diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index cd79f4c8..e042a6f7 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -689,7 +689,7 @@ class DocumentViewSet(
         authentication_classes=[authentication.ServerToServerAuthentication],
         detail=False,
         methods=["post"],
-        permission_classes=[],
+        permission_classes=[permissions.IsAuthenticated],
         url_path="create-for-owner",
     )
     @transaction.atomic
diff --git a/src/backend/core/authentication/__init__.py b/src/backend/core/authentication/__init__.py
index c5fa0c71..d5c6c4e3 100644
--- a/src/backend/core/authentication/__init__.py
+++ b/src/backend/core/authentication/__init__.py
@@ -6,6 +6,15 @@ from rest_framework.authentication import BaseAuthentication
 from rest_framework.exceptions import AuthenticationFailed
 
 
+class AuthenticatedServer:
+    """
+    Simple class to represent an authenticated server to be used along the
+    IsAuthenticated permission.
+    """
+
+    is_authenticated = True
+
+
 class ServerToServerAuthentication(BaseAuthentication):
     """
     Custom authentication class for server-to-server requests.
@@ -39,13 +48,16 @@ class ServerToServerAuthentication(BaseAuthentication):
         # Validate token format and existence
         auth_parts = auth_header.split(" ")
         if len(auth_parts) != 2 or auth_parts[0] != self.TOKEN_TYPE:
-            raise AuthenticationFailed("Invalid authorization header.")
+            # Do not raise here to leave the door open for other authentication methods
+            return None
 
         token = auth_parts[1]
         if token not in settings.SERVER_TO_SERVER_API_TOKENS:
-            raise AuthenticationFailed("Invalid server-to-server token.")
+            # Do not raise here to leave the door open for other authentication methods
+            return None
 
-        # Authentication is successful, but no user is authenticated
+        # Authentication is successful
+        return AuthenticatedServer(), token
 
     def authenticate_header(self, request):
         """Return the WWW-Authenticate header value."""
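Review bot: `permissions.IsAuthenticated` on the `create-for-owner` action accepts any principal whose `is_authenticated` is true, not specifically a server, so the action stays server-only only as long as `authentication_classes` remains exactly `[authentication.ServerToServerAuthentication]`. The new comments in `authentication/__init__.py` state the intent to "leave the door open for other authentication methods", and the moment a second authenticator is added to this action an ordinary logged-in user would pass the check on an endpoint that, by its name, presumably creates a document on behalf of a caller-chosen owner. A dedicated permission pins the contract independently of the authenticator list, e.g. `permission_classes=[permissions.IsAuthenticatedServer]` backed by a class whose `has_permission` returns `isinstance(request.user, AuthenticatedServer)`; I cannot see where `permissions` is imported in viewsets.py, so if it is DRF's module the new class belongs in the project's own permissions module. The `@action` decorator starts before this hunk and the decorated method body continues after it.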
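Review bot: `AuthenticatedServer` exposes only `is_authenticated`, yet code that receives `request.user` commonly also reads `is_anonymous`, `is_active` or `pk` (DRF's `UserRateThrottle` keys on `request.user.pk`, and anonymous checks use `is_anonymous`), each of which would raise `AttributeError` on this stand-in. Adding `is_anonymous = False`, `is_active = True` and `pk = None` (and a `__str__` for log lines) makes it safe wherever a user-like object is expected; I cannot see the `create-for-owner` body, so whether it touches those attributes today is something to confirm rather than a defect I can point to. The docstring's "to be used along the IsAuthenticated permission" reads better as "to be used alongside the `IsAuthenticated` permission".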
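Review bot: Returning `None` when the scheme matches but the token is unknown (the second guard) silently degrades a request that presented server-to-server credentials to an anonymous one, so a misconfigured or rotated token no longer produces an "Invalid server-to-server token" 401 but an opaque permission failure, or a success via whatever other authenticator follows. DRF's convention is that an authenticator returns `None` only when the credentials are not of its kind (the first guard, wrong scheme, is right to do so) and raises when credentials of its scheme are present but invalid; I would keep `raise AuthenticationFailed("Invalid server-to-server token.")` for the second guard and drop the duplicated comment there. While here, the untouched `token not in settings.SERVER_TO_SERVER_API_TOKENS` lookup is not constant-time; `any(hmac.compare_digest(token, t) for t in settings.SERVER_TO_SERVER_API_TOKENS)` removes the timing side channel at no readability cost. The `authenticate` method this hunk edits begins before the hunk.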