calibre-web/cps/usermanagement.py

108 lines
3.7 KiB
Python
Raw Normal View History

# -*- coding: utf-8 -*-
# This file is part of the Calibre-Web (https://github.com/janeczku/calibre-web)
# Copyright (C) 2018-2020 OzzieIsaacs
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from functools import wraps
from sqlalchemy.sql.expression import func
from werkzeug.security import check_password_hash
2021-07-30 09:43:26 +00:00
from flask_login import login_required, login_user
2023-02-04 10:09:16 +00:00
from flask import request, Response
2021-07-30 09:43:26 +00:00
2023-02-04 10:09:16 +00:00
from . import lm, ub, config, constants, services, logger
2023-02-04 10:09:16 +00:00
log = logger.create()
def login_required_if_no_ano(func):
@wraps(func)
def decorated_view(*args, **kwargs):
if config.config_anonbrowse == 1:
return func(*args, **kwargs)
return login_required(func)(*args, **kwargs)
return decorated_view
2023-02-04 10:09:16 +00:00
def requires_basic_auth_if_no_ano(f):
@wraps(f)
def decorated(*args, **kwargs):
auth = request.authorization
if not auth or auth.type != 'basic':
2023-02-04 13:51:41 +00:00
if config.config_anonbrowse != 1:
user = load_user_from_reverse_proxy_header(request)
if user:
return f(*args, **kwargs)
2023-02-04 13:51:41 +00:00
return _authenticate()
else:
return f(*args, **kwargs)
if config.config_login_type == constants.LOGIN_LDAP and services.ldap:
login_result, error = services.ldap.bind_user(auth.username, auth.password)
if login_result:
2023-02-04 13:51:41 +00:00
user = _fetch_user_by_name(auth.username)
login_user(user)
return f(*args, **kwargs)
elif login_result is not None:
2023-02-04 13:51:41 +00:00
log.error(error)
return _authenticate()
user = _load_user_from_auth_header(auth.username, auth.password)
2023-02-04 13:51:41 +00:00
if not user:
return _authenticate()
2023-02-04 10:09:16 +00:00
return f(*args, **kwargs)
return decorated
2023-02-04 13:51:41 +00:00
def _load_user_from_auth_header(username, password):
user = _fetch_user_by_name(username)
2023-02-04 10:09:16 +00:00
if bool(user and check_password_hash(str(user.password), password)):
2023-02-04 13:51:41 +00:00
login_user(user)
return user
2023-02-04 10:09:16 +00:00
else:
ip_address = request.headers.get('X-Forwarded-For', request.remote_addr)
2023-02-04 13:51:41 +00:00
log.warning('OPDS Login failed for user "%s" IP-address: %s', username, ip_address)
return None
2023-02-04 10:09:16 +00:00
2023-02-04 13:51:41 +00:00
def _authenticate():
2023-02-04 10:09:16 +00:00
return Response(
'Could not verify your access level for that URL.\n'
'You have to login with proper credentials', 401,
{'WWW-Authenticate': 'Basic realm="Login Required"'})
def _fetch_user_by_name(username):
return ub.session.query(ub.User).filter(func.lower(ub.User.name) == username.lower()).first()
@lm.user_loader
def load_user(user_id):
2023-02-04 13:51:41 +00:00
user = ub.session.query(ub.User).filter(ub.User.id == int(user_id)).first()
return user
@lm.request_loader
def load_user_from_reverse_proxy_header(req):
if config.config_allow_reverse_proxy_header_login:
rp_header_name = config.config_reverse_proxy_login_header_name
if rp_header_name:
2023-02-04 13:51:41 +00:00
rp_header_username = req.headers.get(rp_header_name)
if rp_header_username:
user = _fetch_user_by_name(rp_header_username)
if user:
2021-07-30 09:43:26 +00:00
login_user(user)
return user
2023-02-04 10:09:16 +00:00
return None