Remove deprecated API_CLIENTS option and Bearer API authentication

See 917f9ecd

Remove deprecated API_CLIENTS option and Bearer API authentication
faa8a699 · Julian · d6f63c8d · faa8a699 · faa8a699 · faa8a699
Commit faa8a699 authored 3 years ago by Julian
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -10,10 +10,6 @@ def basic_auth(username, password):
 class TestAPIAuth(UffdTestCase):
 	def setUpApp(self):
-		self.app.config['API_CLIENTS'] = {
-			'testtoken1': {'scopes': ['testscope']},
-			'testtoken2': {},
-		}
 		self.app.config['API_CLIENTS_2'] = {
 			'test1': {'client_secret': 'testsecret1', 'scopes': ['getusers', 'testscope']},
 			'test2': {'client_secret': 'testsecret2'},
@@ -56,26 +52,6 @@ class TestAPIAuth(UffdTestCase):
 		r = self.client.get(path=url_for('testendpoint3'), headers=[basic_auth('test2', 'testsecret2')], follow_redirects=True)
 		self.assertEqual(r.status_code, 403)
-	def test_bearer(self):
-		r = self.client.get(path=url_for('testendpoint1'), headers=[('Authorization', 'Bearer testtoken1')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.get(path=url_for('testendpoint2'), headers=[('Authorization', 'Bearer testtoken1')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.get(path=url_for('testendpoint3'), headers=[('Authorization', 'Bearer testtoken1')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.get(path=url_for('testendpoint1'), headers=[('Authorization', 'Bearer testtoken2')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-		r = self.client.get(path=url_for('testendpoint2'), headers=[('Authorization', 'Bearer testtoken2')], follow_redirects=True)
-		self.assertEqual(r.status_code, 200)
-	def test_bearer_invalid_credentials(self):
-		r = self.client.get(path=url_for('testendpoint1'), headers=[('Authorization', 'Bearer testtoken-none')], follow_redirects=True)
-		self.assertEqual(r.status_code, 401)
-	def test_bearer_missing_scope(self):
-		r = self.client.get(path=url_for('testendpoint3'), headers=[('Authorization', 'Bearer testtoken2')], follow_redirects=True)
-		self.assertEqual(r.status_code, 401)
 	def test_no_auth(self):
 		r = self.client.get(path=url_for('testendpoint1'), follow_redirects=True)
 		self.assertEqual(r.status_code, 401)
--- a/uffd/api/views.py
+++ b/uffd/api/views.py
@@ -22,20 +22,8 @@ def apikey_required(scope=None):
 					return 'Unauthorized', 401, {'WWW-Authenticate': ['Basic realm="api"']}
 				if scope is not None and scope not in client.get('scopes', []):
 					return 'Forbidden', 403
-			# To be removed in uffd v2
-			elif 'Authorization' in request.headers and request.headers['Authorization'].startswith('Bearer '):
-				token = request.headers['Authorization'][7:].strip()
-				client = None
-				for client_token, data in current_app.config['API_CLIENTS'].items():
-					if secrets.compare_digest(client_token, token):
-						client = data
-				if client is None:
-					return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="invalid_token"'}
-				client_scopes = ['getusers'] + client.get('scopes', [])
-				if scope is not None and scope not in client_scopes:
-					return 'Unauthorized', 401, {'WWW-Authenticate': 'Bearer error="insufficient_scope",scope="%s"'%scope}
 			else:
-				return 'Unauthorized', 401, {'WWW-Authenticate': ['Bearer', 'Basic realm="api"']}
+				return 'Unauthorized', 401, {'WWW-Authenticate': ['Basic realm="api"']}
 			return func(*args, **kwargs)
 		return decorator
 	return wrapper

--- a/uffd/default_config.cfg
+++ b/uffd/default_config.cfg
@@ -60,11 +60,6 @@ OAUTH2_CLIENTS={
 	# Set 'login_message' (or suffixed with a language code like 'login_message_de') to display a custom message on the login form.
 }
-# Deprecated, will be removed in uffd v2
-API_CLIENTS={
-	#'token': {'scopes': ['checkpassword']}
-}
 API_CLIENTS_2={
 	#'test_client_id' : {'client_secret': 'random_secret', 'scopes': ['users', 'checkpassword']},
 	# Scopes: