From 6347c18f8ab1939cf175dd257b9a889fae11fc4b Mon Sep 17 00:00:00 2001
From: Dimitri Huisman
Date: Sun, 27 Nov 2022 11:15:40 +0000
Subject: [PATCH] Process review comments (PR2464)

---
 core/admin/mailu/api/common.py | 17 +++++++++++++----
 core/admin/mailu/api/v1/domains.py | 4 ++--
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/core/admin/mailu/api/common.py b/core/admin/mailu/api/common.py
index 1b69f4d7..331fdf4e 100644
--- a/core/admin/mailu/api/common.py
+++ b/core/admin/mailu/api/common.py
@@ -11,7 +11,8 @@ def fqdn_in_use(name):
     d = models.db.session.query(label('name', models.Domain.name))
     a = models.db.session.query(label('name', models.Alternative.name))
     r = models.db.session.query(label('name', models.Relay.name))
-    if d.union_all(a).union_all(r).filter_by(name=name).count() > 0:
+    u = d.union_all(a).union_all(r).filter_by(name=name)
+    if models.db.session.query(u.exists()).scalar():
         return True
     return False
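Review bot: The trailing `if …: return True` / `return False` pair on the last three lines of the hunk can collapse to a single `return bool(models.db.session.query(u.exists()).scalar())`, which keeps the EXISTS query this change introduces and drops the branch. The `def fqdn_in_use` line itself lies outside the hunk, so whether anything follows `return False` is not visible here.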
@@ -23,11 +24,19 @@ def api_token_authorization(func):
         if utils.limiter.should_rate_limit_ip(client_ip):
             abort(429, 'Too many attempts from your IP (rate-limit)' )
         if not request.headers.get('Authorization'):
-            abort(401, 'A valid API token is expected which is provided as request header')
-        if not hmac.compare_digest(request.headers.get('Authorization'), v1.api_token):
+            abort(401, 'A valid Bearer token is expected which is provided as request header')
+        #Client provides 'Authentication: Bearer '
+        if (' ' in request.headers.get('Authorization')
+            and not hmac.compare_digest(request.headers.get('Authorization'), 'Bearer ' + v1.api_token)):
             utils.limiter.rate_limit_ip(client_ip)
             flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
-            abort(403, 'A valid API token is expected which is provided as request header')
+            abort(403, 'A valid Bearer token is expected which is provided as request header')
+        #Client provides 'Authentication: '
+        elif (' ' not in request.headers.get('Authorization')
+            and not hmac.compare_digest(request.headers.get('Authorization'), v1.api_token)):
+            utils.limiter.rate_limit_ip(client_ip)
+            flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
+            abort(403, 'A valid Bearer token is expected which is provided as request header')
         flask.current_app.logger.info(f'Valid API token provided by {client_ip}.')
         return func(*args, **kwds)
     return decorated_function
diff --git a/core/admin/mailu/api/v1/domains.py b/core/admin/mailu/api/v1/domains.py
index 4eabe22e..76554a02 100644
--- a/core/admin/mailu/api/v1/domains.py
+++ b/core/admin/mailu/api/v1/domains.py
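Review bot: The two new `if`/`elif` branches duplicate the rate-limit, warning and abort lines and differ only in the expected value handed to `compare_digest`; computing that expected string once and keeping a single comparison removes the duplication, and the two added comments should name `Authorization:` (the header the code actually reads) rather than `Authentication:`. `hmac.compare_digest` on `str` arguments raises `TypeError` when either side contains non-ASCII characters, so a malformed header value would surface as a 500 before `utils.limiter.rate_limit_ip` is reached; comparing the `.encode()`d bytes keeps such input on the normal 403 path. The added `logger.warn` calls use the deprecated alias of `logger.warning`. The enclosing `decorated_function` begins outside the hunk.
```python
        if not request.headers.get('Authorization'):
            abort(401, 'A valid Bearer token is expected which is provided as request header')
        # Client provides 'Authorization: Bearer <token>' or the bare '<token>'
        provided = request.headers.get('Authorization')
        expected = 'Bearer ' + v1.api_token if ' ' in provided else v1.api_token
        # compare as bytes: compare_digest() on str raises TypeError for non-ASCII input
        if not hmac.compare_digest(provided.encode(), expected.encode()):
            utils.limiter.rate_limit_ip(client_ip)
            flask.current_app.logger.warning(f'Invalid API token provided by {client_ip}.')
            abort(403, 'A valid Bearer token is expected which is provided as request header')
        # … unchanged: success log and call of the wrapped function …
```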
@@ -401,10 +401,10 @@ class Alternative(Resource):
         """ Delete alternative (for domain) """
         if not validators.domain(alt):
             return { 'code': 400, 'message': f'Alternative domain {alt} is not a valid domain'}, 400
-        alternative = models.Alternative.query.filter_by(name=alt).first
+        alternative = models.Alternative.query.filter_by(name=alt).scalar()
         if not alternative:
             return { 'code': 404, 'message': f'Alternative domain {alt} does not exist'}, 404
-        domain = alternative.domain
+        domain = alternative.domain_name
         db.session.delete(alternative)
         db.session.commit()
         return {'code': 200, 'message': f'Alternative {alt} for domain {domain} has been deleted'}, 200
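Review bot: On the first added line, `.scalar()` does fix the removed `.first` (a bound method, always truthy), but `.first()` or `.one_or_none()` states the intent of "fetch the single matching alternative" more directly; `.scalar()` additionally raises `MultipleResultsFound` if more than one row matches `name=alt`, which is harmless only if `name` is unique, something this hunk does not show. The method's `def` line and its decorators lie outside the hunk, so the authorization applied to this delete handler cannot be checked here.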