[PUI] Login / Logout State Fixes (#6368)

* Fix API endpoint URLs * Adds "authenticated" field to root API endpoint * Load global status data separately - Create new global state manager - Load *after* login - Prevents auth popup dialog and failure messages * Add launch config for frontend dev * Update docs * Clear token auth if no token is defined * remove unneeded import * Revert format of InfoView endpoint * Remove "authenticated" from InfoView * Refactor is_staff token check - Using new get_token_from_request method * Cleanup code - return early * URL fixes - More fixes for incorrect api calls * Better tracking of authenticated status - track an internal flag in apiState * Prioritize token auth * Only fetch userState if authenticated * Force unauthenticated state on first launch * Updates to login procedure - Rename doClassicLogin to doBasicLogin (reflecting "basic" auth) - Add "loggedIn" attribute to sessionState - Cleanup procedure for securing a token * Abort early on checkLoginState - Prevent failed calls to user_me * Refactoring - Simpler to just track token state - No need for separate status tracker - Works much cleaner this way * Remove debug messages * Cleanup unused imports * Fix unused variable * Revert timeout to 2000ms * Rename doClassicLogout -> doLogout * Improvements for checkLoginState - Account for the presence of a CSRF session cookie - If available, use it to fetch a token * Clear CSRF cookie on logout - Forces logout from session - Tested, works well! - Clean up notifications * Cleanup setApiDefaults method * fix global logout (PUI -> CUI) --------- Co-authored-by: Matthias Mair <code@mjmair.com>
2025-09-18 08:31:33 +00:00 · 2024-02-02 12:02:55 +11:00
parent ec2a66e7a5
commit f97cdef9fc
22 changed files with 332 additions and 156 deletions
--- a/InvenTree/InvenTree/api.py
+++ b/InvenTree/InvenTree/api.py
@@ -120,36 +120,32 @@ class InfoView(AjaxView):
            'email_configured': is_email_configured(),
            'debug_mode': settings.DEBUG,
            'docker_mode': settings.DOCKER,
+            'default_locale': settings.LANGUAGE_CODE,
+            # Following fields are only available to staff users
            'system_health': check_system_health() if is_staff else None,
            'database': InvenTree.version.inventreeDatabase() if is_staff else None,
            'platform': InvenTree.version.inventreePlatform() if is_staff else None,
            'installer': InvenTree.version.inventreeInstaller() if is_staff else None,
            'target': InvenTree.version.inventreeTarget() if is_staff else None,
-            'default_locale': settings.LANGUAGE_CODE,
        }

        return JsonResponse(data)

    def check_auth_header(self, request):
        """Check if user is authenticated via a token in the header."""
-        # TODO @matmair: remove after refacgtor of Token check is done
-        headers = request.headers.get(
-            'Authorization', request.headers.get('authorization')
-        )
-        if not headers:
-            return False
+        from InvenTree.middleware import get_token_from_request

-        auth = headers.strip()
-        if not (auth.lower().startswith('token') and len(auth.split()) == 2):
-            return False
+        if token := get_token_from_request(request):
+            # Does the provided token match a valid user?
+            try:
+                token = ApiToken.objects.get(key=token)
+
+                # Check if the token is active and the user is a staff member
+                if token.active and token.user and token.user.is_staff:
+                    return True
+            except ApiToken.DoesNotExist:
+                pass

-        token_key = auth.split()[1]
-        try:
-            token = ApiToken.objects.get(key=token_key)
-            if token.active and token.user and token.user.is_staff:
-                return True
-        except ApiToken.DoesNotExist:
-            pass
        return False


--- a/InvenTree/InvenTree/middleware.py
+++ b/InvenTree/InvenTree/middleware.py
@@ -23,8 +23,6 @@ def get_token_from_request(request):
    auth_keys = ['Authorization', 'authorization']
    token_keys = ['token', 'bearer']

-    token = None
-
    for k in auth_keys:
        if auth_header := request.headers.get(k, None):
            auth_header = auth_header.strip().lower().split()
@@ -32,9 +30,9 @@ def get_token_from_request(request):
            if len(auth_header) > 1:
                if auth_header[0].strip().lower().replace(':', '') in token_keys:
                    token = auth_header[1]
-                    break
+                    return token

-    return token
+    return None


 class AuthRequiredMiddleware(object):
--- a/InvenTree/InvenTree/settings.py
+++ b/InvenTree/InvenTree/settings.py
@@ -445,9 +445,9 @@ REST_FRAMEWORK = {
    'EXCEPTION_HANDLER': 'InvenTree.exceptions.exception_handler',
    'DATETIME_FORMAT': '%Y-%m-%d %H:%M',
    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'users.authentication.ApiTokenAuthentication',
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
-        'users.authentication.ApiTokenAuthentication',
    ),
    'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination',
    'DEFAULT_PERMISSION_CLASSES': (