diff --git a/apiserver/apiserver/api/views.py b/apiserver/apiserver/api/views.py
index c0ddd0b..65b6300 100644
--- a/apiserver/apiserver/api/views.py
+++ b/apiserver/apiserver/api/views.py
@@ -446,7 +446,7 @@ class PingView(views.APIView):
 class DoorViewSet(viewsets.ViewSet, List):
 def list(self, request):
 auth_token = request.META.get('HTTP_AUTHORIZATION', '')
- if auth_token != 'Bearer ' + secrets.DOOR_API_TOKEN:
+ if secrets.DOOR_API_TOKEN and auth_token != 'Bearer ' + secrets.DOOR_API_TOKEN:
 raise exceptions.PermissionDenied()
 cards = models.Card.objects.filter(active_status='card_active')
@@ -488,7 +488,7 @@ class DoorViewSet(viewsets.ViewSet, List):
 class LockoutViewSet(viewsets.ViewSet, List):
 def list(self, request):
 auth_token = request.META.get('HTTP_AUTHORIZATION', '')
- if auth_token != 'Bearer ' + secrets.DOOR_API_TOKEN:
+ if secrets.DOOR_API_TOKEN and auth_token != 'Bearer ' + secrets.DOOR_API_TOKEN:
 raise exceptions.PermissionDenied()
 cards = models.Card.objects.filter(active_status='card_active')
diff --git a/apiserver/apiserver/secrets.py.example b/apiserver/apiserver/secrets.py.example
index 8196956..7a18316 100644
--- a/apiserver/apiserver/secrets.py.example
+++ b/apiserver/apiserver/secrets.py.example
@@ -1,4 +1,6 @@
 # Spaceport secrets file, don't commit to version control!
+#
+# Note: all values are optional, features are excluded if left blank
 # /admin/ route obfuscation
 # Set this to random characters
diff --git a/apiserver/apiserver/settings.py b/apiserver/apiserver/settings.py
index aa8def4..f6c7090 100644
--- a/apiserver/apiserver/settings.py
+++ b/apiserver/apiserver/settings.py
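Review bot: The new guard in `DoorViewSet.list` fails open: when `secrets.DOOR_API_TOKEN` is blank the `and` short-circuits, `PermissionDenied` is never raised, and the request goes on to the `models.Card` query with no authentication at all. The same condition is added to `LockoutViewSet.list` in the next hunk. This contradicts the "features are excluded if left blank" note added to secrets.py.example; to switch the endpoint off when no token is configured, deny instead: `if not secrets.DOOR_API_TOKEN or auth_token != 'Bearer ' + secrets.DOOR_API_TOKEN:`. Doing the comparison with `hmac.compare_digest` would also remove the timing difference of `!=` on the token. Both method bodies continue outside the hunks, so what is returned after the card query is not visible here.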
@@ -25,7 +25,7 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = secrets.DJANGO_SECRET_KEY
+SECRET_KEY = secrets.DJANGO_SECRET_KEY or 'OaOBN2E+brpoRyDMlTD9eTE5PgBtkkl+L7Bzt6pQ5Qr3GS82SH'
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG_ENV = os.environ.get('DEBUG', False)
diff --git a/apiserver/apiserver/urls.py b/apiserver/apiserver/urls.py
index d6165b7..9e5ca02 100644
--- a/apiserver/apiserver/urls.py
+++ b/apiserver/apiserver/urls.py
@@ -7,9 +7,6 @@ from rest_auth.views import LoginView, LogoutView
 from .api import views
 from . import secrets, settings
-IPN_ROUTE = r'^ipn/{}/'.format(secrets.IPN_RANDOM)
-ADMIN_ROUTE = '{}/admin/'.format(secrets.ADMIN_RANDOM)
-
 router = routers.DefaultRouter()
 router.register(r'door', views.DoorViewSet, basename='door')
 router.register(r'lockout', views.LockoutViewSet, basename='lockout')
@@ -31,7 +28,6 @@ router.register(r'charts/spaceactivity', views.SpaceActivityViewSet, basename='s
 urlpatterns = [
 path('', include(router.urls)),
- path(ADMIN_ROUTE, admin.site.urls),
 url(r'^rest-auth/login/$', LoginView.as_view(), name='rest_login'),
 url(r'^spaceport-auth/login/$', views.SpaceportAuthView.as_view(), name='spaceport_auth'),
 url(r'^rest-auth/logout/$', LogoutView.as_view(), name='rest_logout'),
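Review bot: The fallback literal on the new `SECRET_KEY` line in settings.py is a signing key published in the repository, so any deployment that leaves `DJANGO_SECRET_KEY` blank signs its sessions, password-reset tokens and other signed values with a key anyone can read. A blank value should either stop startup or get a per-process random key, e.g. `SECRET_KEY = secrets.DJANGO_SECRET_KEY or get_random_secret_key()` with `from django.core.management.utils import get_random_secret_key`. A random key invalidates sessions on every restart and may differ between worker processes, so it only suits development; for production, raising `ImproperlyConfigured` when the value is blank is the safer choice. A comment on the line stating which of the two behaviours is intended would help the next reader.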
@@ -44,9 +40,16 @@ urlpatterns = [
 url(r'^ping/', views.PingView.as_view(), name='ping'),
 url(r'^paste/', views.PasteView.as_view(), name='paste'),
 url(r'^backup/', views.BackupView.as_view(), name='backup'),
- url(IPN_ROUTE, views.IpnView.as_view(), name='ipn'),
 ]
+if secrets.IPN_RANDOM:
+ IPN_ROUTE = r'^ipn/{}/'.format(secrets.IPN_RANDOM)
+ urlpatterns.append(url(IPN_ROUTE, views.IpnView.as_view(), name='ipn'))
+
+if secrets.ADMIN_RANDOM:
+ ADMIN_ROUTE = '{}/admin/'.format(secrets.ADMIN_RANDOM)
+ urlpatterns.append(path(ADMIN_ROUTE, admin.site.urls))
+
 if settings.DEBUG:
 urlpatterns += [
 path('api-auth/', include('rest_framework.urls')),
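Review bot: `secrets.IPN_RANDOM` is formatted straight into a regular expression on the added `IPN_ROUTE` line, so a value containing regex metacharacters (`+`, `.`, `(` and the like) would match a different path than the one configured, or fail to compile at import. Escaping it keeps the route literal: `IPN_ROUTE = r'^ipn/{}/'.format(re.escape(secrets.IPN_RANDOM))`, which needs `import re` in urls.py if it is not already imported. The interpolation predates this commit (the line is moved from the top of the file), and the admin route is unaffected because `path()` does not take a regex. Unlike the door token check in views.py, these two blocks drop the route when the secret is blank, which is the fail-closed behaviour the secrets.py.example note describes.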