inventree · matmair · Jan 19, 2024 · Jan 21, 2024 · Jan 21, 2024 · Jan 21, 2024
@@ -36,7 +36,7 @@ repos:
         files: src/backend/requirements-dev\.(in|txt)$
       - id: pip-compile
         name: pip-compile requirements.txt
-        args: [src/backend/requirements.in, -o, src/backend/requirements.txt, --no-strip-extras, --generate-hashes]
+        args: [src/backend/requirements.in, -o, src/backend/requirements.txt, --no-strip-extras]
         files: src/backend/requirements\.(in|txt)$
       - id: pip-compile
         name: pip-compile requirements.txt

@@ -22,7 +22,6 @@ API schema documentation is split into the following categories:
 
 | Category | Description |
 | --- | --- |
-| [Authorization and Authentication](./schema/auth.md) | Authorization and Authentication |
 | [Background Task Management](./schema/background-task.md) | Background Task Management |
 | [Barcode Scanning](./schema/barcode.md) | Barcode Scanning |
 | [Bill of Materials](./schema/bom.md) | Bill of Materials |

@@ -380,6 +380,7 @@ InvenTree provides allowance for additional sign-in options. The following optio
 | Environment Variable | Configuration File | Description | Default |
 | --- | --- | --- | --- |
 | INVENTREE_MFA_ENABLED | mfa_enabled | Enable or disable multi-factor authentication support for the InvenTree server | True |
+| MFA_SUPPORTED_TYPES | mfa_supported_types | List of supported multi-factor authentication types | recovery_codes,totp |
 
 ### Single Sign On
 

@@ -14,7 +14,6 @@
 
 # List of special paths we want to split out
 SPECIAL_PATHS = {
-    'auth': 'Authorization and Authentication',
     'background-task': 'Background Task Management',
     'barcode': 'Barcode Scanning',
     'bom': 'Bill of Materials',

@@ -91,7 +91,6 @@ line-ending = "auto"
 [tool.uv.pip]
 python-version = "3.9"
 no-strip-extras=true
-generate-hashes=true
 
 [tool.coverage.run]
 source = ["src/backend/InvenTree", "InvenTree"]

@@ -20,8 +20,11 @@
 
 import InvenTree.version
 import users.models
+from common.settings import get_global_setting
 from InvenTree import helpers
+from InvenTree.auth_overrides import registration_enabled
 from InvenTree.mixins import ListCreateAPI
+from InvenTree.sso import sso_registration_enabled
 from part.models import Part
 from plugin.serializers import MetadataSerializer
 from users.models import ApiToken
@@ -199,6 +202,13 @@ def list(self, request, *args, **kwargs):
 class InfoApiSerializer(serializers.Serializer):
     """InvenTree server information - some information might be blanked if called without elevated credentials."""
 
+    class SettingsSerializer(serializers.Serializer):
+        """Serializer for InfoApiSerializer."""
+
+        sso_registration = serializers.BooleanField()
+        registration_enabled = serializers.BooleanField()
+        password_forgotten_enabled = serializers.BooleanField()
+
     class CustomizeSerializer(serializers.Serializer):
         """Serializer for customize field."""
 
@@ -230,6 +240,7 @@ class CustomizeSerializer(serializers.Serializer):
     installer = serializers.CharField(read_only=True)
     target = serializers.CharField(read_only=True)
     django_admin = serializers.CharField(read_only=True)
+    settings = SettingsSerializer(read_only=True, many=False)
 
 
 class InfoView(APIView):
@@ -288,6 +299,13 @@ def get(self, request, *args, **kwargs):
             'django_admin': settings.INVENTREE_ADMIN_URL
             if (is_staff and settings.INVENTREE_ADMIN_ENABLED)
             else None,
+            'settings': {
+                'sso_registration': sso_registration_enabled(),
+                'registration_enabled': registration_enabled(),
+                'password_forgotten_enabled': get_global_setting(
+                    'LOGIN_ENABLE_PWD_FORGOT'
+                ),
+            },
         }
 
         return JsonResponse(data)

@@ -1,12 +1,15 @@
 """InvenTree API version information."""
 
 # InvenTree API version
-INVENTREE_API_VERSION = 309
+INVENTREE_API_VERSION = 310
 
 """Increment this API version number whenever there is a significant change to the API that any clients need to know about."""
 
