diff --git a/core/admin/mailu/api/common.py b/core/admin/mailu/api/common.py
index 331fdf4e..6dc75a88 100644
--- a/core/admin/mailu/api/common.py
+++ b/core/admin/mailu/api/common.py
@@ -24,19 +24,11 @@ def api_token_authorization(func):
 if utils.limiter.should_rate_limit_ip(client_ip):
 abort(429, 'Too many attempts from your IP (rate-limit)' )
 if not request.headers.get('Authorization'):
- abort(401, 'A valid Bearer token is expected which is provided as request header') #Client provides 'Authentication: Bearer ' if (' ' in request.headers.get('Authorization') and not hmac.compare_digest(request.headers.get('Authorization'), 'Bearer ' + v1.api_token)):
+ abort(401, 'A valid Authorization header is mandatory')
+ if len(v1.api_token) < 4 or not hmac.compare_digest(request.headers.get('Authorization').removeprefix('Bearer '), v1.api_token):
 utils.limiter.rate_limit_ip(client_ip)
 flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
- abort(403, 'A valid Bearer token is expected which is provided as request header') #Client provides 'Authentication: ' elif (' ' not in request.headers.get('Authorization') and not hmac.compare_digest(request.headers.get('Authorization'), v1.api_token)): utils.limiter.rate_limit_ip(client_ip) flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.') abort(403, 'A valid Bearer token is expected which is provided as request header')
+ abort(403, 'Invalid API token')
 flask.current_app.logger.info(f'Valid API token provided by {client_ip}.')
 return func(*args, **kwds)
 return decorated_function
diff --git a/docs/api.rst b/docs/api.rst
index f1c01b85..c483b798 100644
--- a/docs/api.rst
+++ b/docs/api.rst
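Review bot: The new guard on the `+ if len(v1.api_token) < 4 or not hmac.compare_digest(...)` line rejects any configured token shorter than four characters, while the docs added in the same commit promise a minimum of three, so a three-character `API_TOKEN` makes every request fail with 403 `Invalid API token` and rate-limits the caller's IP for what is really a server-side misconfiguration. The threshold and the docs need to agree (e.g. `if len(v1.api_token) < 3 or not hmac.compare_digest(request.headers.get('Authorization').removeprefix('Bearer '), v1.api_token):`), and because this is a property of the configuration rather than of the request it would be better validated once where `API_TOKEN` is loaded (outside this hunk) so a bad token fails loudly at startup instead of being reported per request as an attacker-side error. If `v1.api_token` can still be `None` here (the docs state the default is None), `len(v1.api_token)` raises `TypeError` and the request ends in a 500 rather than the intended 4xx; an `if not v1.api_token or ...` guard, or the startup check above, covers that. `str.removeprefix` also requires Python 3.9+, which is presumably fine for this project but worth confirming against the supported interpreter. `api_token_authorization` and its inner `decorated_function` begin before this hunk.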
@@ -12,7 +12,7 @@ It can also be manually configured via mailu.env:
 * ``API`` - Expose the API interface (value: true, false)
 * ``WEB_API`` - Path to the API interface
-* ``API_TOKEN`` - API token for authentication
+* ``API_TOKEN`` - API token for authentication (with minimum length of 3 characters)
 For more information refer to the detailed descriptions in the :ref:`configuration reference `.
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 50a576fd..f0eb6c96 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -218,6 +218,7 @@ Advanced settings
 The ``AUTH_REQUIRE_TOKENS`` (default: False) setting controls whether thick clients can authenticate using passwords or whether they are forced to use tokens/application specific passwords.
 The ``API_TOKEN`` (default: None) setting configures the authentication token.
+The minimum length is 3 characters.
 This token must be passed as request header to the API as authentication token. This is a mandatory setting for using the RESTful API.