Merge branch 'admin-token' into 'master'

Implement admin ID for automated tests See merge request litecord/litecord!90
Fix not comparing admin token to passed token
2022-10-19 21:21:43 +00:00 · 2022-10-19 23:13:44 +02:00 · 2022-10-19 23:10:28 +02:00
3 changed files with 27 additions and 21 deletions
--- a/config.example.py
+++ b/config.example.py
@ -18,10 +18,6 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """

 import os
-from logbook import Logger
-
-
-log = Logger(__name__)


 MODE = "Development"
@ -76,22 +72,8 @@ class Config:
    #: Shared secret for LVSP
    LVSP_SECRET = ""

-    #: Admin credentials for automated testing
-    #  The token is the value to pass in the Authorization header, and the ID
-    #  is the user ID to use when it is passed.
-    ADMIN_ID = os.getenv("ADMIN_ID")
-    ADMIN_TOKEN = os.getenv("ADMIN_TOKEN")
-
-    if None in {ADMIN_ID, ADMIN_TOKEN} and not ADMIN_ID == ADMIN_TOKEN:
-        log.warning(
-            "Not both admin ID ({}) and token ({}) configured; ignoring",
-            ADMIN_ID,
-            ADMIN_TOKEN,
-        )
-        ADMIN_ID = ADMIN_TOKEN = None
-
-    if ADMIN_ID is not None:
-        ADMIN_ID = int(ADMIN_ID)
+    ADMIN_ID = None
+    ADMIN_TOKEN = None


 class Development(Config):
@ -104,6 +86,12 @@ class Development(Config):
        "database": "litecord",
    }

+    ADMIN_ID = os.getenv("ADMIN_ID")
+    ADMIN_TOKEN = os.getenv("ADMIN_TOKEN")
+
+    if ADMIN_ID is not None:
+        ADMIN_ID = int(ADMIN_ID)
+

 class Production(Config):
    DEBUG = False
--- a/litecord/auth.py
+++ b/litecord/auth.py
@ -19,6 +19,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.

 import base64
 import binascii
+from hmac import compare_digest

 import bcrypt
 from itsdangerous import TimestampSigner, BadSignature
@ -47,7 +48,9 @@ async def raw_token_check(token: str, db=None) -> int:
    Forbidden
        If token validation fails.
    """
-    if app.config["ADMIN_TOKEN"] is not None:
+    if app.config["ADMIN_TOKEN"] is not None and compare_digest(
+        token, app.config["ADMIN_TOKEN"]
+    ):
        return app.config["ADMIN_ID"]

    db = db or app.db
--- a/run.py
+++ b/run.py
@ -122,7 +122,22 @@ redirect_logging()

 def make_app():
    app = Quart(__name__)
+
    app.config.from_object(f"config.{config.MODE}")
+
+    admin_id, admin_token = app.config["ADMIN_ID"], app.config["ADMIN_TOKEN"]
+    if None in {admin_id, admin_token} and not admin_id == admin_token:
+        log.warning(
+            "Not both admin ID ({}) and token ({}) configured; ignoring",
+            admin_id,
+            admin_token,
+        )
+        admin_id = admin_token = None
+
+    # update config if the variables were updated
+    app.config["ADMIN_ID"] = admin_id
+    app.config["ADMIN_TOKEN"] = admin_token
+
    is_debug = app.config.get("DEBUG", False)
    app.debug = is_debug
Author	SHA1	Message	Date
Bluenix	7dd8838f02	Merge branch 'admin-token' into 'master' Implement admin ID for automated tests See merge request litecord/litecord!90	2022-10-19 21:21:43 +00:00
Bluenix	83179f21ab	Fix not comparing admin token to passed token	2022-10-19 23:13:44 +02:00
Bluenix	210f1ab1d5	Move admin token warning into app start	2022-10-19 23:10:28 +02:00