Unauthenticated request handling #1907
Conversation
`REQUIRE_AUTH` setting is False by default. When enabled it requires users to be authenticated to access anything other than the base api endpoints like metadata, statistics, healthz etc
|
@sunu I'm having an issue when I try to run this locally with the |
|
@kjacks Arrh, should be fixed now! Do you think we can move the message to markdown so that it can be easily customised to be something not OCCRP specific without messing with the code? May be we can also decouple the homepage message from the auth handling part so that it can be used for other messages as well. What do you think? |
ui/src/components/Screen/Screen.jsx
Outdated
| const { location } = ownProps; | ||
|
|
||
| return ({ | ||
| isHomePage: location.pathname === '/', |
There was a problem hiding this comment.
You probably want to allow the /pages/ stuff, too, no? The content for it is all in /api/2/metadata...
There was a problem hiding this comment.
Ooh yes! Thank ya for pointing that out :)
aleph/views/__init__.py
Outdated
|
|
||
|
|
||
| def register_blueprint(app, blueprint, **kw): | ||
| if settings.REQUIRE_AUTH: |
There was a problem hiding this comment.
My intuition would be that this wants to live on authz somewhere to make it more coherent with the rest of the system. Maybe like a authz.can_browse_anonymous that gets require'd when no other check is conducted (and is also implicitly checked by can() etc. - analogous to session_write? Doing it at the blueprint layer introduces a whole new dimension to authz that's sort of invisible and unexpected.
There was a problem hiding this comment.
Ok, in hindsight that's definitely a much cleaner implementation. Thanks @pudo!
aleph/settings.py
Outdated
| @@ -85,6 +85,9 @@ | |||
| # No authentication. Everyone is admin. | |||
| SINGLE_USER = env.to_bool("ALEPH_SINGLE_USER") | |||
|
|
|||
| # Require authentication. No anonymous access | |||
| REQUIRE_AUTH = env.to_bool("ALEPH_REQUIRE_AUTH", False) | |||
Yes, it's something that we need to look at. As a first step though, this allows us to shut down potential intrusions quickly. It's a bit of a big hammer and there are certainly finer tools that we should be using but for now this will work for us. |
The best I can think of is IP based rate limiting for anonymous requests. The traffic we saw yesterday kept switching between tor exit nodes. So I'm not sure if IP based rate limiting will be effective in that case. Is there any other criteria we can use? |
aleph/settings.py
Outdated
| @@ -85,6 +85,9 @@ | |||
| # No authentication. Everyone is admin. | |||
| SINGLE_USER = env.to_bool("ALEPH_SINGLE_USER") | |||
|
|
|||
| # Require authentication. No anonymous access | |||
| REQUIRE_AUTH = env.to_bool("ALEPH_REQUIRE_AUTH", False) | |||
kjacks
changed the title
This is another way to display a warning message (only on the home page though). It was introduced in #1907 for a similar purpose (to inform users that anonymous access is temporarily disabled). As we now have two ways to set an app-wide message banner (via the `APP_BANNER` env variable and by configuring a messages endpoint), I think we can now remove this feature.
This is another way to display a warning message (only on the home page though). It was introduced in #1907 for a similar purpose (to inform users that anonymous access is temporarily disabled). As we now have two ways to set an app-wide message banner (via the `APP_BANNER` env variable and by configuring a messages endpoint), I think we can now remove this feature.
This is another way to display a warning message (only on the home page though). It was introduced in #1907 for a similar purpose (to inform users that anonymous access is temporarily disabled). As we now have two ways to set an app-wide message banner (via the `APP_BANNER` env variable and by configuring a messages endpoint), I think we can now remove this feature.
This is another way to display a warning message (only on the home page though). It was introduced in #1907 for a similar purpose (to inform users that anonymous access is temporarily disabled). As we now have two ways to set an app-wide message banner (via the `APP_BANNER` env variable and by configuring a messages endpoint), I think we can now remove this feature.
Require auth for all non-index routes for apps with
metadata.auth.auth_required == true.TODO: