diff --git a/src/paperless/auth.py b/src/paperless/auth.py
index ba9320b5d..6ca97d608 100644
--- a/src/paperless/auth.py
+++ b/src/paperless/auth.py
@@ -52,6 +52,17 @@ class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):
     header = settings.HTTP_REMOTE_USER_HEADER_NAME
 
+    def process_request(self, request: HttpRequest) -> None:
+        # If remote user auth is enabled only for the frontend, not the API,
+        # then we need dont want to authenticate the user for API requests.
+        if (
+            "/api/" in request.path
+            and "paperless.auth.PaperlessRemoteUserAuthentication"
+            not in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]
+        ):
+            return
+        return super().process_request(request)
+
 
 class PaperlessRemoteUserAuthentication(authentication.RemoteUserAuthentication):
     """
diff --git a/src/paperless/tests/test_remote_user.py b/src/paperless/tests/test_remote_user.py
index c5d7a6db4..ac45056e4 100644
--- a/src/paperless/tests/test_remote_user.py
+++ b/src/paperless/tests/test_remote_user.py
@@ -88,6 +88,46 @@ class TestRemoteUser(DirectoriesMixin, APITestCase):
         self.assertEqual(response.status_code, status.HTTP_200_OK)
 
+    def test_remote_user_api_disabled(self):
+        """
+        GIVEN:
+            - Configured user
+            - Remote user auth is disabled for the API
+        WHEN:
+            - API call is made to get documents
+        THEN:
+            - Call fails
+        """
+
+        with mock.patch.dict(
+            os.environ,
+            {
+                "PAPERLESS_ENABLE_HTTP_REMOTE_USER": "True",
+                "PAPERLESS_ENABLE_HTTP_REMOTE_USER_API": "False",
+            },
+        ):
+            _parse_remote_user_settings()
+
+        response = self.client.get("/api/documents/")
+
+        # 403 testing locally, 401 on ci...
+        self.assertIn(
+            response.status_code,
+            [status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN],
+        )
+
+        response = self.client.get(
+            "/api/documents/",
+            headers={
+                "Remote-User": self.user.username,
+            },
+        )
+
+        self.assertIn(
+            response.status_code,
+            [status.HTTP_401_UNAUTHORIZED, status.HTTP_403_FORBIDDEN],
+        )
+
     def test_remote_user_header_setting(self):
         """
         GIVEN:
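Review bot: The API bypass in `process_request` keys on `"/api/" in request.path`, a substring test that also fires for any path merely containing that segment elsewhere and, conversely, does not anchor on the API root; if the intent is "requests under the API prefix", `request.path.startswith("/api/")` states it precisely and is easier to reason about when auditing which routes still trust the remote-user header. The settings lookup `settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]` is evaluated on every request and raises KeyError if a deployment's REST_FRAMEWORK lacks that key (probably always present in this project, but `.get("DEFAULT_AUTHENTICATION_CLASSES", [])` costs nothing). The comment has a typo: `# then we dont want to authenticate the user for API requests.` would read as intended; a short note that this deliberately leaves API requests to DRF's own authentication classes so the header is not trusted there would help the next reader. The `-> None` annotation is fine as long as the parent's `process_request` returns None, which the early `return` on the new branch already assumes; the rest of HttpRemoteUserMiddleware lies outside the hunk.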
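Review bot: `test_remote_user_api_disabled` accepts either 401 or 403 for both requests, so it would still pass if the second request were rejected for an unrelated reason, and it never checks the property the change is about, namely that the `Remote-User` header did not authenticate anyone on the API path; adding `self.assertFalse(response.wsgi_request.user.is_authenticated)` after each call pins that directly, and the "403 locally, 401 on ci" comment could then say that the status depends on which DRF authentication class is first rather than leaving it as a puzzle. The test calls `_parse_remote_user_settings()` inside the `mock.patch.dict` block, but nothing in the method restores whatever that helper changed once the environment patch exits; if it mutates module-level settings, later tests in this class inherit the API-disabled state, so either call it again outside the block or reset in `tearDown` (the class setup is outside the hunk, so this may already be handled). The header name is hard-coded as `"Remote-User"` while the middleware reads `settings.HTTP_REMOTE_USER_HEADER_NAME`; using the setting keeps the test meaningful if the default changes.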