(
-                        passwd.encode('utf-8')
+                        password.encode('utf-8')
                     )
                 except Exception as ex:
-                    logger.error('Token auth failed: {}'.format(ex))
-            else:  # For local user, do standard password auth
-                user = authenticate(username=uname, password=passwd)
-        if user and user.is_authenticated:
+                    logger.debug('Auth with token failed: {}'.format(ex))
+        if user and user.is_authenticated and user.username == user_name:
             logger.info(
                 '{} successful: {}'.format(
                     BASIC_AUTH_LOG_PREFIX, request.user.username