fix: Disable guest accounts (#1203)

devsoc-unsw · Nov 11, 2024 · 3a4ce84 · 3a4ce84
1 parent 37d4e0f
commit 3a4ce84
Show file tree

Hide file tree

Showing 8 changed files with 40 additions and 18 deletions.
diff --git a/backend/requirements.txt b/backend/requirements.txt
@@ -12,6 +12,7 @@ dnspython==2.6.1
 fastapi==0.110.2
 fuzzywuzzy==0.18.0
 h11==0.14.0
+hiredis==3.0.0
 hypothesis==6.61.0
 idna==3.7
 immutabledict==4.2.0

diff --git a/backend/server/routers/auth.py b/backend/server/routers/auth.py
@@ -11,7 +11,7 @@
 from server.db.helpers.users import delete_user, insert_new_user
 
 from .utility.sessions.errors import ExpiredRefreshTokenError, ExpiredSessionTokenError, OldRefreshTokenError
-from .utility.sessions.interface import create_new_guest_token_pair, get_session_info_from_refresh_token, get_session_info_from_session_token, logout_session, setup_new_csesoc_session, create_new_csesoc_token_pair, setup_new_guest_session
+from .utility.sessions.interface import create_new_guest_token_pair, get_session_info_from_refresh_token, get_session_info_from_session_token, logout_session, setup_new_csesoc_session, create_new_csesoc_token_pair
 
 from .utility.sessions.middleware import HTTPBearer401, set_secure_cookie
 from .utility.oidc.requests import DecodedIDToken, exchange_and_validate, generate_oidc_auth_url, get_userinfo_and_validate, refresh_and_validate, revoke_token, validate_authorization_response
@@ -100,21 +100,6 @@ def _try_get_session_info_for_logout(session_token: SessionToken, refresh_token:
 
 
 
-
-@router.post('/guest_login')
-def create_guest_session(res: Response) -> IdentityPayload:
-    # create new login session for user in db, generating new tokens
-    uid = insert_new_guest_user()
-    new_session_token, session_expiry, new_refresh_token, refresh_expiry = setup_new_guest_session(uid)
-
-    # TODO-OLLI(pm): setting up proper logging
-
-    # set the cookies and return the identity
-    set_secure_cookie(res, REFRESH_TOKEN_COOKIE, new_refresh_token, refresh_expiry)
-    return IdentityPayload(session_token=new_session_token, exp=session_expiry, uid=uid)
-
-
-
 @router.post("/refresh", response_model=IdentityPayload)
 def refresh(res: Response, refresh_token: Annotated[Optional[RefreshToken], Cookie(alias=REFRESH_TOKEN_COOKIE)] = None) -> IdentityPayload:
     # refresh flow - returns a new identity given the circles refresh token

diff --git a/backend/server/routers/dev.py b/backend/server/routers/dev.py
@@ -0,0 +1,23 @@
+from fastapi import APIRouter, Response
+
+from server.routers.auth import REFRESH_TOKEN_COOKIE, IdentityPayload, insert_new_guest_user
+from server.routers.utility.sessions.interface import setup_new_guest_session
+from server.routers.utility.sessions.middleware import set_secure_cookie
+
+
+router = APIRouter(
+    prefix="/dev",
+    tags=["dev"],
+)
+
+@router.post('/guest_login')
+def create_guest_session(res: Response) -> IdentityPayload:
+    # create new login session for user in db, generating new tokens
+    uid = insert_new_guest_user()
+    new_session_token, session_expiry, new_refresh_token, refresh_expiry = setup_new_guest_session(uid)
+
+    # TODO-OLLI(pm): setting up proper logging
+
+    # set the cookies and return the identity
+    set_secure_cookie(res, REFRESH_TOKEN_COOKIE, new_refresh_token, refresh_expiry)
+    return IdentityPayload(session_token=new_session_token, exp=session_expiry, uid=uid)
diff --git a/backend/server/server.py b/backend/server/server.py
@@ -2,6 +2,7 @@
 Configure the FastAPI server
 """
 
+import os
 from contextlib import asynccontextmanager
 from data.config import LIVE_YEAR
 from fastapi import FastAPI
@@ -55,6 +56,9 @@ async def on_setup_and_shutdown(_app: FastAPI):
 app.include_router(followups.router)
 # TODO: hide this behind a feature flag?
 # app.include_router(ctf.router)
+if os.getenv("APP_ENV") == "dev":
+    from server.routers import dev
+    app.include_router(dev.router)
 
 
 @app.get("/")

diff --git a/backend/server/tests/user/utility.py b/backend/server/tests/user/utility.py
@@ -20,7 +20,7 @@ def clear():
     setup_redis_sessionsdb()
 
 def get_token():
-    return requests.post('http://127.0.0.1:8000/auth/guest_login', timeout=5000).json()["session_token"]
+    return requests.post('http://127.0.0.1:8000/dev/guest_login', timeout=5000).json()["session_token"]
 
 def get_token_headers(token: str):
     return {"Authorization": f"Bearer {token}"}
diff --git a/frontend/src/pages/Login/Login.tsx b/frontend/src/pages/Login/Login.tsx
@@ -45,7 +45,9 @@ const Login = () => {
               <h2>Login to Circles</h2>
               <p>For current UNSW Students</p>
               <S.LoginButton onClick={initiateCSEAuth}>Login with zID</S.LoginButton>
-              <S.GuestButton onClick={guestLogin}>Continue as guest</S.GuestButton>
+              <S.GuestButton onClick={guestLogin} disabled>
+                Continue as guest (coming soon)
+              </S.GuestButton>
             </S.Login>
           </S.Right>
         </S.Wrapper>

diff --git a/frontend/src/pages/Login/styles.ts b/frontend/src/pages/Login/styles.ts
@@ -107,6 +107,10 @@ const GuestButton = styled.button`
   margin: 20px;
   cursor: pointer;
   transition: all 0.3s;
+  &:disabled {
+    opacity: 0.5;
+    cursor: not-allowed;
+  }
   &:hover {
     ${({ theme }) =>
       theme.loginSplash &&

diff --git a/setup_env.py b/setup_env.py
@@ -70,6 +70,9 @@ def main() -> None:
 
     if env.in_production:
         backend_env["FORWARDED_ALLOWED_IPS"] = "*"
+        backend_env["APP_ENV"] = "prod"
+    else:
+        backend_env["APP_ENV"] = "dev"
 
     # mongodb - backend + mongodb
     mongo_username = env.get_variable("MONGODB_USERNAME", "name")