 
 INVENTREE_API_TEXT = """
+v310 - 2025-01-29 : https://github.com/inventree/InvenTree/pull/6293
+    - Removes a considerable amount of old auth endpoints
+    - Introduces allauth based REST API
 
 v309 - 2025-02-02 : https://github.com/inventree/InvenTree/pull/9008
     - Bug fixes for the "Part" serializer

@@ -1,31 +1,25 @@
 """Overrides for allauth and adjacent packages to enforce InvenTree specific auth settings and restirctions."""
 
-from urllib.parse import urlencode
-
 from django import forms
 from django.conf import settings
 from django.contrib.auth.models import Group
+from django.core.exceptions import PermissionDenied
 from django.http import HttpResponseRedirect
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 
 import structlog
 from allauth.account.adapter import DefaultAccountAdapter
 from allauth.account.forms import LoginForm, SignupForm, set_form_field_order
-from allauth.core.exceptions import ImmediateHttpResponse
+from allauth.headless.adapter import DefaultHeadlessAdapter
+from allauth.headless.tokens.sessions import SessionTokenStrategy
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
-from allauth_2fa.adapter import OTPAdapter
-from allauth_2fa.forms import TOTPDeviceForm
-from allauth_2fa.utils import user_has_valid_totp_device
-from dj_rest_auth.registration.serializers import (
-    RegisterSerializer as DjRestRegisterSerializer,
-)
-from rest_framework import serializers
 
 import InvenTree.helpers_model
 import InvenTree.sso
 from common.settings import get_global_setting
 from InvenTree.exceptions import log_error
+from users.models import ApiToken
 
 logger = structlog.get_logger('inventree')
 
@@ -92,16 +86,6 @@ def clean(self):
         return cleaned_data
 
 
-class CustomTOTPDeviceForm(TOTPDeviceForm):
-    """Ensure that db registration is enabled."""
-
-    def __init__(self, user, metadata=None, **kwargs):
-        """Override to check if registration is open."""
-        if not settings.MFA_ENABLED:
-            raise forms.ValidationError(_('MFA Registration is disabled.'))
-        super().__init__(user, metadata, **kwargs)
-
-
 def registration_enabled():
     """Determine whether user registration is enabled."""
     if (
@@ -177,19 +161,7 @@ def save_user(self, request, user, form, commit=True):
         return user
 
 
-class CustomUrlMixin:
-    """Mixin to set urls."""
-
-    def get_email_confirmation_url(self, request, emailconfirmation):
-        """Custom email confirmation (activation) url."""
-        url = reverse('account_confirm_email', args=[emailconfirmation.key])
-
-        return InvenTree.helpers_model.construct_absolute_url(url)
-
-
-class CustomAccountAdapter(
-    CustomUrlMixin, RegistrationMixin, OTPAdapter, DefaultAccountAdapter
-):
+class CustomAccountAdapter(RegistrationMixin, DefaultAccountAdapter):
     """Override of adapter to use dynamic settings."""
 
     def send_mail(self, template_prefix, email, context):
@@ -207,16 +179,14 @@ def send_mail(self, template_prefix, email, context):
 
         return False
 
-    def get_email_confirmation_url(self, request, emailconfirmation):
-        """Construct the email confirmation url."""
-        url = super().get_email_confirmation_url(request, emailconfirmation)
-        url = InvenTree.helpers_model.construct_absolute_url(url)
-        return url
+    def send_password_reset_mail(self, user, email, context):
+        """Send the password reset mail."""
+        if not get_global_setting('LOGIN_ENABLE_PWD_FORGOT'):
+            raise PermissionDenied('Password reset is disabled')
+        return super().send_password_reset_mail(self, user, email, context)
 
 
-class CustomSocialAccountAdapter(
-    CustomUrlMixin, RegistrationMixin, DefaultSocialAccountAdapter
-):
+class CustomSocialAccountAdapter(RegistrationMixin, DefaultSocialAccountAdapter):
     """Override of adapter to use dynamic settings."""
 
     def is_auto_signup_allowed(self, request, sociallogin):
@@ -225,29 +195,6 @@ def is_auto_signup_allowed(self, request, sociallogin):
             return super().is_auto_signup_allowed(request, sociallogin)
         return False
 
