Added /user/auth subroute for basic auth

01d24773 · Thorge Petersen · 71f1933e · 01d24773 · 01d24773 · 01d24773
Commit 01d24773 authored 9 months ago by Thorge Petersen
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+### Added
+
+- Added `/user/auth` Subroute: This new endpoint serves as an internal authentication endpoint to validate CKAN users against the CKAN user database. It supports HTTP Basic Authentication, allowing Nginx to forward authentication requests to CKAN.
+
 ### Fixed

 - Resolved display issues of the resource view and share icons.

--- a/ckanext/odsh/plugin.py
+++ b/ckanext/odsh/plugin.py
@@ -73,6 +73,8 @@ class OdshPlugin(p.SingletonPlugin, DefaultTranslation, tk.DefaultDatasetForm):
        bp_user = user.blueprint
        bp_user.add_url_rule(u'/user', endpoint='user_index',
                             view_func=user.index, strict_slashes=False)
+        bp_user.add_url_rule(u'/user/auth', endpoint='user_auth',
+                             view_func=user.auth, strict_slashes=False)
        # bp_user.add_url_rule(u'/user/register', view_func=user.register)

        # Dashboard

--- a/ckanext/odsh/views/user.py
+++ b/ckanext/odsh/views/user.py
 import ckan.plugins.toolkit as toolkit
 import ckan.authz as authz
 from ckan.common import g
-from flask import Blueprint
+import ckan.lib.authenticator as authenticator
+from flask import Blueprint, request, Response                                                                                                                           
 import ckan.views.user as ckan_user_view
 import logging

@@ -33,3 +34,26 @@ def read(id=None):
    if not g.user:
        return ckan_user_view.login()
    return ckan_user_view.read(id)
+
+
+def auth():
+    auth = request.authorization
+    if not auth:
+        return Response('Unauthorized', 401, {'WWW-Authenticate': 'Basic realm="Login Required"'})
+
+    username = auth.username
+    password = auth.password
+
+    if _authenticate(username, password):
+        return Response('Authorized', 200)
+    else:
+        return Response('Unauthorized', 401, {'WWW-Authenticate': 'Basic realm="Login Required"'})
+
+
+def _authenticate(username, password):
+    identity = {'login': username, 'password': password}
+    user = authenticator.ckan_authenticator(identity)
+
+    if user:
+        return user
+    return None