auth providers
@@ -86,8 +86,14 @@ PROXY_FIX_X_HOST = _env_int("PYTORRENT_PROXY_FIX_X_HOST", 1, 0)
|
||||
PROXY_FIX_X_PORT = _env_int("PYTORRENT_PROXY_FIX_X_PORT", 1, 0)
|
||||
PROXY_FIX_X_PREFIX = _env_int("PYTORRENT_PROXY_FIX_X_PREFIX", 1, 0)
|
||||
|
||||
def _env_csv(name: str) -> list[str]:
|
||||
return [item.strip().rstrip("/") for item in os.getenv(name, "").split(",") if item.strip()]
|
||||
|
||||
_SOCKETIO_CORS = os.getenv("PYTORRENT_SOCKETIO_CORS_ALLOWED_ORIGINS", "").strip()
|
||||
SOCKETIO_CORS_ALLOWED_ORIGINS = None if not _SOCKETIO_CORS else [item.strip() for item in _SOCKETIO_CORS.split(",") if item.strip()]
|
||||
# Note: API origin checks are separate from Socket.IO CORS. When unset, reuse the Socket.IO allowlist for operator-friendly reverse proxy setups.
|
||||
_API_ALLOWED_ORIGINS = _env_csv("PYTORRENT_API_ALLOWED_ORIGINS")
|
||||
API_ALLOWED_ORIGINS = _API_ALLOWED_ORIGINS or _env_csv("PYTORRENT_SOCKETIO_CORS_ALLOWED_ORIGINS")
|
||||
|
||||
TRAFFIC_HISTORY_RETENTION_DAYS = _env_int("PYTORRENT_TRAFFIC_HISTORY_RETENTION_DAYS", 90, 1)
|
||||
JOBS_RETENTION_DAYS = _env_int("PYTORRENT_JOBS_RETENTION_DAYS", 30, 1)
|
||||
|
||||
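Review bot: The allowlist produced at `API_ALLOWED_ORIGINS = _API_ALLOWED_ORIGINS or _env_csv("PYTORRENT_SOCKETIO_CORS_ALLOWED_ORIGINS")` keeps each entry as the operator typed it (case, any path after the host, an explicit default port), while the consumer in the `same_origin_request` hunk first reduces the request's Origin/Referer to a lower-cased `scheme://netloc` via `_origin_key` and then tests membership, so an entry like `https://Example.com` or `https://example.com/app` never matches and the cross-origin request is silently rejected. The fallback also inherits whatever the Socket.IO setting holds, which presumably may be a wildcard that means "any origin" there but is an inert non-matching string here; that asymmetry is fail-closed but surprising. Either normalize on the consuming side, `return source_origin in {_origin_key(item) for item in API_ALLOWED_ORIGINS}`, or, if normalization stays out of config, extend the note at `# Note: API origin checks are separate from Socket.IO CORS.` with `Entries are matched exactly as lower-case scheme://host[:port]; wildcards and paths are not honoured.`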
@@ -16,6 +16,7 @@ from ..config import (
|
||||
AUTH_PROXY_AUTO_CREATE_PERMISSION,
|
||||
AUTH_PROXY_AUTO_CREATE_ROLE,
|
||||
AUTH_PROXY_USER_HEADER,
|
||||
API_ALLOWED_ORIGINS,
|
||||
)
|
||||
from ..db import connect, default_user_id, utcnow
|
||||
|
||||
@@ -171,14 +172,29 @@ def visible_profile_ids(user_id: int | None = None) -> set[int] | None:
|
||||
|
||||
|
||||
|
||||
def _origin_key(value: str) -> str:
|
||||
parsed = urlparse(str(value or "").strip())
|
||||
if not parsed.scheme or not parsed.netloc:
|
||||
return ""
|
||||
return f"{parsed.scheme.lower()}://{parsed.netloc.lower()}"
|
||||
|
||||
|
||||
def _request_origin() -> str:
|
||||
return _origin_key(f"{request.scheme}://{request.host}")
|
||||
|
||||
|
||||
def same_origin_request() -> bool:
|
||||
"""Return False only when an unsafe request clearly comes from another origin."""
|
||||
"""Return False only when an unsafe API request clearly comes from an untrusted origin."""
|
||||
origin = request.headers.get("Origin") or request.headers.get("Referer")
|
||||
if not origin:
|
||||
return True
|
||||
try:
|
||||
parsed = urlparse(origin)
|
||||
return parsed.scheme == request.scheme and parsed.netloc == request.host
|
||||
source_origin = _origin_key(origin)
|
||||
if not source_origin:
|
||||
return False
|
||||
if source_origin == _request_origin():
|
||||
return True
|
||||
return source_origin in set(API_ALLOWED_ORIGINS)
|
||||
except Exception:
|
||||
return False
|
||||
|
||||
|
||||
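Review bot: The replacement docstring `"""Return False only when an unsafe API request clearly comes from an untrusted origin."""` leaves two security-relevant decisions of the body undocumented: a request carrying neither `Origin` nor `Referer` is accepted (`if not origin: return True`), so this is a CSRF origin check and not an authentication boundary, and same-origin is decided from `request.scheme`/`request.host`, which under the `PROXY_FIX_*` settings in the config hunk presumably derive from forwarded headers and are therefore only as trustworthy as the proxy in front of the app. I would extend the docstring with `Requests without Origin/Referer pass; a cross-origin request passes only if its scheme://host[:port] is listed in API_ALLOWED_ORIGINS; the request's own origin comes from request.scheme/host, i.e. from forwarded headers when ProxyFix is active.` Separately, `return source_origin in set(API_ALLOWED_ORIGINS)` rebuilds the set on every request although the list is a module constant; a module-level `_API_ALLOWED_ORIGIN_SET = frozenset(API_ALLOWED_ORIGINS)` used here avoids that and makes the exact-match semantics visible at the definition.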