From f90bd4722c6e8588dace451eac0095a0fd4dc32e Mon Sep 17 00:00:00 2001 From: shamoon <4887959+shamoon@users.noreply.github.com> Date: Thu, 23 Nov 2023 00:15:18 -0800 Subject: [PATCH] Include auth token and generate auth token --- docs/api.md | 6 ++- .../profile-edit-dialog.component.html | 21 ++++++++ .../profile-edit-dialog.component.scss | 4 ++ .../profile-edit-dialog.component.spec.ts | 49 +++++++++++++++++-- .../profile-edit-dialog.component.ts | 47 ++++++++++++++---- src-ui/src/app/data/user-profile.ts | 1 + .../src/app/services/profile.service.spec.ts | 8 +++ src-ui/src/app/services/profile.service.ts | 7 +++ src/documents/tests/test_api.py | 25 +++++++++- src/paperless/serialisers.py | 4 +- src/paperless/urls.py | 2 + src/paperless/views.py | 42 ++++++++++------ 12 files changed, 185 insertions(+), 31 deletions(-) diff --git a/docs/api.md b/docs/api.md index cbf94cf6a..8096b84e9 100644 --- a/docs/api.md +++ b/docs/api.md @@ -158,6 +158,10 @@ The REST api provides three different forms of authentication. 3. Token authentication + You can create (or re-create) an API token by opening the "My Profile" + link in the user dropdown found in the web UI and clicking the circular + arrow button. + Paperless also offers an endpoint to acquire authentication tokens. POST a username and password as a form or json string to @@ -169,7 +173,7 @@ The REST api provides three different forms of authentication. Authorization: Token ``` - Tokens can be managed and revoked in the paperless admin. + Tokens can also be managed in the Django admin. ## Searching for documents diff --git a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html index cfeb24b3b..d76ace8ba 100644 --- a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html +++ b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.html @@ -27,6 +27,27 @@ +
+ +
+
+ + + +
+ Copied! +
+
Warning: changing the token cannot be undone
+
diff --git a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.scss b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.scss index bda986f82..62eb6b8cf 100644 --- a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.scss +++ b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.scss @@ -3,3 +3,7 @@ margin: 0 !important; // hack-ish, for animation } } + +.copied-badge { + right: 8em; +} diff --git a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.spec.ts b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.spec.ts index 92cf0dcb1..1d8d4b975 100644 --- a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.spec.ts +++ b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.spec.ts @@ -1,4 +1,9 @@ -import { ComponentFixture, TestBed } from '@angular/core/testing' +import { + ComponentFixture, + TestBed, + fakeAsync, + tick, +} from '@angular/core/testing' import { ProfileEditDialogComponent } from './profile-edit-dialog.component' import { ProfileService } from 'src/app/services/profile.service' @@ -6,9 +11,7 @@ import { FormsModule, ReactiveFormsModule } from '@angular/forms' import { NgbAccordionModule, NgbActiveModal, - NgbModal, NgbModalModule, - NgbModule, } from '@ng-bootstrap/ng-bootstrap' import { HttpClientModule } from '@angular/common/http' import { TextComponent } from '../input/text/text.component' @@ -16,12 +19,14 @@ import { PasswordComponent } from '../input/password/password.component' import { of, throwError } from 'rxjs' import { ToastService } from 'src/app/services/toast.service' import { By } from '@angular/platform-browser' +import { Clipboard } from '@angular/cdk/clipboard' const profile = { email: 'foo@bar.com', password: '*********', first_name: 'foo', last_name: 'bar', + auth_token: '123456789abcdef', } describe('ProfileEditDialogComponent', () => { @@ -29,6 +34,7 @@ describe('ProfileEditDialogComponent', () => { let fixture: ComponentFixture let profileService: ProfileService let toastService: ToastService + let clipboard: Clipboard beforeEach(() => { TestBed.configureTestingModule({ @@ -48,6 +54,7 @@ describe('ProfileEditDialogComponent', () => { }) profileService = TestBed.inject(ProfileService) toastService = TestBed.inject(ToastService) + clipboard = TestBed.inject(Clipboard) fixture = TestBed.createComponent(ProfileEditDialogComponent) component = fixture.componentInstance fixture.detectChanges() @@ -68,6 +75,7 @@ describe('ProfileEditDialogComponent', () => { password: profile.password, first_name: 'foo2', last_name: profile.last_name, + auth_token: profile.auth_token, } const updateSpy = jest.spyOn(profileService, 'update') const errorSpy = jest.spyOn(toastService, 'showError') @@ -151,4 +159,39 @@ describe('ProfileEditDialogComponent', () => { ) expect(component.saveDisabled).toBeFalsy() }) + + it('should support auth token copy', fakeAsync(() => { + const getSpy = jest.spyOn(profileService, 'get') + getSpy.mockReturnValue(of(profile)) + component.ngOnInit() + const copySpy = jest.spyOn(clipboard, 'copy') + component.copyAuthToken() + expect(copySpy).toHaveBeenCalledWith(profile.auth_token) + expect(component.copied).toBeTruthy() + tick(3000) + expect(component.copied).toBeFalsy() + })) + + it('should support generate token, display error if needed', () => { + const getSpy = jest.spyOn(profileService, 'get') + getSpy.mockReturnValue(of(profile)) + + const generateSpy = jest.spyOn(profileService, 'generateAuthToken') + const errorSpy = jest.spyOn(toastService, 'showError') + generateSpy.mockReturnValueOnce( + throwError(() => new Error('failed to generate')) + ) + component.generateAuthToken() + expect(errorSpy).toHaveBeenCalled() + + generateSpy.mockClear() + const newToken = '789101112hijk' + generateSpy.mockReturnValueOnce(of(newToken)) + component.generateAuthToken() + expect(generateSpy).toHaveBeenCalled() + expect(component.form.get('auth_token').value).not.toEqual( + profile.auth_token + ) + expect(component.form.get('auth_token').value).toEqual(newToken) + }) }) diff --git a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts index f75938b3f..d9e31b522 100644 --- a/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts +++ b/src-ui/src/app/components/common/profile-edit-dialog/profile-edit-dialog.component.ts @@ -4,6 +4,7 @@ import { NgbActiveModal } from '@ng-bootstrap/ng-bootstrap' import { ProfileService } from 'src/app/services/profile.service' import { ToastService } from 'src/app/services/toast.service' import { Subject, takeUntil } from 'rxjs' +import { Clipboard } from '@angular/cdk/clipboard' @Component({ selector: 'pngx-profile-edit-dialog', @@ -22,6 +23,7 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { password_confirm: new FormControl({ value: null, disabled: true }), first_name: new FormControl(''), last_name: new FormControl(''), + auth_token: new FormControl(''), }) private currentPassword: string @@ -34,10 +36,13 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { private emailConfirm: string public showEmailConfirm: boolean = false + public copied: boolean = false + constructor( private profileService: ProfileService, public activeModal: NgbActiveModal, - private toastService: ToastService + private toastService: ToastService, + private clipboard: Clipboard ) {} ngOnInit(): void { @@ -70,17 +75,17 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { return this.error?.password_confirm || this.error?.email_confirm } - onEmailKeyUp(event: KeyboardEvent) { + onEmailKeyUp(event: KeyboardEvent): void { this.newEmail = (event.target as HTMLInputElement)?.value this.onEmailChange() } - onEmailConfirmKeyUp(event: KeyboardEvent) { + onEmailConfirmKeyUp(event: KeyboardEvent): void { this.emailConfirm = (event.target as HTMLInputElement)?.value this.onEmailChange() } - onEmailChange() { + onEmailChange(): void { this.showEmailConfirm = this.currentEmail !== this.newEmail if (this.showEmailConfirm) { this.form.get('email_confirm').enable() @@ -96,19 +101,18 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { } } - onPasswordKeyUp(event: KeyboardEvent) { + onPasswordKeyUp(event: KeyboardEvent): void { this.newPassword = (event.target as HTMLInputElement)?.value this.onPasswordChange() } - onPasswordConfirmKeyUp(event: KeyboardEvent) { + onPasswordConfirmKeyUp(event: KeyboardEvent): void { this.passwordConfirm = (event.target as HTMLInputElement)?.value this.onPasswordChange() } - onPasswordChange() { + onPasswordChange(): void { this.showPasswordConfirm = this.currentPassword !