-    # from OTPAdapter
-    def has_2fa_enabled(self, user):
-        """Returns True if the user has 2FA configured."""
-        return user_has_valid_totp_device(user)
-
-    def login(self, request, user):
-        """Ensure user is send to 2FA before login if enabled."""
-        # Require two-factor authentication if it has been configured.
-        if self.has_2fa_enabled(user):
-            # Cast to string for the case when this is not a JSON serializable
-            # object, e.g. a UUID.
-            request.session['allauth_2fa_user_id'] = str(user.id)
-
-            redirect_url = reverse('two-factor-authenticate')
-            # Add GET parameters to the URL if they exist.
-            if request.GET:
-                redirect_url += '?' + urlencode(request.GET)
-
-            raise ImmediateHttpResponse(response=HttpResponseRedirect(redirect_url))
-
-        # Otherwise defer to the original allauth adapter.
-        return super().login(request, user)
-
     def authentication_error(
         self, request, provider_id, error=None, exception=None, extra_context=None
     ):
@@ -264,15 +211,37 @@ def authentication_error(
         log_error(path, error_name=error, error_data=exception)
         logger.error("SSO error for provider '%s' - check admin error log", provider_id)
 
+    def get_connect_redirect_url(self, request, socialaccount):
+        """Redirect to the frontend after connecting an account."""
+        return request.build_absolute_uri(f'/{settings.FRONTEND_URL_BASE}/')
 
-# override dj-rest-auth
-class RegisterSerializer(DjRestRegisterSerializer):
-    """Registration requires email, password (twice) and username."""
 
-    email = serializers.EmailField()
+class CustomHeadlessAdapter(DefaultHeadlessAdapter):
+    """Override of adapter to use dynamic settings."""
 
-    def save(self, request):
-        """Override to check if registration is open."""
-        if registration_enabled():
-            return super().save(request)
-        raise forms.ValidationError(_('Registration is disabled.'))
+    def get_frontend_url(self, urlname, **kwargs):
+        """Get the frontend URL for the given URL name respecting the request."""
+        HEADLESS_FRONTEND_URLS = {
+            'account_confirm_email': 'verify-email/{key}',
+            'account_reset_password': 'reset-password',
+            'account_reset_password_from_key': 'set-password?key={key}',
+            'account_signup': 'register',
+            'socialaccount_login_error': 'social-login-error',
+        }
+        if urlname not in HEADLESS_FRONTEND_URLS:
+            raise ValueError(
+                f'URL name "{urlname}" not found in HEADLESS_FRONTEND_URLS'
+            )
+
+        return self.request.build_absolute_uri(
+            f'/{settings.FRONTEND_URL_BASE}/{HEADLESS_FRONTEND_URLS[urlname].format(**kwargs)}'
+        )
+
+
+class DRFTokenStrategy(SessionTokenStrategy):
+    """Strategy that InvenTrees own included Token model."""
+
+    def create_access_token(self, request):
+        """Create a new access token for the user."""
+        token, _ = ApiToken.objects.get_or_create(user=request.user)
+        return token.key
@@ -6,16 +6,13 @@
 from django.contrib.auth.middleware import PersistentRemoteUserMiddleware
 from django.http import HttpResponse
 from django.shortcuts import redirect
-from django.urls import Resolver404, include, path, resolve, reverse_lazy
+from django.urls import resolve, reverse_lazy
 from django.utils.deprecation import MiddlewareMixin
 
 import structlog
-from allauth_2fa.middleware import AllauthTwoFactorMiddleware, BaseRequire2FAMiddleware
 from error_report.middleware import ExceptionProcessor
 
-from common.settings import get_global_setting
 from InvenTree.cache import create_session_cache, delete_session_cache
-from InvenTree.urls import frontendpatterns
 from users.models import ApiToken
 
 logger = structlog.get_logger('inventree')
@@ -137,34 +134,6 @@ def __call__(self, request):
         return response
 
 
-url_matcher = path('', include(frontendpatterns))
-
-
-class Check2FAMiddleware(BaseRequire2FAMiddleware):
-    """Check if user is required to have MFA enabled."""
-
-    def require_2fa(self, request):
-        """Use setting to check if MFA should be enforced for frontend page."""
-        try:
-            if url_matcher.resolve(request.path[1:]):
-                return get_global_setting('LOGIN_ENFORCE_MFA')
-        except Resolver404:
-            pass
-        return False
-
-
-class CustomAllauthTwoFactorMiddleware(AllauthTwoFactorMiddleware):
-    """This function ensures only frontend code triggers the MFA auth cycle."""
-
-    def process_request(self, request):
-        """Check if requested url is frontend and enforce MFA check."""
-        try:
-            if not url_matcher.resolve(request.path[1:]):
-                super().process_request(request)
-        except Resolver404:
-            pass
-
-
 class InvenTreeRemoteUserMiddleware(PersistentRemoteUserMiddleware):
     """Middleware to check if HTTP-header based auth is enabled and to set it up."""