Commit 058fd28d authored by Tanner Prestegard's avatar Tanner Prestegard Committed by GraceDB
Browse files

Prevent certificate or basic auth on AJAX requests to the API

Discovered that AJAX requests to the API from the web view were
using certificates in people's browsers even if they were logged
out of the Django session.  So when they wanted to view the page
as a public user they still saw some extra information.

No security risk since they needed to have a valid certificate
anyway, but a bit annoying.
parent e6e2a9f3
...@@ -22,6 +22,7 @@ logger = logging.getLogger(__name__) ...@@ -22,6 +22,7 @@ logger = logging.getLogger(__name__)
class GraceDbBasicAuthentication(authentication.BasicAuthentication): class GraceDbBasicAuthentication(authentication.BasicAuthentication):
allow_ajax = False
api_only = True api_only = True
def authenticate(self, request, *args, **kwargs): def authenticate(self, request, *args, **kwargs):
...@@ -33,6 +34,11 @@ class GraceDbBasicAuthentication(authentication.BasicAuthentication): ...@@ -33,6 +34,11 @@ class GraceDbBasicAuthentication(authentication.BasicAuthentication):
if self.api_only and not is_api_request(request.path): if self.api_only and not is_api_request(request.path):
return None return None
# Don't allow this auth type for AJAX requests, since we don't want it
# to work for API requests made by the web views.
if request.is_ajax() and not self.allow_ajax:
return None
# Call base class authenticate() method # Call base class authenticate() method
return super(GraceDbBasicAuthentication, self).authenticate(request) return super(GraceDbBasicAuthentication, self).authenticate(request)
...@@ -62,6 +68,7 @@ class GraceDbX509Authentication(authentication.BaseAuthentication): ...@@ -62,6 +68,7 @@ class GraceDbX509Authentication(authentication.BaseAuthentication):
Authentication based on X509 certificate subject. Authentication based on X509 certificate subject.
Certificate should be verified by Apache already. Certificate should be verified by Apache already.
""" """
allow_ajax = False
api_only = True api_only = True
www_authenticate_realm = 'api' www_authenticate_realm = 'api'
subject_dn_header = getattr(settings, 'X509_SUBJECT_DN_HEADER', subject_dn_header = getattr(settings, 'X509_SUBJECT_DN_HEADER',
...@@ -75,6 +82,13 @@ class GraceDbX509Authentication(authentication.BaseAuthentication): ...@@ -75,6 +82,13 @@ class GraceDbX509Authentication(authentication.BaseAuthentication):
if self.api_only and not is_api_request(request.path): if self.api_only and not is_api_request(request.path):
return None return None
# Don't allow this auth type for AJAX requests - this is because
# users with certificates in their browser can still authenticate via
# this mechanism in the web view (since it makes API queries), even
# when they are not logged in.
if request.is_ajax() and not self.allow_ajax:
return None
# Try to get credentials from request headers. # Try to get credentials from request headers.
user_cert_dn = self.get_cert_dn_from_request(request) user_cert_dn = self.get_cert_dn_from_request(request)
...@@ -166,6 +180,7 @@ class GraceDbX509CertInfosAuthentication(GraceDbX509Authentication): ...@@ -166,6 +180,7 @@ class GraceDbX509CertInfosAuthentication(GraceDbX509Authentication):
Authentication based on X509 "infos" header. Authentication based on X509 "infos" header.
Certificate should be verified by Traefik already. Certificate should be verified by Traefik already.
""" """
allow_ajax = False
api_only = True api_only = True
infos_header = getattr(settings, 'X509_INFOS_HEADER', infos_header = getattr(settings, 'X509_INFOS_HEADER',
'HTTP_X_FORWARDED_TLS_CLIENT_CERT_INFOS') 'HTTP_X_FORWARDED_TLS_CLIENT_CERT_INFOS')
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment