Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mark passwords as sensitive variables #11652 #11653

Merged
merged 3 commits into from
Jan 23, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions arches/app/views/api/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
from django.core.exceptions import ObjectDoesNotExist, ValidationError
from django.core.files.base import ContentFile
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.debug import sensitive_variables
from django.utils import translation
from django.utils.decorators import method_decorator
from django_ratelimit.decorators import ratelimit
Expand Down Expand Up @@ -1127,6 +1128,7 @@ def get(self, request, plugin_id=None):


class SearchExport(View):
@sensitive_variables("user_cred")
@method_decorator(
ratelimit(
key="header:http-authorization", rate=settings.RATE_LIMIT, block=False
Expand Down
7 changes: 6 additions & 1 deletion arches/app/views/api/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
from django.contrib.auth import authenticate, login, logout
from django.utils.decorators import method_decorator
from django.utils.translation import gettext as _
from django.views.decorators.debug import sensitive_variables, sensitive_post_parameters
from django_ratelimit.decorators import ratelimit

from arches.app.models.system_settings import settings
Expand All @@ -18,7 +19,11 @@ class Login(LoginView, APIBase):
http_method_names = ["post"]

@method_decorator(
ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False)
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False),
)
)
def post(self, request):
if getattr(request, "limited", False):
Expand Down
95 changes: 58 additions & 37 deletions arches/app/views/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@
import base64
import io

from django.http import response
from arches.app.utils.external_oauth_backend import ExternalOauthAuthenticationBackend
import qrcode
import pyotp
Expand All @@ -33,6 +32,7 @@
from django.utils.decorators import method_decorator
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.debug import sensitive_post_parameters, sensitive_variables
from django.utils.html import strip_tags
from django.utils.translation import gettext as _
from django.utils.http import urlencode
Expand Down Expand Up @@ -88,19 +88,23 @@ def get(self, request):
)

@method_decorator(
ratelimit(
key="post:username",
rate=(
(
"{}/{}".format(
int(settings.RATE_LIMIT.split("/")[0]) * 2,
settings.RATE_LIMIT.split("/")[1],
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(
key="post:username",
rate=(
(
"{}/{}".format(
int(settings.RATE_LIMIT.split("/")[0]) * 2,
settings.RATE_LIMIT.split("/")[1],
)
)
)
if isinstance(settings.RATE_LIMIT, str)
else settings.RATE_LIMIT
if isinstance(settings.RATE_LIMIT, str)
else settings.RATE_LIMIT
),
block=False,
),
block=False,
)
)
def post(self, request):
Expand Down Expand Up @@ -202,13 +206,8 @@ def get(self, request):
confirmation_message = ""

if not settings.ENABLE_USER_SIGNUP:
raise (
Exception(
_(
"User signup has been disabled. Please contact your administrator."
)
)
)
msg = _("User signup has been disabled. Please contact your administrator.")
raise Exception(msg)

return render(
request,
Expand All @@ -223,6 +222,12 @@ def get(self, request):
},
)

@method_decorator(
(
sensitive_variables(),
sensitive_post_parameters(),
)
)
def post(self, request):
showform = True
confirmation_message = ""
Expand All @@ -231,13 +236,8 @@ def post(self, request):
form = ArchesUserCreationForm(postdata, enable_captcha=settings.ENABLE_CAPTCHA)

if not settings.ENABLE_USER_SIGNUP:
raise (
Exception(
_(
"User signup has been disabled. Please contact your administrator."
)
)
)
msg = _("User signup has been disabled. Please contact your administrator.")
raise Exception(msg)

if form.is_valid():
AES = AESCipher(settings.SECRET_KEY)
Expand Down Expand Up @@ -311,13 +311,8 @@ def post(self, request):
class ConfirmSignupView(View):
def get(self, request):
if not settings.ENABLE_USER_SIGNUP:
raise (
Exception(
_(
"User signup has been disabled. Please contact your administrator."
)
)
)
msg = _("User signup has been disabled. Please contact your administrator.")
raise Exception(msg)

link = request.GET.get("link", None)
AES = AESCipher(settings.SECRET_KEY)
Expand Down Expand Up @@ -369,7 +364,13 @@ def get(self, request):
}
return JSONResponse(messages)

@method_decorator(ratelimit(key="user", rate=settings.RATE_LIMIT, block=False))
@method_decorator(
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="user", rate=settings.RATE_LIMIT, block=False),
)
)
def post(self, request):
messages = {
"invalid_password": None,
Expand Down Expand Up @@ -425,7 +426,13 @@ class PasswordResetConfirmView(auth_views.PasswordResetConfirmView):

@method_decorator(csrf_exempt, name="dispatch")
class UserProfileView(View):
@method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
@method_decorator(
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="post:username", rate=settings.RATE_LIMIT),
)
)
def post(self, request):
username = request.POST.get("username", None)
password = request.POST.get("password", None)
Expand All @@ -446,7 +453,13 @@ def post(self, request):

@method_decorator(csrf_exempt, name="dispatch")
class GetClientIdView(View):
@method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
@method_decorator(
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="post:username", rate=settings.RATE_LIMIT),
)
)
def post(self, request):
if settings.OAUTH_CLIENT_ID == "":
message = _("Make sure to set your OAUTH_CLIENT_ID in settings.py")
Expand All @@ -465,7 +478,13 @@ def post(self, request):

@method_decorator(csrf_exempt, name="dispatch")
class ServerSettingView(View):
@method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
@method_decorator(
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="post:username", rate=settings.RATE_LIMIT),
)
)
def post(self, request):
if settings.OAUTH_CLIENT_ID == "":
message = _("Make sure to set your OAUTH_CLIENT_ID in settings.py")
Expand Down Expand Up @@ -573,6 +592,7 @@ def post(self, request):

@method_decorator(never_cache, name="dispatch")
class TwoFactorAuthenticationLoginView(View):
@method_decorator((sensitive_variables(), sensitive_post_parameters()))
def post(self, request):
username = request.POST.get("username", None)
password = request.POST.get("password", None)
Expand Down Expand Up @@ -718,6 +738,7 @@ def post(self, request):

@method_decorator(csrf_exempt, name="dispatch")
class Token(View):
@method_decorator(sensitive_variables())
def get(self, request):
if settings.DEBUG:
data = {
Expand Down
1 change: 1 addition & 0 deletions releases/8.0.0.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ Arches 8.0.0 Release Notes

### Additional highlights
- Add session-based REST APIs for login, logout [#11261](https://github.com/archesproject/arches/issues/11261)
- Auth views now filter out passwords from error reports when running in production [#11652](https://github.com/archesproject/arches/issues/11652)
- Improve handling of longer model names [#11317](https://github.com/archesproject/arches/issues/11317)
- New column `NodeGroup.grouping_node`: one-to-one field to the grouping node [#11613](https://github.com/archesproject/arches/issues/11613)
- Support more expressive plugin URLs [#11320](https://github.com/archesproject/arches/issues/11320)
Expand Down
Loading