From faa8a699d393233542c31dff0dc110a38ad26560 Mon Sep 17 00:00:00 2001
From: Julian Rother <julian@cccv.de>
Date: Tue, 1 Feb 2022 23:01:14 +0100
Subject: [PATCH] Remove deprecated API_CLIENTS option and Bearer API
 authentication

See 917f9ec
---
 tests/test_api.py       | 24 ------------------------
 uffd/api/views.py       | 14 +-------------
 uffd/default_config.cfg |  5 -----
 3 files changed, 1 insertion(+), 42 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index e9549e32..a77e302d 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -10,10 +10,6 @@ def basic_auth(username, password):
 
 class TestAPIAuth(UffdTestCase):
 	def setUpApp(self):
-		self.app.config['API_CLIENTS'] = {
-			'testtoken1': {'scopes': ['testscope']},
-			'testtoken2': {},
-		}
 		self.app.config['API_CLIENTS_2'] = {
 			'test1': {'client_secret': 'testsecret1', 'scopes': ['getusers', 'testscope']},
 			'test2': {'client_secret': 'testsecret2'},
@@ -56,26 +52,6 @@ class TestAPIAuth(UffdTestCase):
 		r = self.client.get(path=url_for('testendpoint3'), headers=[basic_auth('test2', 'testsecret2')], follow_redirects=True)
 		self.assertEqual(r.status_code, 403)
 
-	def test_bearer(self):
-		r = self.client.get(path=url_for('testendpoint1'), headers=[('Authorization', 'Bearer testtoken1')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.get(path=url_for('testendpoint2'), headers=[('Authorization', 'Bearer testtoken1')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.get(path=url_for('testendpoint3'), headers=[('Authorization', 'Bearer testtoken1')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.get(path=url_for('testendpoint1'), headers=[('Authorization', 'Bearer testtoken2')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.get(path=url_for('testendpoint2'), headers=[('Authorization', 'Bearer testtoken2')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-
-	def test_bearer_invalid_credentials(self):
-		r = self.client.get(path=url_for('testendpoint1'), headers=[('Authorization', 'Bearer testtoken-none')], follow_redirects=True)
-		self.assertEqual(r.status_code, 401)
-
-	def test_bearer_missing_scope(self):
-		r = self.client.get(path=url_for('testendpoint3'), headers=[('Authorization', 'Bearer testtoken2')], follow_redirects=True)
-		self.assertEqual(r.status_code, 401)
-
 	def test_no_auth(self):
 		r = self.client.get(path=url_for('testendpoint1'), follow_redirects=True)
 		self.assertEqual(r.status_code, 401)
diff --git a/uffd/api/views.py b/uffd/api/views.py
index 9b6dba63..cf793deb 100644
--- a/uffd/api/views.py
+++ b/uffd/api/views.py
@@ -22,20 +22,8 @@ def apikey_required(scope=None):
 					return 'Unauthorized', 401, {'WWW-Authenticate': ['Basic realm="api"']}
 				if scope is not None and scope not in client.get('scopes', []):
 					return 'Forbidden', 403
-			# To be removed in uffd v2
-			elif 'Authorization' in request.headers and request.headers['Authorization'].startswith('Bearer '):
-				token = request.headers['Authorization'][7:].strip()
-				client = None
-				for client_token, data in current_app.config['API_CLIENTS'].items():
-					if secrets.compare_digest(client_token, token):
-						client = data
-				if client is None:
-					return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="invalid_token"'}
-				client_scopes = ['getusers'] + client.get('scopes', [])
-				if scope is not None and scope not in client_scopes:
-					return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="insufficient_scope",scope="%s"'%scope}
 			else:
-				return 'Unauthorized', 401, {'WWW-Authenticate': ['Bearer', 'Basic realm="api"']}
+				return 'Unauthorized', 401, {'WWW-Authenticate': ['Basic realm="api"']}
 			return func(*args, **kwargs)
 		return decorator
 	return wrapper
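Review bot: The removed Bearer branch was the visible caller of `secrets.compare_digest` in this decorator, so unless the Basic-auth secret check above the hunk (in the part of apikey_required outside this view) also uses it, the `secrets` import at the top of views.py is now dead and should be dropped in the same commit. If that Basic check compares `client_secret` with `==` rather than `secrets.compare_digest`, this is also the moment to switch it, since after this change it is the only credential comparison left on the API path. The new 401 response keeps the header value as a one-element list, matching the existing Basic challenge on the first line of the hunk, which is consistent. A short comment on the new `else` branch, `# Only HTTP Basic with API_CLIENTS_2 credentials is accepted; Bearer tokens were removed with API_CLIENTS`, would spare the next reader a trip to the commit history. apikey_required begins before this hunk.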
diff --git a/uffd/default_config.cfg b/uffd/default_config.cfg
index 22018830..f869cc67 100644
--- a/uffd/default_config.cfg
+++ b/uffd/default_config.cfg
@@ -60,11 +60,6 @@ OAUTH2_CLIENTS={
 	# Set 'login_message' (or suffixed with a language code like 'login_message_de') to display a custom message on the login form.
 }
 
-# Deprecated, will be removed in uffd v2
-API_CLIENTS={
-	#'token': {'scopes': ['checkpassword']}
-}
-
 API_CLIENTS_2={
 	#'test_client_id' : {'client_secret': 'random_secret', 'scopes': ['users', 'checkpassword']},
 	# Scopes:
-- 
GitLab