
Setting GLOBAL_LOGIN_REQUIRED = TRUE breaks API

Open tschig opened this issue 3 years ago • 4 comments

Describe the issue

I have set GLOBAL_LOGIN_REQUIRED to TRUE and after that, every request to the API gets a redirect to the login page as a response:

C:\Users\justi>curl -v -X GET https://mediacms.example.com/api/v1/media/ -H "authorization: Basic base64(user:pass)"
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying IP:443...
* Connected to mediacms.example.com (IP) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> GET /api/v1/media/ HTTP/1.1
> Host: mediacms.example.com
> User-Agent: curl/7.79.1
> Accept: */*
> authorization: Basic base64(user:pass)
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: Content-Length,Content-Range
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
< Date: Sun, 20 Feb 2022 15:47:44 GMT
< Location: /accounts/login/?next=/api/v1/media/
< Referrer-Policy: same-origin
< Server: nginx/1.14.2
< Vary: Cookie
< X-Content-Type-Options: nosniff
<
* Connection #0 to host mediacms.example.com left intact

To Reproduce

Steps to reproduce the issue:

  1. Set GLOBAL_LOGIN_REQUIRED = true
  2. Perform any API Request

Expected behavior

REST Endpoint takes the provided authorization header and logs in the user.

tschig avatar Feb 20 '22 15:02 tschig

I don't have the time to debug this, adding this link for reference with ways this could work: https://www.django-rest-framework.org/api-guide/authentication/

mgogoulos avatar Feb 24 '22 13:02 mgogoulos

that's because of the LOGIN_REQUIRED_IGNORE_PATHS list set in cms/settings.py:

LOGIN_REQUIRED_IGNORE_PATHS = [
    r'/accounts/login/$',
    r'/accounts/logout/$',
    r'/accounts/signup/$',
]

just add a regex for the api endpoint and that's enough:

LOGIN_REQUIRED_IGNORE_PATHS = [
    r'/accounts/login/$',
    r'/accounts/logout/$',
    r'/accounts/signup/$',
    r'/api/v[0-9]+/',
]

masavini avatar Jul 21 '22 00:07 masavini

hey @masavini thanks for this! Do you want to create a PR so I can test it and merge it? Thanks!

mgogoulos avatar Jul 21 '22 10:07 mgogoulos

just did it (and tested, as well)! #483

masavini avatar Jul 21 '22 11:07 masavini

> that's because of the LOGIN_REQUIRED_IGNORE_PATHS list set in cms/settings.py:
>
> LOGIN_REQUIRED_IGNORE_PATHS = [
>     r'/accounts/login/$',
>     r'/accounts/logout/$',
>     r'/accounts/signup/$',
> ]
>
> just add a regex for the api endpoint and that's enough:
>
> LOGIN_REQUIRED_IGNORE_PATHS = [
>     r'/accounts/login/$',
>     r'/accounts/logout/$',
>     r'/accounts/signup/$',
>     r'/api/v[0-9]+/',
> ]

... are you suggesting to not use authentication to access the API? It's very wrong imho.

Sgar80 avatar Oct 27 '22 13:10 Sgar80

@Sgar80

> ... are you suggesting to not use authentication to access the API?

yes, the API uses another authentication system.

masavini avatar Oct 27 '22 15:10 masavini
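To make the exchange above concrete, here is an added model (not MediaCMS's own middleware, and not code from this thread) of the two layers being discussed: the global-login redirect that consults LOGIN_REQUIRED_IGNORE_PATHS, and the API view's own credential check that still runs once a path is exempted. The matching-from-path-start behaviour, the function names and the Authorization header handling are assumptions made for illustration.

```python
import re
from typing import Dict, Iterable, Tuple

# Exempt-path lists exactly as posted in the thread.
ORIGINAL_IGNORE_PATHS = [
    r'/accounts/login/$',
    r'/accounts/logout/$',
    r'/accounts/signup/$',
]
PATCHED_IGNORE_PATHS = ORIGINAL_IGNORE_PATHS + [r'/api/v[0-9]+/']


def is_exempt(path: str, patterns: Iterable[str]) -> bool:
    """True if the request path is exempt from the global login redirect.

    Assumption of this model: patterns are matched from the start of the
    path with re.match. That is why the account URLs carry a trailing '$'
    (exact page only) while the API entry has none (it covers every
    sub-path under /api/v<N>/).
    """
    return any(re.match(p, path) for p in patterns)


def global_login_middleware(path: str, user_authenticated: bool,
                            patterns: Iterable[str]) -> Tuple[int, str]:
    """Simulated middleware outcome: (status, location or body).

    Mirrors the 302 seen in the issue's curl output: an unauthenticated
    session on a non-exempt path is sent to the login page with ?next=.
    """
    if user_authenticated or is_exempt(path, patterns):
        return (200, "passed to view")
    return (302, f"/accounts/login/?next={path}")


def api_view(headers: Dict[str, str]) -> int:
    """Simulated API-level gate (the 'other authentication system').

    Exempting /api/ from the redirect does not make it anonymous: the view
    still rejects requests without credentials, answering 401 rather than
    redirecting to an HTML login page. Basic/Token prefixes are assumed.
    """
    auth = headers.get("Authorization", "")
    return 200 if auth.startswith(("Basic ", "Token ")) else 401
```

Run the two middleware calls side by side to see why the issue's request got a 302 before the patch and reaches the view after it, while a request with no Authorization header is still refused at the view.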

merged

mgogoulos avatar Nov 29 '22 08:11 mgogoulos