From 96442bb7cf0eae1be40d9b2aed62a1663c900307 Mon Sep 17 00:00:00 2001
From: Alan Zhu <2025azhu@tjhsst.edu>
Date: Tue, 17 Sep 2024 11:36:59 -0400
Subject: [PATCH] chore: disable API Basic Auth for security

---
 intranet/apps/api/tests.py    | 11 ++++++++---
 intranet/settings/__init__.py |  4 ++--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/intranet/apps/api/tests.py b/intranet/apps/api/tests.py
index 0b20474992f..82a9c887fd3 100644
--- a/intranet/apps/api/tests.py
+++ b/intranet/apps/api/tests.py
@@ -2,6 +2,7 @@
 import json
 import urllib.parse
 
+from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.urls import reverse
 from django.utils import timezone
@@ -189,17 +190,21 @@ def test_oauth_client_credentials_read_anonymous(self):
         self.assertEqual(response.status_code, 403)
 
     def test_no_credentials_read(self):
+        if "intranet.apps.api.authentication.ApiBasicAuthentication" in settings.REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]:
+            status_code = 401
+        else:
+            status_code = 403
         # Announcements should only be available to logged in users
         response = self.client.get(reverse("api_announcements_list_create"))
-        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.status_code, status_code)
 
         # Activity list should only be available to logged in users
         response = self.client.get(reverse("api_eighth_activity_list"))
-        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.status_code, status_code)
 
         # Block list should only be available to logged in users
         response = self.client.get(reverse("api_eighth_block_list"))
-        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.status_code, status_code)
 
     def test_api_root(self):
         # Should be able to read API root without authentication
diff --git a/intranet/settings/__init__.py b/intranet/settings/__init__.py
index 3dd7ee6d7c3..1dafbb41c3f 100644
--- a/intranet/settings/__init__.py
+++ b/intranet/settings/__init__.py
@@ -397,8 +397,8 @@
     PIPELINE["STYLESHEETS"].update(helpers.single_css_map(name))
 
 AUTHENTICATION_BACKENDS = [
-    "intranet.apps.auth.backends.PamAuthenticationBackend",
     "intranet.apps.auth.backends.MasterPasswordAuthenticationBackend",
+    "intranet.apps.auth.backends.PamAuthenticationBackend",
     "oauth2_provider.backends.OAuth2Backend",
     "django.contrib.auth.backends.ModelBackend",
 ]
@@ -600,7 +600,7 @@ def get_month_seconds():
     "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination",
     "PAGE_SIZE": 50,
     "DEFAULT_AUTHENTICATION_CLASSES": (
-        "intranet.apps.api.authentication.ApiBasicAuthentication",
+        # "intranet.apps.api.authentication.ApiBasicAuthentication",  # Disabled for security
         "intranet.apps.api.authentication.CsrfExemptSessionAuthentication",  # exempts CSRF checking on API
         "oauth2_provider.contrib.rest_framework.OAuth2Authentication",
     ),