feat: do not allow user_id_only login for admins (#2904)

2025-01-23 15:01:54 +02:00 · 2025-01-23 15:01:54 +02:00 · f845bfe651
commit f845bfe651
parent b6bdf50ed7
6 changed files with 115 additions and 29 deletions
--- a/tests/api/test_admin_api.py
+++ b/tests/api/test_admin_api.py
@ -1,6 +1,6 @@
 import pytest
+from httpx import AsyncClient

-from lnbits.core.models import User
 from lnbits.settings import Settings


@ -11,19 +11,25 @@ async def test_admin_get_settings_permission_denied(client, from_user):


@pytest.mark.anyio
-async def test_admin_get_settings(client, superuser):
-    response = await client.get(f"/admin/api/v1/settings?usr={superuser.id}")
+async def test_admin_get_settings(client: AsyncClient, superuser_token: str):
+    response = await client.get(
+        "/admin/api/v1/settings",
+        headers={"Authorization": f"Bearer {superuser_token}"},
+    )
    assert response.status_code == 200
    result = response.json()
    assert "super_user" not in result


@pytest.mark.anyio
-async def test_admin_update_settings(client, superuser: User, settings: Settings):
+async def test_admin_update_settings(
+    client: AsyncClient, superuser_token: str, settings: Settings
+):
    new_site_title = "UPDATED SITETITLE"
    response = await client.put(
-        f"/admin/api/v1/settings?usr={superuser.id}",
+        "/admin/api/v1/settings",
        json={"lnbits_site_title": new_site_title},
+        headers={"Authorization": f"Bearer {superuser_token}"},
    )
    assert response.status_code == 200
    result = response.json()
@ -33,9 +39,13 @@ async def test_admin_update_settings(client, superuser: User, settings: Settings


@pytest.mark.anyio
-async def test_admin_update_noneditable_settings(client, superuser):
+async def test_admin_update_noneditable_settings(
+    client: AsyncClient,
+    superuser_token: str,
+):
    response = await client.put(
-        f"/admin/api/v1/settings?usr={superuser.id}",
+        "/admin/api/v1/settings",
        json={"super_user": "UPDATED"},
+        headers={"Authorization": f"Bearer {superuser_token}"},
    )
    assert response.status_code == 400
--- a/tests/api/test_auth.py
+++ b/tests/api/test_auth.py
@ -18,12 +18,15 @@ from lnbits.core.models import AccessTokenPayload, User
 from lnbits.core.models.misc import SimpleItem
 from lnbits.core.models.users import (
    AccessControlList,
+    Account,
    ApiTokenRequest,
    DeleteTokenRequest,
    EndpointAccess,
+    LoginUsr,
    UpdateAccessControlList,
    UserAcls,
 )
+from lnbits.core.services.users import create_user_account
 from lnbits.core.views.user_api import api_users_reset_password
 from lnbits.helpers import create_access_token
 from lnbits.settings import AuthMethods, Settings
@ -76,6 +79,54 @@ async def test_login_alan_usr(user_alan: User, http_client: AsyncClient):
    assert alan["email"] == user_alan.email


+@pytest.mark.anyio
+async def test_login_usr_not_allowed_for_admin_without_credentials(
+    http_client: AsyncClient, settings: Settings
+):
+    # Register a new user
+    account = Account(id=uuid4().hex)
+    await create_user_account(account)
+
+    # Login with user ID
+    login_data = LoginUsr(usr=account.id)
+    response = await http_client.post("/api/v1/auth/usr", json=login_data.dict())
+    http_client.cookies.clear()
+    assert response.status_code == 200, "User logs in OK."
+    access_token = response.json().get("access_token")
+    assert access_token is not None, "Expected access token after login."
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    # Simulate the user being an admin without credentials
+    settings.lnbits_admin_users = [account.id]
+
+    # Attempt to login with user ID for admin
+    response = await http_client.post("/api/v1/auth/usr", json=login_data.dict())
+
+    assert response.status_code == 401
+    assert (
+        response.json().get("detail") == "Admin users cannot login with user id only."
+    )
+
+    response = await http_client.get("/admin/api/v1/settings", headers=headers)
+    assert response.status_code == 403
+    assert (
+        response.json().get("detail") == "Admin users must have credentials configured."
+    )
+
+    # User only access should not be allowed
+    response = await http_client.get(
+        f"/admin/api/v1/settings?usr={settings.super_user}"
+    )
+    print("### response", response.text)
+    assert response.status_code == 403
+    assert (
+        response.json().get("detail") == "User id only access for admins is forbidden."
+    )
+
+    response = await http_client.get("/api/v1/status", headers=headers)
+    assert response.status_code == 200, "Admin user can access regular endpoints."
+
+
@pytest.mark.anyio
 async def test_login_usr_not_allowed(
    user_alan: User, http_client: AsyncClient, settings: Settings