See #75: dedicated token for subsonic API access

2018-05-08 16:31:19 +02:00 · 2018-05-08 16:31:19 +02:00 · 9682299480
commit 9682299480
parent 99c02b4f7e
4 changed files with 47 additions and 0 deletions
--- a/api/funkwhale_api/users/models.py
+++ b/api/funkwhale_api/users/models.py
@ -2,6 +2,7 @@
 from __future__ import unicode_literals, absolute_import

 import uuid
+import secrets

 from django.conf import settings
 from django.contrib.auth.models import AbstractUser
@ -38,6 +39,13 @@ class User(AbstractUser):

    privacy_level = fields.get_privacy_field()

+    # Unfortunately, Subsonic API assumes a MD5/password authentication
+    # scheme, which is weak in terms of security, and not achievable
+    # anyway since django use stronger schemes for storing passwords.
+    # Users that want to use the subsonic API from external client
+    # should set this token and use it as their password in such clients
+    subsonic_api_token = models.CharField(
+        blank=True, null=True, max_length=255)

    def __str__(self):
        return self.username
@ -49,9 +57,15 @@ class User(AbstractUser):
        self.secret_key = uuid.uuid4()
        return self.secret_key

+    def update_subsonic_api_token(self):
+        self.subsonic_api_token = secrets.token_hex(32)
+        return self.subsonic_api_token
+
    def set_password(self, raw_password):
        super().set_password(raw_password)
        self.update_secret_key()
+        if self.subsonic_api_token:
+            self.update_subsonic_api_token()

    def get_activity_url(self):
        return settings.FUNKWHALE_URL + '/@{}'.format(self.username)