bypass profile select

2026-05-25 10:22:14 +02:00
parent 2e2d747fa2
commit 109811c024
4 changed files with 34 additions and 4 deletions
--- a/pytorrent/config.py
+++ b/pytorrent/config.py
@@ -96,6 +96,8 @@ _API_ALLOWED_ORIGINS = _env_csv("PYTORRENT_API_ALLOWED_ORIGINS")
 API_ALLOWED_ORIGINS = _API_ALLOWED_ORIGINS or _env_csv("PYTORRENT_SOCKETIO_CORS_ALLOWED_ORIGINS")
 # Note: Optional auth bypass for trusted direct-IP/local access. Values can be hosts or host:port pairs.
 AUTH_BYPASS_HOSTS = {item.lower() for item in _env_csv("PYTORRENT_AUTH_BYPASS_HOSTS")}
+# Note: Trusted auth-bypass requests act as this existing active user.
+AUTH_BYPASS_USER = os.getenv("PYTORRENT_AUTH_BYPASS_USER", "admin").strip() or "admin"

 TRAFFIC_HISTORY_RETENTION_DAYS = _env_int("PYTORRENT_TRAFFIC_HISTORY_RETENTION_DAYS", 90, 1)
 JOBS_RETENTION_DAYS = _env_int("PYTORRENT_JOBS_RETENTION_DAYS", 30, 1)
--- a/pytorrent/services/auth.py
+++ b/pytorrent/services/auth.py
@@ -18,6 +18,7 @@ from ..config import (
    AUTH_PROXY_USER_HEADER,
    API_ALLOWED_ORIGINS,
    AUTH_BYPASS_HOSTS,
+    AUTH_BYPASS_USER,
 )
 from ..db import connect, default_user_id, utcnow

@@ -82,9 +83,26 @@ def auth_bypassed_request() -> bool:
    return _host_matches_bypass(request.host)


+
+def bypass_user_id() -> int:
+    """Return the configured active user id used for trusted auth-bypass requests."""
+    username = str(AUTH_BYPASS_USER or "admin").strip() or "admin"
+    with connect() as conn:
+        row = conn.execute("SELECT id FROM users WHERE username=? AND is_active=1", (username,)).fetchone()
+        if row:
+            return int(row["id"])
+        # Note: Keep direct-IP access usable after old installs, but never choose an inactive fallback.
+        row = conn.execute("SELECT id FROM users WHERE username='admin' AND is_active=1").fetchone()
+        if row:
+            return int(row["id"])
+        row = conn.execute("SELECT id FROM users WHERE id=? AND is_active=1", (default_user_id(),)).fetchone()
+        return int(row["id"]) if row else 0
+
 def current_user_id() -> int:
-    if not enabled() or auth_bypassed_request():
+    if not enabled():
        return default_user_id()
+    if auth_bypassed_request():
+        return bypass_user_id()
    api_user_id = getattr(g, "api_user_id", None)
    if api_user_id:
        return int(api_user_id)
@@ -385,8 +403,10 @@ def authenticate_external_user() -> dict[str, Any] | None:
 def ensure_request_user() -> int:
    # Note: Socket.IO events do not go through Flask before_request like normal REST calls,
    # so external proxy auth must be resolved explicitly during the Socket.IO handshake/events.
-    if not enabled() or auth_bypassed_request():
+    if not enabled():
        return default_user_id()
+    if auth_bypassed_request():
+        return bypass_user_id()
    uid = current_user_id()
    if uid:
        return uid