From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Tue, 26 Dec 2023 22:22:41 +0000 (-0800)
Subject: Fix: Disable auto-login for API token requests (#5094)
X-Git-Tag: v2.2.0~1^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5576a073a5b0308147945bd7cc45152d14972b67;p=thirdparty%2Fpaperless-ngx.git
Fix: Disable auto-login for API token requests (#5094)
---
diff --git a/src/paperless/auth.py b/src/paperless/auth.py
index 2285d0526a..a23b01cb48 100644
--- a/src/paperless/auth.py
+++ b/src/paperless/auth.py
@@ -2,12 +2,16 @@ from django.conf import settings
 from django.contrib import auth
 from django.contrib.auth.middleware import PersistentRemoteUserMiddleware
 from django.contrib.auth.models import User
+from django.http import HttpRequest
 from django.utils.deprecation import MiddlewareMixin
 from rest_framework import authentication
 class AutoLoginMiddleware(MiddlewareMixin):
- def process_request(self, request):
+ def process_request(self, request: HttpRequest):
+ # Dont use auto-login with token request
+ if request.path.startswith("/api/token/") and request.method == "POST":
+ return None
 try:
 request.user = User.objects.get(username=settings.AUTO_LOGIN_USERNAME)
 auth.login(
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index 30986aaa05..2df9b83ea7 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -297,8 +297,8 @@ if DEBUG:
 REST_FRAMEWORK = {
 "DEFAULT_AUTHENTICATION_CLASSES": [
 "rest_framework.authentication.BasicAuthentication",
- "rest_framework.authentication.SessionAuthentication",
 "rest_framework.authentication.TokenAuthentication",
+ "rest_framework.authentication.SessionAuthentication",
 ],
 "DEFAULT_VERSIONING_CLASS": "rest_framework.versioning.AcceptHeaderVersioning",
 "DEFAULT_VERSION": "1",
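Review bot: The new guard in `AutoLoginMiddleware.process_request` (src/paperless/auth.py) compares `request.path`, which in Django includes the script prefix, so when the app is mounted under a sub-path the literal `/api/token/` would not match and the exemption would silently not apply. `request.path_info` is the prefix-free value: `if request.path_info.startswith("/api/token/") and request.method == "POST":`. If the intent is that token requests authenticate with the supplied credentials rather than as `AUTO_LOGIN_USERNAME`, the comment should say so, since "Dont use auto-login with token request" only restates the condition. The rest of process_request continues past the end of the hunk.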
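Review bot: In the `DEFAULT_AUTHENTICATION_CLASSES` list of src/paperless/settings.py nothing records that the order is now deliberate. DRF tries the classes in sequence and the first one that authenticates wins, so a later alphabetical tidy-up of the list would quietly put SessionAuthentication back ahead of TokenAuthentication. A comment above the list such as `# Order matters: TokenAuthentication must be tried before SessionAuthentication (#5094)` would pin it. The REST_FRAMEWORK dict continues beyond the hunk.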