From 4837a05c71fd23872643e27ee1301b848628c2f6 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Thu, 18 Apr 2024 18:50:13 +0200
Subject: [PATCH 1/3] simplify the logic

---
 core/admin/mailu/api/common.py | 14 +++----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/core/admin/mailu/api/common.py b/core/admin/mailu/api/common.py
index 331fdf4e..72e6c269 100644
--- a/core/admin/mailu/api/common.py
+++ b/core/admin/mailu/api/common.py
@@ -24,19 +24,11 @@ def api_token_authorization(func):
         if utils.limiter.should_rate_limit_ip(client_ip):
             abort(429, 'Too many attempts from your IP (rate-limit)' )
         if not request.headers.get('Authorization'):
-            abort(401, 'A valid Bearer token is expected which is provided as request header')
-        #Client provides 'Authentication: Bearer '
-        if (' ' in request.headers.get('Authorization')
-            and not hmac.compare_digest(request.headers.get('Authorization'), 'Bearer ' + v1.api_token)):
+            abort(401, 'A valid Authorization header is mandatory')
+        if (not hmac.compare_digest(request.headers.get('Authorization').removeprefix('Bearer '), v1.api_token)):
             utils.limiter.rate_limit_ip(client_ip)
             flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
-            abort(403, 'A valid Bearer token is expected which is provided as request header')
-        #Client provides 'Authentication: '
-        elif (' ' not in request.headers.get('Authorization')
-            and not hmac.compare_digest(request.headers.get('Authorization'), v1.api_token)):
-            utils.limiter.rate_limit_ip(client_ip)
-            flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
-            abort(403, 'A valid Bearer token is expected which is provided as request header')
+            abort(403, 'Invalid API token')
         flask.current_app.logger.info(f'Valid API token provided by {client_ip}.')
         return func(*args, **kwds)
     return decorated_function
From 2db75921a2f49fca8bfbb79efd1b762336f1d920 Mon Sep 17 00:00:00 2001
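Review bot: The new comparison line `if (not hmac.compare_digest(request.headers.get('Authorization').removeprefix('Bearer '), v1.api_token)):` raises `TypeError` whenever either string contains a non-ASCII character, because `hmac.compare_digest` only accepts ASCII `str` operands; a client that sends non-ASCII bytes in the header (which Werkzeug passes through as latin-1 text, as far as I can tell) therefore gets a 500 and never reaches `utils.limiter.rate_limit_ip`, instead of the 403 this branch intends. Comparing bytes closes that gap: `token = request.headers.get('Authorization').removeprefix('Bearer ').encode('utf-8')` followed by `if not hmac.compare_digest(token, v1.api_token.encode('utf-8')):`. The pre-patch code had the same weakness, so this is not a regression, but the simplified form is the right place to fix it. `removeprefix('Bearer ')` is also case-sensitive while the HTTP auth-scheme is case-insensitive per RFC 7235, so `bearer <token>` is rejected; a one-line comment such as `# only the exact 'Bearer ' prefix is stripped; a bare token is also accepted` would make that deliberate. The decorated function begins before this hunk.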
From: Florent Daigniere
Date: Sat, 20 Apr 2024 08:46:47 +0200
Subject: [PATCH 2/3] Ensure we have an api_token

---
 core/admin/mailu/api/common.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/admin/mailu/api/common.py b/core/admin/mailu/api/common.py
index 72e6c269..6dc75a88 100644
--- a/core/admin/mailu/api/common.py
+++ b/core/admin/mailu/api/common.py
@@ -25,7 +25,7 @@ def api_token_authorization(func):
             abort(429, 'Too many attempts from your IP (rate-limit)' )
         if not request.headers.get('Authorization'):
             abort(401, 'A valid Authorization header is mandatory')
-        if (not hmac.compare_digest(request.headers.get('Authorization').removeprefix('Bearer '), v1.api_token)):
+        if len(v1.api_token) < 4 or not hmac.compare_digest(request.headers.get('Authorization').removeprefix('Bearer '), v1.api_token):
             utils.limiter.rate_limit_ip(client_ip)
             flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
             abort(403, 'Invalid API token')
From 12ccdebd20b81efb6c48cfb565a839520983b4e8 Mon Sep 17 00:00:00 2001
From: Dimitri Huisman
Date: Sun, 9 Jun 2024 09:44:42 +0000
Subject: [PATCH 3/3] Update documentation with new length requirement for API_TOKEN

---
 docs/api.rst | 2 +-
 docs/configuration.rst | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/api.rst b/docs/api.rst
index f1c01b85..c483b798 100644
--- a/docs/api.rst
+++ b/docs/api.rst
@@ -12,7 +12,7 @@ It can also be manually configured via mailu.env:
 * ``API`` - Expose the API interface (value: true, false)
 * ``WEB_API`` - Path to the API interface
-* ``API_TOKEN`` - API token for authentication
+* ``API_TOKEN`` - API token for authentication (with minimum length of 3 characters)
 For more information refer to the detailed descriptions in the :ref:`configuration reference `.
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 50a576fd..f0eb6c96 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
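Review bot: The new guard `len(v1.api_token) < 4` rejects a token of exactly 3 characters, but the documentation added in the third patch of this series (docs/api.rst and docs/configuration.rst) promises a minimum of 3; either the check should read `< 3` or the docs should say 4. The guard also does not cover the case the subject line names, an absent token: docs/configuration.rst in this series lists `API_TOKEN` as `default: None`, and `len(None)` raises `TypeError` (a 500) before `compare_digest` runs, so if `None` can actually reach this decorator the line should be `if not v1.api_token or len(v1.api_token) < 4 or not hmac.compare_digest(request.headers.get('Authorization').removeprefix('Bearer '), v1.api_token):`. Finally, a too-short token is a server-side misconfiguration, yet the branch logs `Invalid API token provided by {client_ip}` and rate-limits the client; a distinct log message for that case, or a length check when the configuration is loaded, would keep the 403 path's log meaningful. The decorated function begins before this hunk.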
@@ -218,6 +218,7 @@ Advanced settings
 The ``AUTH_REQUIRE_TOKENS`` (default: False) setting controls whether thick clients can authenticate using passwords or whether they are forced to use tokens/application specific passwords.
 The ``API_TOKEN`` (default: None) setting configures the authentication token.
+The minimum length is 3 characters.
 This token must be passed as request header to the API as authentication token. This is a mandatory setting for using the RESTful API.