Support session/cookie based auth, see #1108

2020-05-18 12:03:30 +02:00 · 2020-05-18 12:03:30 +02:00 · 550dbe46cc
commit 550dbe46cc
parent a9ba323b13
14 changed files with 172 additions and 62 deletions
--- a/api/config/api_urls.py
+++ b/api/config/api_urls.py
@ -77,9 +77,11 @@ v1_patterns += [
        r"^history/",
        include(("funkwhale_api.history.urls", "history"), namespace="history"),
    ),
+    url(r"^", include(("funkwhale_api.users.api_urls", "users"), namespace="users"),),
+    # XXX: 1.0: remove this
    url(
        r"^users/",
-        include(("funkwhale_api.users.api_urls", "users"), namespace="users"),
+        include(("funkwhale_api.users.api_urls", "users"), namespace="users-nested"),
    ),
    url(
        r"^oauth/",
--- a/api/config/routing.py
+++ b/api/config/routing.py
@ -1,14 +1,19 @@
+from channels.auth import AuthMiddlewareStack
 from channels.routing import ProtocolTypeRouter, URLRouter
-from django.conf.urls import url

+from django.conf.urls import url
 from funkwhale_api.common.auth import TokenAuthMiddleware
 from funkwhale_api.instance import consumers

 application = ProtocolTypeRouter(
    {
        # Empty for now (http->django views is added by default)
-        "websocket": TokenAuthMiddleware(
-            URLRouter([url("^api/v1/activity$", consumers.InstanceActivityConsumer)])
+        "websocket": AuthMiddlewareStack(
+            TokenAuthMiddleware(
+                URLRouter(
+                    [url("^api/v1/activity$", consumers.InstanceActivityConsumer)]
+                )
+            )
        )
    }
 )
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@ -276,10 +276,12 @@ MIDDLEWARE = tuple(ADDITIONAL_MIDDLEWARES_BEFORE) + (
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
    "corsheaders.middleware.CorsMiddleware",
-    "funkwhale_api.common.middleware.SPAFallbackMiddleware",
+    # needs to be before SPA middleware
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
+    # /end
+    "funkwhale_api.common.middleware.SPAFallbackMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "funkwhale_api.users.middleware.RecordActivityMiddleware",
@ -998,6 +1000,10 @@ THROTTLING_RATES = {
        "rate": THROTTLING_USER_RATES.get("oauth-revoke-token", "100/hour"),
        "description": "OAuth token deletion",
    },
+    "login": {
+        "rate": THROTTLING_USER_RATES.get("login", "30/hour"),
+        "description": "Login",
+    },
    "jwt-login": {
        "rate": THROTTLING_USER_RATES.get("jwt-login", "30/hour"),
        "description": "JWT token creation",