From: Michael Tremer Date: Tue, 17 Jun 2025 09:46:01 +0000 (+0000) Subject: API: Return the user object for successfully authenticated people X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=060591f325199d73cd1f7822a4dde4b82a1fc4d1;p=pbs.git API: Return the user object for successfully authenticated people Signed-off-by: Michael Tremer --- diff --git a/src/api/auth.py b/src/api/auth.py index 7bf41388..7360be63 100644 --- a/src/api/auth.py +++ b/src/api/auth.py @@ -29,6 +29,8 @@ import socket from . import app from . import backend +from .. import users + # Fetch Kerberos configuration KERBEROS_KEYTAB = backend.config.get("krb5", "keytab") KERBEROS_REALM = backend.config.get("krb5", "realm", fallback="IPFIRE.ORG") @@ -51,15 +53,36 @@ router = fastapi.APIRouter( # Class to extract the Bearer token from the request headers security = fastapi.security.HTTPBearer() -def get_current_principal( +async def get_current_principal( credentials: fastapi.security.HTTPAuthorizationCredentials = fastapi.Depends(security) -): +) -> users.User: """ This is the main function to check whether a client is authenticated. It will fetch the Bearer token from the request header and return the principal. """ - return get_principal(credentials.credentials) + # Fetch the principal + principal = get_principal(credentials.credentials) + + # Do nothing further if we could not fetch any credentials + if not principal: + return + + # Strip off the realm + principal, _, realm = principal.rpartition("@") + + # Fail if the realm does not match + if not realm == KERBEROS_REALM: + raise fastapi.HTTPException(401) + + # Fetch the user object + user = await backend.users.get_by_name(principal) + + # Fail if no user could be found + if not user: + raise fastapi.HTTPException(401) + + return user class AuthResponse(pydantic.BaseModel): # Token Type
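Review bot: The `if not principal: return` branch in the new get_current_principal body returns None instead of failing, so a request whose Bearer token get_principal could not resolve reaches the route handler with a None user despite the `-> users.User` annotation, and every handler would have to re-check it, while the two later failure paths in the same function raise 401. Unless get_principal is known to raise on every invalid token (its body is outside this hunk), the bare return should become `raise fastapi.HTTPException(401)` so the dependency fails closed like the rest of the function. A smaller point: `principal.rpartition("@")` on a principal with no `@` yields an empty name and the whole string as the realm, which the realm comparison rejects except for the odd case where the bare string equals KERBEROS_REALM and an empty name is then looked up; a comment such as `# A principal without a realm fails the realm check below` or an explicit `if not realm:` guard would make that intent clear. Also `if not realm == KERBEROS_REALM:` reads more naturally as `if realm != KERBEROS_REALM:`, and the 401 responses could carry `headers={"WWW-Authenticate": "Bearer"}` so clients receive the challenge RFC 6750 expects.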