Security: disallow API remote-user auth if disabled (#6739)

2025-11-03 19:17:13 -05:00 · 2024-05-15 13:18:50 -07:00 · 2024-05-15 13:18:50 -07:00 · ed05b40ba4
commit ed05b40ba4
parent 97eec44647
2 changed files with 44 additions and 0 deletions
--- a/src/paperless/auth.py
+++ b/src/paperless/auth.py
@ -52,6 +52,17 @@ class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):

    header = settings.HTTP_REMOTE_USER_HEADER_NAME

+    def process_request(self, request: HttpRequest) -> None:
+        # If remote user auth is enabled only for the frontend, not the API,
+        # then we need dont want to authenticate the user for API requests.
+        if (
+            "/api/" in request.path
+            and "paperless.auth.PaperlessRemoteUserAuthentication"
+            not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
+        ):
+            return
+        return super().process_request(request)
+

 class PaperlessRemoteUserAuthentication(authentication.RemoteUserAuthentication):
    """
--- a/src/paperless/tests/test_remote_user.py
+++ b/src/paperless/tests/test_remote_user.py
@ -2,6 +2,7 @@ import os
 from unittest import mock

 from django.contrib.auth.models import User
+from django.test import override_settings
 from rest_framework import status
 from rest_framework.test import APITestCase

@ -88,6 +89,38 @@ class TestRemoteUser(DirectoriesMixin, APITestCase):

            self.assertEqual(response.status_code, status.HTTP_200_OK)

+    @override_settings(
+        REST_FRAMEWORK={
+            "DEFAULT_AUTHENTICATION_CLASSES": [
+                "rest_framework.authentication.BasicAuthentication",
+                "rest_framework.authentication.TokenAuthentication",
+                "rest_framework.authentication.SessionAuthentication",
+            ],
+        },
+    )
+    def test_remote_user_api_disabled(self):
+        """
+        GIVEN:
+            - Configured user
+            - Remote user auth enabled for frontend but disabled for the API
+            - Note that REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] is set in settings.py in production
+        WHEN:
+            - API call is made to get documents
+        THEN:
+            - Call fails
+        """
+        response = self.client.get(
+            "/api/documents/",
+            headers={
+                "Remote-User": self.user.username,
+            },
+        )
+
+        self.assertIn(
+            response.status_code,
+            [status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN],
+        )
+
    def test_remote_user_header_setting(self):
        """
        GIVEN: