inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2025-04-30 20:46:47 +00:00
Code

Files under /media require session to be authenticated

Browse Source 
References:

- https://docs.djangoproject.com/en/3.2/howto/deployment/wsgi/apache-auth/
- https://stackoverflow.com/questions/46421589/nginx-location-and-django-auth
- https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
- https://pawamoy.github.io/posts/django-auth-server-for-shiny/
This commit is contained in:
Oliver Walters 2021-06-16 21:30:25 +10:00
parent 058fc57ff1
commit acd7322ff0
3 changed files with 31 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
InvenTree/InvenTree/urls.py
View File

@ -37,6 +37,7 @@ from django.conf.urls.static import static
from django.views.generic.base import RedirectView from django.views.generic.base import RedirectView
from rest_framework.documentation import include_docs_urls from rest_framework.documentation import include_docs_urls
from .views import auth_request
from .views import IndexView, SearchView, DatabaseStatsView from .views import IndexView, SearchView, DatabaseStatsView
from .views import SettingsView, EditUserView, SetPasswordView from .views import SettingsView, EditUserView, SetPasswordView
from .views import CurrencySettingsView, CurrencyRefreshView from .views import CurrencySettingsView, CurrencyRefreshView
@ -155,6 +156,8 @@ urlpatterns = [
url(r'^search/', SearchView.as_view(), name='search'), url(r'^search/', SearchView.as_view(), name='search'),
url(r'^stats/', DatabaseStatsView.as_view(), name='stats'), url(r'^stats/', DatabaseStatsView.as_view(), name='stats'),
url(r'^auth/?', auth_request),
url(r'^api/', include(apipatterns)), url(r'^api/', include(apipatterns)),
url(r'^api-doc/', include_docs_urls(title='InvenTree API')), url(r'^api-doc/', include_docs_urls(title='InvenTree API')),

15
InvenTree/InvenTree/views.py
View File

@ -10,7 +10,7 @@ from __future__ import unicode_literals
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from django.template.loader import render_to_string from django.template.loader import render_to_string
from django.http import JsonResponse, HttpResponseRedirect from django.http import HttpResponse, JsonResponse, HttpResponseRedirect
from django.urls import reverse_lazy from django.urls import reverse_lazy
from django.conf import settings from django.conf import settings
@ -36,6 +36,19 @@ from .helpers import str2bool
from rest_framework import views from rest_framework import views
def auth_request(request):
"""
Simple 'auth' endpoint used to determine if the user is authenticated.
Useful for (for example) redirecting authentication requests through
django's permission framework.
"""
if request.user.is_authenticated:
return HttpResponse(status=200)
else:
return HttpResponse(status=403)
class TreeSerializer(views.APIView): class TreeSerializer(views.APIView):
""" JSON View for serializing a Tree object. """ JSON View for serializing a Tree object.

19
docker/nginx.conf
View File

@ -1,3 +1,4 @@
server { server {
# Listen for connection on (internal) port 80 # Listen for connection on (internal) port 80
@ -37,12 +38,20 @@ server {
# Redirect any requests for media files # Redirect any requests for media files
location /media/ { location /media/ {
alias /var/www/media/; alias /var/www/media/;
autoindex on;
# Caching settings # Media files require user authentication
expires 30d; auth_request /auth;
add_header Pragma public; }
add_header Cache-Control "public";
# Use the 'user' API endpoint for auth
location /auth {
internal;
proxy_pass http://inventree-server:8000/auth/;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
} }
} }