From f82c7e4a730377d085089e88dafea094e60c4203 Mon Sep 17 00:00:00 2001
From: Tanner Collin
Date: Thu, 27 Feb 2020 22:44:55 +0000
Subject: [PATCH] Hide door card list behind auth token

---
 apiserver/apiserver/api/views.py | 4 ++++
 apiserver/apiserver/secrets.py.example | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/apiserver/apiserver/api/views.py b/apiserver/apiserver/api/views.py
index 3040abe..9ad53c4 100644
--- a/apiserver/apiserver/api/views.py
+++ b/apiserver/apiserver/api/views.py
@@ -317,6 +317,10 @@ class PingView(views.APIView):
 
 class DoorViewSet(viewsets.ViewSet, List):
     def list(self, request):
+        auth_token = request.META.get('HTTP_AUTHORIZATION', '')
+        if auth_token != secrets.DOOR_API_TOKEN:
+            raise exceptions.PermissionDenied()
+
         cards = models.Card.objects.filter(active_status='card_active')
 
         active_member_cards = {}
diff --git a/apiserver/apiserver/secrets.py.example b/apiserver/apiserver/secrets.py.example
index 836b9c6..88c959f 100644
--- a/apiserver/apiserver/secrets.py.example
+++ b/apiserver/apiserver/secrets.py.example
@@ -27,6 +27,12 @@ LDAP_API_URL = ''
 # spaceport/ldapserver/secrets.py
 LDAP_API_KEY = ''
 
+# Door cards API token
+# Set this to random characters
+# For example, use the output of this:
+# head /dev/urandom | base32 | head -c 40
+DOOR_API_TOKEN = ''
+
 # Backup API tokens
 # These tokens allow each user to download a backup of member data.
 # Don't mess up the data structure!
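Review bot: The new guard in `DoorViewSet.list` fails open when `DOOR_API_TOKEN` is left as the empty string that secrets.py.example ships, because a missing `Authorization` header defaults to `''` and `'' != ''` is False, so an unconfigured deployment serves the full active-card list to anyone. The comparison is also a plain `!=` rather than a constant-time compare; I would write the condition as `if not secrets.DOOR_API_TOKEN or not hmac.compare_digest(auth_token, secrets.DOOR_API_TOKEN):` with `import hmac` added at the top of views.py (outside this hunk), so an unset token rejects every request and the check does not leak timing. Since the header value is compared verbatim, a client sending `Authorization: Bearer <token>` or `Token <token>` will be rejected; a one-line comment such as `# The door controller sends the raw token as the Authorization header value, no scheme prefix` would save the next reader a surprise. The remainder of `list` continues outside the hunk.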