app: re-enable authorization checks on static files

Image files (.png) may still be accessed without authorization; all other files require that the request be authorized.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
Arksine 2021-05-20 17:07:48 -04:00
parent c335b62d26
commit 5d783a743a
1 changed files with 10 additions and 1 deletions


@ -56,6 +56,7 @@ RESERVED_ENDPOINTS = [
# 50 MiB Max Standard Body Size # 50 MiB Max Standard Body Size
MAX_BODY_SIZE = 50 * 1024 * 1024 MAX_BODY_SIZE = 50 * 1024 * 1024
EXCLUDED_ARGS = ["_", "token", "access_token", "connection_id"] EXCLUDED_ARGS = ["_", "token", "access_token", "connection_id"]
AUTHORIZED_EXTS = [".png"]
DEFAULT_KLIPPY_LOG_PATH = "/tmp/klippy.log" DEFAULT_KLIPPY_LOG_PATH = "/tmp/klippy.log"
class MutableRouter(tornado.web.ReversibleRuleRouter): class MutableRouter(tornado.web.ReversibleRuleRouter):
@ -383,7 +384,7 @@ class AuthorizedFileHandler(tornado.web.StaticFileHandler):
def prepare(self) -> None: def prepare(self) -> None:
auth: AuthComp = self.server.lookup_component('authorization', None) auth: AuthComp = self.server.lookup_component('authorization', None)
if auth is not None and self.request.method != "GET": if auth is not None and self._check_need_auth():
self.current_user = auth.check_authorized(self.request) self.current_user = auth.check_authorized(self.request)
def options(self, *args, **kwargs) -> None: def options(self, *args, **kwargs) -> None:
@ -401,6 +402,14 @@ class AuthorizedFileHandler(tornado.web.StaticFileHandler):
traceback.format_exception(*kwargs['exc_info'])) traceback.format_exception(*kwargs['exc_info']))
self.finish({'error': err}) self.finish({'error': err})
def _check_need_auth(self) -> bool:
if self.request.method != "GET":
return True
ext = os.path.splitext(self.request.path)[-1].lower()
if ext in AUTHORIZED_EXTS:
return False
return True
class DynamicRequestHandler(AuthorizedRequestHandler): class DynamicRequestHandler(AuthorizedRequestHandler):
def initialize( def initialize(
self, self,
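Review bot: In `_check_need_auth` the extension exemption is decided on `self.request.path`, which Tornado leaves percent-encoded, whereas the file the handler actually serves comes from the decoded routing arguments; the decision should be made on the same name that is served, presumably `self.path_args[0]` (or the named group in `self.path_kwargs`), which Tornado populates before `prepare()` runs — confirm against the route definition. The method test on the first line of the helper also means a `HEAD` for a `.png` requires authorization while a `GET` for the same file does not, which is stricter but should be deliberate; `if self.request.method not in ("GET", "HEAD"):` would align the two if the exemption is meant to cover both. The helper would benefit from a short docstring, e.g. `"""Return True unless the request is a GET for an extension in AUTHORIZED_EXTS."""`, since the boolean sense ("need auth") is easy to invert when reading `prepare()`.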