Fix: Disable auto-login for API token requests (#5094)
authorshamoon <4887959+shamoon@users.noreply.github.com>
Tue, 26 Dec 2023 22:22:41 +0000 (14:22 -0800)
committerGitHub <noreply@github.com>
Tue, 26 Dec 2023 22:22:41 +0000 (22:22 +0000)
src/paperless/auth.py
src/paperless/settings.py

index 2285d0526a868e3a439da69391aefc2484ecb69f..a23b01cb48f35b21f24b03880fb5a50c70683f75 100644 (file)
@@ -2,12 +2,16 @@ from django.conf import settings
 from django.contrib import auth
 from django.contrib.auth.middleware import PersistentRemoteUserMiddleware
 from django.contrib.auth.models import User
+from django.http import HttpRequest
 from django.utils.deprecation import MiddlewareMixin
 from rest_framework import authentication
 
 
 class AutoLoginMiddleware(MiddlewareMixin):
-    def process_request(self, request):
+    def process_request(self, request: HttpRequest):
+        # Dont use auto-login with token request
+        if request.path.startswith("/api/token/") and request.method == "POST":
+            return None
         try:
             request.user = User.objects.get(username=settings.AUTO_LOGIN_USERNAME)
             auth.login(
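Review bot: The new guard in `process_request` compares `request.path` with the literal `/api/token/`, and in Django `request.path` includes any script prefix. On an instance served under a sub-path the check would presumably never match, so the token request would still be auto-logged in as `AUTO_LOGIN_USERNAME`. Matching on the prefix-free path avoids this: `if request.path_info.startswith("/api/token/") and request.method == "POST":`. The comment above it should also state the reason rather than restate the condition, for example `# Don't auto-login token requests: the posted credentials must be what authenticates the caller` if that is the intent. The body of `process_request` continues past the end of the hunk, so the rest of the login path is not visible here.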
index 30986aaa05ad6e4453a822e15039144b3baf415a..2df9b83ea7b2bee8c5a4f0f650d5197ff9c55cff 100644 (file)
@@ -297,8 +297,8 @@ if DEBUG:
 REST_FRAMEWORK = {
     "DEFAULT_AUTHENTICATION_CLASSES": [
         "rest_framework.authentication.BasicAuthentication",
-        "rest_framework.authentication.SessionAuthentication",
         "rest_framework.authentication.TokenAuthentication",
+        "rest_framework.authentication.SessionAuthentication",
     ],
     "DEFAULT_VERSIONING_CLASS": "rest_framework.versioning.AcceptHeaderVersioning",
     "DEFAULT_VERSION": "1",
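Review bot: The reordering in `DEFAULT_AUTHENTICATION_CLASSES` is behaviour-relevant, but nothing in the list says so. REST framework tries the classes in order and uses the first one that authenticates, so moving `TokenAuthentication` ahead of `SessionAuthentication` makes an explicit token win over a session cookie. A later tidy-up could silently undo this. Add a comment above the list such as `# Order matters: TokenAuthentication must precede SessionAuthentication so a supplied token is not overridden by an existing (e.g. auto-login) session`. A test that sends both a session and a token for different users and asserts the token's user is selected would pin the intent.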