== this.newPassword - console.log(this.currentPassword, this.newPassword, this.passwordConfirm) if (this.showPasswordConfirm) { this.form.get('password_confirm').enable() @@ -124,7 +128,7 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { } } - save() { + save(): void { const profile = Object.assign({}, this.form.value) this.networkActive = true this.profileService @@ -142,7 +146,30 @@ export class ProfileEditDialogComponent implements OnInit, OnDestroy { }) } - cancel() { + cancel(): void { this.activeModal.close() } + + generateAuthToken(): void { + this.profileService.generateAuthToken().subscribe({ + next: (token: string) => { + console.log(token) + this.form.patchValue({ auth_token: token }) + }, + error: (error) => { + this.toastService.showError( + $localize`Error generating auth token`, + error + ) + }, + }) + } + + copyAuthToken(): void { + this.clipboard.copy(this.form.get('auth_token').value) + this.copied = true + setTimeout(() => { + this.copied = false + }, 3000) + } } diff --git a/src-ui/src/app/data/user-profile.ts b/src-ui/src/app/data/user-profile.ts index fe9004526..94012925a 100644 --- a/src-ui/src/app/data/user-profile.ts +++ b/src-ui/src/app/data/user-profile.ts @@ -3,4 +3,5 @@ export interface PaperlessUserProfile { password?: string first_name?: string last_name?: string + auth_token?: string } diff --git a/src-ui/src/app/services/profile.service.spec.ts b/src-ui/src/app/services/profile.service.spec.ts index 8e637bb12..f19a1312e 100644 --- a/src-ui/src/app/services/profile.service.spec.ts +++ b/src-ui/src/app/services/profile.service.spec.ts @@ -43,4 +43,12 @@ describe('ProfileService', () => { email: 'foo@bar.com', }) }) + + it('supports generating new auth token', () => { + service.generateAuthToken().subscribe() + const req = httpTestingController.expectOne( + `${environment.apiBaseUrl}profile/generate_auth_token/` + ) + expect(req.request.method).toEqual('POST') + }) }) diff --git a/src-ui/src/app/services/profile.service.ts b/src-ui/src/app/services/profile.service.ts index d52f4c7be..de5aeb7a4 100644 --- a/src-ui/src/app/services/profile.service.ts +++ b/src-ui/src/app/services/profile.service.ts @@ -24,4 +24,11 @@ export class ProfileService { profile ) } + + generateAuthToken(): Observable { + return this.http.post( + `${environment.apiBaseUrl}${this.endpoint}/generate_auth_token/`, + {} + ) + } } diff --git a/src/documents/tests/test_api.py b/src/documents/tests/test_api.py index 71bfdc5ff..166c8dc5b 100644 --- a/src/documents/tests/test_api.py +++ b/src/documents/tests/test_api.py @@ -27,6 +27,7 @@ from guardian.shortcuts import assign_perm from guardian.shortcuts import get_perms from guardian.shortcuts import get_users_with_perms from rest_framework import status +from rest_framework.authtoken.models import Token from rest_framework.test import APITestCase from whoosh.writing import AsyncWriter @@ -5823,7 +5824,6 @@ class TestApiProfile(DirectoriesMixin, APITestCase): self.assertEqual(response.status_code, status.HTTP_200_OK) self.assertEqual(response.data["email"], self.user.email) - self.assertEqual(response.data["password"], "**********") self.assertEqual(response.data["first_name"], self.user.first_name) self.assertEqual(response.data["last_name"], self.user.last_name) @@ -5852,3 +5852,26 @@ class TestApiProfile(DirectoriesMixin, APITestCase): self.assertEqual(user.email, user_data["email"]) self.assertEqual(user.first_name, user_data["first_name"]) self.assertEqual(user.last_name, user_data["last_name"]) + + def test_update_auth_token(self): + """ + GIVEN: + - Configured user + WHEN: + - API call is made to generate auth token + THEN: + - Token is created the first time, updated the second + """ + + self.assertEqual(len(Token.objects.all()), 0) + + response = self.client.post(f"{self.ENDPOINT}generate_auth_token/") + self.assertEqual(response.status_code, status.HTTP_200_OK) + token1 = Token.objects.filter(user=self.user).first() + self.assertIsNotNone(token1) + + response = self.client.post(f"{self.ENDPOINT}generate_auth_token/") + self.assertEqual(response.status_code, status.HTTP_200_OK) + token2 = Token.objects.filter(user=self.user).first() + + self.assertNotEqual(token1.key, token2.key) diff --git a/src/paperless/serialisers.py b/src/paperless/serialisers.py index 572722e13..36ba0171e 100644 --- a/src/paperless/serialisers.py +++ b/src/paperless/serialisers.py @@ -101,7 +101,8 @@ class GroupSerializer(serializers.ModelSerializer): class ProfileSerializer(serializers.ModelSerializer): email = serializers.EmailField(allow_null=False) - password = ObfuscatedUserPasswordField(required=False) + password = ObfuscatedUserPasswordField(required=False, allow_null=False) + auth_token = serializers.SlugRelatedField(read_only=True, slug_field="key") class Meta: model = User @@ -110,4 +111,5 @@ class ProfileSerializer(serializers.ModelSerializer): "password", "first_name", "last_name", + "auth_token", ) diff --git a/src/paperless/urls.py b/src/paperless/urls.py index 4371bc983..67fddbee0 100644 --- a/src/paperless/urls.py +++ b/src/paperless/urls.py @@ -35,6 +35,7 @@ from documents.views import UiSettingsView from documents.views import UnifiedSearchViewSet from paperless.consumers import StatusConsumer from paperless.views import FaviconView +from paperless.views import GenerateAuthTokenView from paperless.views import GroupViewSet from paperless.views import ProfileView from paperless.views import UserViewSet @@ -120,6 +121,7 @@ urlpatterns = [ BulkEditObjectPermissionsView.as_view(), name="bulk_edit_object_permissions", ), + path("profile/generate_auth_token/", GenerateAuthTokenView.as_view()), re_path( "^profile/", ProfileView.as_view(), diff --git a/src/paperless/views.py b/src/paperless/views.py index aac8dfac2..aab2eb570 100644 --- a/src/paperless/views.py +++ b/src/paperless/views.py @@ -7,6 +7,7 @@ from django.db.models.functions import Lower from django.http import HttpResponse from django.views.generic import View from django_filters.rest_framework import DjangoFilterBackend +from rest_framework.authtoken.models import Token from rest_framework.filters import OrderingFilter from rest_framework.generics import GenericAPIView from rest_framework.pagination import PageNumberPagination @@ -111,20 +112,17 @@ class GroupViewSet(ModelViewSet): class ProfileView(GenericAPIView): + """ + User profile view, only available when logged in + """ + permission_classes = [IsAuthenticated] serializer_class = ProfileSerializer def get(self, request, *args, **kwargs): user = self.request.user if hasattr(self.request, "user") else None - - return Response( - { - "email": user.email, - "password": "**********", - "first_name": user.first_name, - "last_name": user.last_name, - }, - ) + serializer = self.get_serializer(data=request.data) + return Response(serializer.to_representation(user)) def patch(self, request, *args, **kwargs): serializer = self.get_serializer(data=request.data) @@ -139,11 +137,25 @@ class ProfileView(GenericAPIView): for key, value in serializer.validated_data.items(): setattr(user, key, value) user.save() + + return Response(serializer.to_representation(user)) + + +class GenerateAuthTokenView(GenericAPIView): + """ + Generates (or re-generates) an auth token, requires a logged in user + unlike the default DRF endpoint + """ + + permission_classes = [IsAuthenticated] + + def post(self, request, *args, **kwargs): + user = self.request.user if hasattr(self.request, "user") else None + + existing_token = Token.objects.filter(user=user).first() + if existing_token is not None: + existing_token.delete() + token = Token.objects.create(user=user) return Response( - { - "email": user.email, - "password": "**********", - "first_name": user.first_name, - "last_name": user.last_name, - }, + token.key, )