Ensure api-tokens are only authorized if Invite Registration is enabled.

farmOS · Apr 23, 2020 · 18a342a · 18a342a
1 parent 9f755b8
commit 18a342a
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/backend/app/app/api/utils/security.py b/backend/app/app/api/utils/security.py
@@ -190,11 +190,12 @@ def get_api_key_farm_access(
 
 def get_api_token_farm_access(
     security_scopes: SecurityScopes,
+    settings=Depends(get_settings),
     api_token: str = Security(api_token_header),
 ):
-    if api_token is None:
-        return None
-    else:
+    # Right now, api-tokens are only used for Invite Farm Registration (if enabled)
+    # Don't authorize requests with valid api-tokens if this setting is not enabled.
+    if settings.AGGREGATOR_INVITE_FARM_REGISTRATION and api_token is not None:
         try:
             token_data = _validate_token(api_token)
         except (PyJWTError, ValidationError) as e:
@@ -212,6 +213,8 @@ def get_api_token_farm_access(
 
         return FarmAccess(scopes=token_data.scopes, farm_id_list=token_data.farm_id, all_farms=False)
 
+    return None
+
 
 def get_farm_access(
     user_access: dict = Depends(get_current_user_farm_access),