chore: disable API Basic Auth for security

tjcsl · Oct 4, 2024 · 96442bb · 96442bb
1 parent 5333e2e
commit 96442bb
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/intranet/apps/api/tests.py b/intranet/apps/api/tests.py
@@ -2,6 +2,7 @@
 import json
 import urllib.parse
 
+from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.urls import reverse
 from django.utils import timezone
@@ -189,17 +190,21 @@ def test_oauth_client_credentials_read_anonymous(self):
         self.assertEqual(response.status_code, 403)
 
     def test_no_credentials_read(self):
+        if "intranet.apps.api.authentication.ApiBasicAuthentication" in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]:
+            status_code = 401
+        else:
+            status_code = 403
         # Announcements should only be available to logged in users
         response = self.client.get(reverse("api_announcements_list_create"))
-        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.status_code, status_code)
 
         # Activity list should only be available to logged in users
         response = self.client.get(reverse("api_eighth_activity_list"))
-        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.status_code, status_code)
 
         # Block list should only be available to logged in users
         response = self.client.get(reverse("api_eighth_block_list"))
-        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.status_code, status_code)
 
     def test_api_root(self):
         # Should be able to read API root without authentication

diff --git a/intranet/settings/__init__.py b/intranet/settings/__init__.py
@@ -397,8 +397,8 @@
     PIPELINE["STYLESHEETS"].update(helpers.single_css_map(name))
 
 AUTHENTICATION_BACKENDS = [
-    "intranet.apps.auth.backends.PamAuthenticationBackend",
     "intranet.apps.auth.backends.MasterPasswordAuthenticationBackend",
+    "intranet.apps.auth.backends.PamAuthenticationBackend",
     "oauth2_provider.backends.OAuth2Backend",
     "django.contrib.auth.backends.ModelBackend",
 ]
@@ -600,7 +600,7 @@ def get_month_seconds():
     "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination",
     "PAGE_SIZE": 50,
     "DEFAULT_AUTHENTICATION_CLASSES": (
-        "intranet.apps.api.authentication.ApiBasicAuthentication",
+        # "intranet.apps.api.authentication.ApiBasicAuthentication",  # Disabled for security
         "intranet.apps.api.authentication.CsrfExemptSessionAuthentication",  # exempts CSRF checking on API
         "oauth2_provider.contrib.rest_framework.OAuth2Authentication",
     ),