mediacms-io / mediacms

MediaCMS is a modern, fully featured open source video and media CMS, written in Python/Django and React, featuring a REST API.
https://mediacms.io
GNU Affero General Public License v3.0
2.7k stars, 498 forks

Setting GLOBAL_LOGIN_REQUIRED = TRUE breaks API #418

Closed tschig closed 1 year ago

tschig commented 2 years ago

Describe the issue

I have set GLOBAL_LOGIN_REQUIRED to TRUE and after that, every request to the API gets a redirect to the login page as response:

C:\Users\justi>curl -v -X GET https://mediacms.example.com/api/v1/media/ -H "authorization: Basic base64(user:pass)"
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying IP:443...
* Connected to mediacms.example.com (IP) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> GET /api/v1/media/ HTTP/1.1
> Host: mediacms.example.com
> User-Agent: curl/7.79.1
> Accept: */*
> authorization: Basic base64(user:pass)
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: Content-Length,Content-Range
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
< Date: Sun, 20 Feb 2022 15:47:44 GMT
< Location: /accounts/login/?next=/api/v1/media/
< Referrer-Policy: same-origin
< Server: nginx/1.14.2
< Vary: Cookie
< X-Content-Type-Options: nosniff
<
* Connection #0 to host mediacms.example.com left intact

To Reproduce

Steps to reproduce the issue:

  1. Set GLOBAL_LOGIN_REQUIRED = true
  2. Perform any API Request

Expected behavior

REST Endpoint takes provided authorization header and logs in the user.

mgogoulos commented 2 years ago

I don't have the time to debug this, adding this link for reference with ways this could work: https://www.django-rest-framework.org/api-guide/authentication/

masavini commented 2 years ago

that's because of the LOGIN_REQUIRED_IGNORE_PATHS list set in cms/settings.py:

LOGIN_REQUIRED_IGNORE_PATHS = [
    r'/accounts/login/$',
    r'/accounts/logout/$',
    r'/accounts/signup/$',
]

just add a regex for the api endpoint and that's enough:

LOGIN_REQUIRED_IGNORE_PATHS = [
    r'/accounts/login/$',
    r'/accounts/logout/$',
    r'/accounts/signup/$',
    r'/api/v[0-9]+/',
]

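The thread's point (and the worry raised later in it) is that exempting /api/ from the site-wide login gate is only safe because the REST layer enforces its own authentication. The following is an added, self-contained Python sketch, not MediaCMS code, that models that split: a login-required middleware driven by an ignore list shaped like the settings above, in front of a toy API view that checks an Authorization header itself. The request dict layout, the user table, the view bodies and the choice of re.match for pattern matching are assumptions made for the demo; a real middleware may match patterns differently.

```python
import re
from base64 import b64decode, b64encode
from urllib.parse import quote

# Ignore list shaped like the settings.py entries quoted in the thread
# (hypothetical copy; the last entry is the one the thread adds).
IGNORE_PATHS_BEFORE = [
    r"/accounts/login/$",
    r"/accounts/logout/$",
    r"/accounts/signup/$",
]
IGNORE_PATHS_AFTER = IGNORE_PATHS_BEFORE + [r"/api/v[0-9]+/"]

# Constructed credential store for the demo (not real users).
USERS = {"alice": "s3cret"}


def is_login_exempt(path, patterns):
    """True if the request path matches one of the exempt patterns.

    Assumption: re.match anchors at the start of the path, so
    '/api/v[0-9]+/' only matches paths beginning with /api/v<digits>/.
    A middleware using re.search would also match that text mid-path.
    """
    return any(re.match(p, path) for p in patterns)


def basic_auth_user(headers):
    """Return the username from a valid 'Authorization: Basic ...' header, else None."""
    value = headers.get("authorization", "")
    if not value.lower().startswith("basic "):
        return None
    try:
        raw = b64decode(value.split(" ", 1)[1]).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user if USERS.get(user) == password else None


def api_view(request):
    """Toy REST endpoint that enforces its own authentication, as a DRF view would."""
    user = basic_auth_user(request["headers"])
    if user is None:
        return {"status": 401, "body": "Authentication credentials were not provided."}
    return {"status": 200, "body": {"user": user, "results": []}}


def login_required_middleware(request, view, patterns):
    """Site-wide login gate: anonymous requests are redirected unless the path is exempt."""
    path = request["path"]
    if request.get("session_user") or is_login_exempt(path, patterns):
        return view(request)
    return {"status": 302, "location": "/accounts/login/?next=" + quote(path)}


def handle(path, headers=None, session_user=None, patterns=IGNORE_PATHS_AFTER):
    """Run one request through the gate and on to the API view."""
    request = {"path": path, "headers": headers or {}, "session_user": session_user}
    return login_required_middleware(request, api_view, patterns)


def basic_header(user, password):
    """Build the header value curl sends for -u user:password."""
    return {"authorization": "Basic " + b64encode(f"{user}:{password}".encode()).decode()}


if __name__ == "__main__":
    # Before the fix: the gate answers 302 before the API ever sees the credentials.
    print(handle("/api/v1/media/", basic_header("alice", "s3cret"), patterns=IGNORE_PATHS_BEFORE))
    # After the fix: the gate steps aside, the API checks the header itself.
    print(handle("/api/v1/media/", basic_header("alice", "s3cret")))
    # Still after the fix, but with no credentials: 401 from the API, not open access.
    print(handle("/api/v1/media/"))
```

The last two calls are the part worth keeping in mind when reviewing an ignore list: an exempt path is not an unauthenticated path as long as the view behind it has its own permission check, and the check that matters is the 401 on a credential-less request, not the 200 on a valid one.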
mgogoulos commented 2 years ago

hey @masavini thanks for this! Do you want to create a PR so I can test it and merge it? Thanks!

masavini commented 2 years ago

just did it (and tested, as well)!

#483

Sgar80 commented 1 year ago

that's because of the LOGIN_REQUIRED_IGNORE_PATHS list set in cms/settings.py:

LOGIN_REQUIRED_IGNORE_PATHS = [
    r'/accounts/login/$',
    r'/accounts/logout/$',
    r'/accounts/signup/$',
]

just add a regex for the api endpoint and that's enough:

LOGIN_REQUIRED_IGNORE_PATHS = [
    r'/accounts/login/$',
    r'/accounts/logout/$',
    r'/accounts/signup/$',
    r'/api/v[0-9]+/',
]

... are you suggesting to not use authentication to access the API? It's very wrong imho.

masavini commented 1 year ago

@Sgar80

... are you suggesting to not use authentication to access the API?

yes, the API uses another authentication system.

mgogoulos commented 1 year ago

merged