Commit Graph

18 Commits

Author SHA1 Message Date
Nigel Kukard
24f94abc32 fix(auth:basic): improved API basic auth handling to avoid exceptions
Currently passing an invalid Basic auth header (random string base64 encoded) would result in an
exception being raised due to a `username, password = auth_header.split()`.

I refactored the code in this decorator by checking explicitly that we are doing basic authentication
then by checking the number of entries returned by the split.

I also added exception handling for invalid UTF-8 code sequences.

Tested with a fuzzer.

Tested with valid and invalid credentials.

This fixes #1447.
2023-03-14 23:19:40 +00:00
corubba
e920bf5009 Fix broken code
PR #1089 is the culprit, as was already predicted in the review.
2022-12-19 09:37:01 +01:00
RGanor
81f158d9bc
enh: Enforce Record Restrictions in API (#1089)
Co-authored-by: Tom <tom@tom.com>
2022-06-18 14:20:49 +02:00
TomSebty
1926b862b8
feat: Option to forbid the creation of domain if it exists as a record (#1127)
When enabled, forbids the creation of a domain if it exists as a record in one of its parent domains (administrators and operators are not limited though).
2022-06-17 17:50:51 +02:00
jbe-dw
33f1c6ad61
Merge pull request #1027 from mirko/add-WWW-Authenticate-header-for-dyndns
dyndns: Respond with HTTP header 'WWW-Authenticate' to unauthed requests
2022-04-07 13:31:03 +02:00
zoeller-freinet
07f0d215a7 PDNS-API: factor in 'dnssec_admins_only' basic setting (#1055)
`GET cryptokeys/{cryptokey_id}` returns the private key, which justifies
that the setting is honored in this case.
2021-12-06 22:38:16 +01:00
Jérôme BECOT
d2f35a4059 fix: Check user zone create/delete permission
Co-authored-by: zoeller-freinet <86965592+zoeller-freinet@users.noreply.github.com>
2021-12-05 14:16:45 +01:00
root
940551e99e feat: Associate an API Key with accounts (#1044) 2021-12-03 14:12:11 +00:00
steschuser
bf83662108
allow users to remove domain (#952) 2021-10-30 21:21:45 +02:00
Mirko Vogt
282c630eb8 dyndns: Respond with HTTP header 'WWW-Authenticate' to unauthed requests
The common procedure for HTTP Basic Auth is that a client does /not/
immediately send out credentials via an 'Authorization'-header, but to
wait until the server tells the client to do so - which the server
indicates via the 'WWW-Authenticate'-header.

PowerDNS-Admin (and flask in general), though, abort the whole
communication if no Authorization header was found in the initial
request - resulting in '200 "badauth"'.

While this might work for /some/ HTTP clients - which right away add an
Authorization header crafted from provided credentials (via args or
extracted from given URL), this is /not/ standard and /not/ common.

Hence add the 'WWW-Authenticate'-header for every unauthenticated call
checking for dyndns authorisation.

Note, though, this changes the status code from 200 to 401 in this case,
which - given the explanation why 200 was chosen in the first place -
might cause side effects.
2021-10-20 15:12:17 +00:00
jodygilbert
98db953820
Allow user role to view history (#890) 2021-03-27 19:33:11 +01:00
jbe-dw
dd0a5f6326
feat: Allow sync domain with basic auth (#861) 2021-01-16 20:37:11 +01:00
WhatshallIbreaktoday
c6e0293177
Tweaks to allow user apikey usage with powerdns terraform provider (#845) 2020-12-07 22:06:37 +01:00
Kees Bos
4d391ccb34 Extend api with account and user management 2020-01-27 14:04:15 +00:00
Khanh Ngo
7739bf7cfc
Add user email verification 2019-12-21 21:43:03 +07:00
Khanh Ngo
c1fae6f3dd
Update README and LGTM fixes 2019-12-08 18:23:36 +07:00
Khanh Ngo
6af94df00a
LGTM fixes. Remove unused import and variables 2019-12-07 20:20:40 +07:00
Khanh Ngo
8ea00b9484
Refactoring the code
- Use Flask blueprint
- Split model and views into smaller parts
- Bug fixes
- API adjustment
2019-12-02 10:32:03 +07:00