From 8dc733812b95385ce27255d2ca159ab214bbad94 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu, 19 Oct 2023 13:25:51 +0000
Subject: [PATCH] web: Add decorator to require clients to do SPNEGO

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/web/base.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/web/base.py b/src/web/base.py
index 3bfff3c1..815beda9 100644
--- a/src/web/base.py
+++ b/src/web/base.py
@@ -390,6 +390,26 @@ class APIMixin(KerberosAuthMixin, BackendMixin):
 		return message
 
 
+def negotiate(method):
+	"""
+		Requires clients to use SPNEGO
+	"""
+	@functools.wraps(method)
+	def wrapper(self, *args, **kwargs):
+		if not self.current_user:
+			# Send the Negotiate header
+			self.add_header("WWW-Authenticate", "Negotiate")
+
+			# Respond with 401
+			self.set_status(401)
+			self.finish()
+
+			return None
+
+		return method(self, *args, **kwargs)
+
+	return wrapper
+
 class ratelimit(object):
 	"""
 		A decorator class which limits how often a function can be called
-- 
2.47.3