
Add new Django setting to restrict allauth endpoints that are exposed #1670

Merged
merged 2 commits into from
Jul 31, 2023

Conversation

mvandenburgh

Currently, we use allauth's regular "account" provider for user management in dev, and its github "socialaccount" provider for prod. However, we expose endpoints for both of these auth flows in prod and dev. This means that someone can sign up using the regular "account" provider in production, bypassing github entirely. In practice, this hasn't happened before because we don't advertise these URLs publicly; however, if you know the URL, a user could navigate to https://api.dandiarchive.org/accounts/signup/ directly and sign up.

This PR adds a new setting ENABLE_GITHUB_OAUTH. If enabled, only the github socialaccount provider endpoints are exposed. If disabled, only the "account" provider endpoints are exposed.
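As an added example (not code from the dandi-archive project or from allauth), the following models the rule this PR introduces, exactly one allauth provider exposed per deployment as selected by `ENABLE_GITHUB_OAUTH`, and adds an audit a reviewer could run over a deployment's served routes to catch the pre-PR situation described above. Only the `accounts/` mount point and the `/accounts/signup/` path come from the description; the function names and the route dumps are constructed for the example.

```python
# Added example: framework-agnostic model of the "one provider per deployment" rule
# plus an audit of served routes. Not dandi-archive or allauth code; route lists are constructed.
from typing import Iterable, List, Optional

AUTH_MOUNT = "accounts/"                 # where the project mounts allauth (from the PR)
GITHUB_PREFIX = AUTH_MOUNT + "github/"   # socialaccount routes for the github provider (assumed layout)


def provider_for(enable_github_oauth: bool) -> str:
    """The single allauth provider a deployment should expose in this mode."""
    return "github" if enable_github_oauth else "account"


def classify(route: str) -> Optional[str]:
    """Map a served route to the provider that registers it, or None for non-auth routes."""
    if route.startswith(GITHUB_PREFIX):
        return "github"
    if route.startswith(AUTH_MOUNT):
        return "account"  # signup / login / password reset of the regular "account" provider
    return None


def audit_routes(enable_github_oauth: bool, served_routes: Iterable[str]) -> List[str]:
    """Return, sorted, the auth routes served that belong to the provider this mode disables.

    An empty list means the deployment matches the setting; anything else means the
    other provider's flow is reachable by URL, which is the bug the PR closes.
    """
    wanted = provider_for(enable_github_oauth)
    return sorted(r for r in served_routes if classify(r) not in (None, wanted))


# Constructed route dumps (what a deployment answers on), before and after the change.
PRE_PR_PROD_ROUTES = [
    "api/health/",                       # constructed non-auth route, ignored by the audit
    "accounts/github/login/",
    "accounts/github/login/callback/",
    "accounts/signup/",                  # reachable in prod despite github-only login
    "accounts/login/",
]
POST_PR_PROD_ROUTES = ["api/health/", "accounts/github/login/", "accounts/github/login/callback/"]
POST_PR_DEV_ROUTES = ["api/health/", "accounts/signup/", "accounts/login/"]

if __name__ == "__main__":
    print("prod before:", audit_routes(True, PRE_PR_PROD_ROUTES))   # flags signup/login
    print("prod after: ", audit_routes(True, POST_PR_PROD_ROUTES))  # []
    print("dev after:  ", audit_routes(False, POST_PR_DEV_ROUTES))  # []
```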

Currently, we use allauth's regular "account" provider for user
management in dev, and its github "socialaccount" provider for
prod. However, we expose endpoints for both auth flows in
prod and dev. This commit adds a new setting `ENABLE_GITHUB_OAUTH`.
If enabled, only the github socialaccount provider endpoints are
exposed. If disabled, only the "account" provider endpoints are
exposed.
This app only needs to be installed if github oauth is enabled.

@jjnesbitt jjnesbitt left a comment


Nice work! Tested this locally and can confirm I don't see any github oauth URLs, while manually changing the setting shows only the github oauth login flow.

I haven't tested the full Github login flow with this change, but to my knowledge it should remain unchanged.

@danlamanna

Related #1644

@mvandenburgh mvandenburgh added patch Increment the patch version when merged release Create a release when this pr is merged labels Jul 31, 2023
@mvandenburgh mvandenburgh merged commit d1c6a47 into master Jul 31, 2023
@mvandenburgh mvandenburgh deleted the restrict-allauth-endpoints-per-deployment branch July 31, 2023 19:30
@dandibot

🚀 PR was released in v0.3.51 🚀

@dandibot dandibot added the released This issue/pull request has been released. label Jul 31, 2023