f01bc20d44
* api: allow API requests as managed outpost's account when using secret_key Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * root: load secret key from env Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outposts: make listener IP configurable Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost/proxy: run outpost in background and pass requests conditionally Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * outpost: unify branding to embedded Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web/admin: fix embedded outpost not being editable Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * web: fix mismatched host detection Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * tests/e2e: fix LDAP test not including user for embedded outpost Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * tests/e2e: fix user matching Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * api: add tests for secret_key auth Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * root: load environment variables using github.com/Netflix/go-env Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
36 lines
1.1 KiB
Python
"""Channels base classes"""
from channels.exceptions import DenyConnection
from channels.generic.websocket import JsonWebsocketConsumer
from rest_framework.exceptions import AuthenticationFailed
from structlog.stdlib import get_logger
from authentik.api.authentication import bearer_auth
from authentik.core.models import User
# Module-level structlog logger; the consumer uses it to record rejected handshakes.
LOGGER = get_logger()
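class AuthJsonConsumer(JsonWebsocketConsumer):
    """Authorize a client with a token.

    The bearer token is read from the ``Authorization`` header of the
    WebSocket handshake and resolved to a user through ``bearer_auth``.
    Every failure path raises ``DenyConnection``, so ``self.user`` is only
    assigned for a handshake that authenticated successfully.
    """

    # Assigned by connect() once the handshake has been authenticated.
    user: User

    def connect(self):
        """Authenticate the handshake and store the resulting user.

        This method does not call ``self.accept()`` itself.
        NOTE(review): presumably subclasses accept only after calling
        ``super().connect()``; accepting first would skip this check, so
        confirm against the subclasses.

        Raises:
            DenyConnection: if the authorization header is missing, if
                ``bearer_auth`` raises ``AuthenticationFailed``, or if it
                returns no user.
        """
        # scope["headers"] holds (name, value) byte pairs with lower-cased
        # names; dict() keeps the last value when a name is repeated.
        headers = dict(self.scope["headers"])
        raw_header = headers.get(b"authorization")
        if raw_header is None:
            LOGGER.warning("WS Request without authorization header")
            raise DenyConnection()

        try:
            user = bearer_auth(raw_header)
        except AuthenticationFailed as exc:
            LOGGER.warning("Failed to authenticate", exc=exc)
            # Chain the cause so the original failure stays in the traceback.
            raise DenyConnection() from exc

        # user is only None when no header was given, in which case we deny too.
        # Log the denial so every rejected handshake leaves a trace; the raw
        # header is deliberately not logged because it carries the credential.
        if not user:
            LOGGER.warning("WS Request did not resolve to a user")
            raise DenyConnection()

        self.user = user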