From a6aae4a75420e185fe4e060c75a52bc599ded780 Mon Sep 17 00:00:00 2001
From: Mike VanDenburgh
Date: Mon, 31 Jul 2023 14:37:40 -0400
Subject: [PATCH 1/2] Restrict allauth endpoints based on new setting

Currently, we use allauth's regular "account" provider for user management in dev, and its github "socialaccount" provider for prod. However, we expose endpoints for both auth flows in prod and dev. This commit adds a new setting `ENABLE_GITHUB_OAUTH`. If enabled, only the github socialaccount provider endpoints are exposed. If disabled, only the "account" provider endpoints are exposed.
---
 dandiapi/settings.py | 5 +++++
 dandiapi/urls.py | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/dandiapi/settings.py b/dandiapi/settings.py
index cca029390..9b80eaa90 100644
--- a/dandiapi/settings.py
+++ b/dandiapi/settings.py
@@ -129,6 +129,9 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
 # Automatically approve new users by default
 AUTO_APPROVE_USERS = True
+ # Disable github oauth by default
+ ENABLE_GITHUB_OAUTH = False
+
 class DevelopmentConfiguration(DandiMixin, DevelopmentBaseConfiguration):
 # This makes pydantic model schema allow URLs with localhost in them.
@@ -174,6 +177,8 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
 # We're configuring sentry by hand since we need to pass custom options (traces_sampler).
 configuration.INSTALLED_APPS.remove('composed_configuration.sentry.apps.SentryConfig')
+ ENABLE_GITHUB_OAUTH = True
+
 # All login attempts in production should go straight to GitHub
 LOGIN_URL = '/accounts/github/login/'
diff --git a/dandiapi/urls.py b/dandiapi/urls.py
index fa3670e24..18b4e4b6e 100644
--- a/dandiapi/urls.py
+++ b/dandiapi/urls.py
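Review bot: The comment above the new `ENABLE_GITHUB_OAUTH = False` line in the first settings.py hunk only states the default, not what the flag decides; since the urls.py hunk of this patch mounts either the GitHub provider URLs or `allauth.account.urls` on it and never both, the comment should say so. Suggest `# Selects the login flow: True mounts only the GitHub socialaccount endpoints under /accounts/, False mounts only allauth's username/password "account" endpoints (never both)`. As written it is a plain class attribute rather than a `values` setting, so it appears to be fixed per configuration class and not readable from the environment; one sentence saying that would stop someone from trying to toggle it via env vars. The enclosing DandiMixin class starts outside the hunk.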
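Review bot: In the second settings.py hunk it cannot be told from this page whether `ENABLE_GITHUB_OAUTH = True` sits at class scope of ProductionConfiguration or inside the body of `mutate_configuration`, because the indentation was lost, and the difference is not cosmetic: inside the method it is a dead local, the mixin default of False stays in effect, and production would mount the username/password endpoints instead of the GitHub ones. The second patch reads the flag as `configuration.ENABLE_GITHUB_OAUTH`, so it has to be a class attribute, indented like the neighbouring `LOGIN_URL = '/accounts/github/login/'`; please confirm. The enclosing class continues outside the hunk.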
@@ -100,7 +100,6 @@ def to_url(self, value):
 ),
 path('api/search/genotypes/', search_genotypes),
 path('api/search/species/', search_species),
- path('accounts/', include('allauth.urls')),
 path('admin/', admin.site.urls),
 path('dashboard/', DashboardView.as_view(), name='dashboard-index'),
 path('dashboard/user//', user_approval_view, name='user-approval'),
@@ -112,6 +111,13 @@ def to_url(self, value):
 path('redoc/', schema_view.with_ui('redoc', cache_timeout=0), name='schema-redoc'),
 ]
+if settings.ENABLE_GITHUB_OAUTH:
+ # Include github oauth endpoints only
+ urlpatterns += [path('accounts/', include('allauth.socialaccount.providers.github.urls'))]
+else:
+ # Include "account" endpoints only (i.e. endpoints needed for username/password login flow)
+ urlpatterns += [path('accounts/', include('allauth.account.urls'))]
+
 if settings.DEBUG:
 import debug_toolbar

From e5fb801023e83b356303910b3fa10b9fff96a47c Mon Sep 17 00:00:00 2001
From: Mike VanDenburgh
Date: Mon, 31 Jul 2023 14:49:51 -0400
Subject: [PATCH 2/2] Install github allauth app conditionally

This app only needs to be installed if github oauth is enabled.
---
 dandiapi/settings.py | 13 ++++++++-----
 dandiapi/urls.py | 8 ++++++--
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/dandiapi/settings.py b/dandiapi/settings.py
index 9b80eaa90..d0b57860e 100644
--- a/dandiapi/settings.py
+++ b/dandiapi/settings.py
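Review bot: Mounting only `allauth.socialaccount.providers.github.urls` in the `if settings.ENABLE_GITHUB_OAUTH:` branch drops every URL name that the removed `include('allauth.urls')` used to register from `allauth.socialaccount.urls` and `allauth.account.urls` (for example `socialaccount_signup`, `socialaccount_login_cancelled`, `account_logout`); as far as I can tell, allauth's social-login views and any project template that reverse one of those names would then fail with NoReverseMatch at request time rather than at startup. If the goal is only to hide the password-based endpoints, mounting `allauth.socialaccount.urls` next to the provider URLs keeps the social flow's own names resolvable, and a test that exercises the GitHub callback's error path with the flag on would pin this down. The same two `include()` calls are reshaped in the second patch's urls.py hunk, so the point carries over there.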
@@ -39,11 +39,14 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
 'dandiapi.zarr.apps.ZarrConfig',
 ] + configuration.INSTALLED_APPS
- # Install additional apps
- configuration.INSTALLED_APPS += [
- 'guardian',
- 'allauth.socialaccount.providers.github',
- ]
+ # Install guardian
+ configuration.INSTALLED_APPS += ['guardian']
+
+ # Install github provider only if github oauth is enabled
+ if configuration.ENABLE_GITHUB_OAUTH:
+ configuration.INSTALLED_APPS += [
+ 'allauth.socialaccount.providers.github',
+ ]
 # Authentication
 configuration.AUTHENTICATION_BACKENDS += ['guardian.backends.ObjectPermissionBackend']
diff --git a/dandiapi/urls.py b/dandiapi/urls.py
index 18b4e4b6e..993a3f3fb 100644
--- a/dandiapi/urls.py
+++ b/dandiapi/urls.py
@@ -113,10 +113,14 @@ def to_url(self, value):
 if settings.ENABLE_GITHUB_OAUTH:
 # Include github oauth endpoints only
- urlpatterns += [path('accounts/', include('allauth.socialaccount.providers.github.urls'))]
+ urlpatterns.append(
+ path('accounts/', include('allauth.socialaccount.providers.github.urls')),
+ )
 else:
 # Include "account" endpoints only (i.e. endpoints needed for username/password login flow)
- urlpatterns += [path('accounts/', include('allauth.account.urls'))]
+ urlpatterns.append(
+ path('accounts/', include('allauth.account.urls')),
+ )
 if settings.DEBUG:
 import debug_toolbar
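Review bot: The guard `if configuration.ENABLE_GITHUB_OAUTH:` in `mutate_configuration` now has a twin in dandiapi/urls.py that mounts the provider's URLs on the same flag, and nothing ties the two together; if they drift, the provider is either installed but unreachable or its URLs are mounted for an app that is not in INSTALLED_APPS. Suggest extending the comment to `# Install github provider only if github oauth is enabled; keep in sync with the ENABLE_GITHUB_OAUTH branch in dandiapi/urls.py`. Because the guard reads the flag as an attribute of the final configuration class, an override that is not a class attribute is ignored silently, so a startup check that the GitHub app is installed exactly when the flag is set would make that failure loud. `mutate_configuration` starts outside the hunk.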