Fix unsafe requests with remote user auth

2024-01-13 20:14:21 -08:00 · 2024-01-13 20:14:21 -08:00 · 62b8be1a10
commit 62b8be1a10
parent 2e2362e2df
2 changed files with 11 additions and 2 deletions
--- a/src/paperless/auth.py
+++ b/src/paperless/auth.py
@ -47,3 +47,11 @@ class HttpRemoteUserMiddleware(PersistentRemoteUserMiddleware):
    """

    header = settings.HTTP_REMOTE_USER_HEADER_NAME
+
+
+class PaperlessRemoteUserAuthentication(authentication.RemoteUserAuthentication):
+    """
+    REMOTE_USER authentication for DRF which overrides the default header.
+    """
+
+    header = settings.HTTP_REMOTE_USER_HEADER_NAME
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@ -429,8 +429,9 @@ HTTP_REMOTE_USER_HEADER_NAME = os.getenv(
 if ENABLE_HTTP_REMOTE_USER:
    MIDDLEWARE.append("paperless.auth.HttpRemoteUserMiddleware")
    AUTHENTICATION_BACKENDS.insert(0, "django.contrib.auth.backends.RemoteUserBackend")
-    REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].append(
-        "rest_framework.authentication.RemoteUserAuthentication",
+    REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"].insert(
+        0,
+        "paperless.auth.PaperlessRemoteUserAuthentication",
    )

 # X-Frame options for embedded PDF display: