protect OpenAPI interface

2d8ecb36 · Antoine Gaudron-Desjardins · d335d892 · 2d8ecb36 · 2d8ecb36 · 2d8ecb36
Commit 2d8ecb36 authored 2 years ago by Antoine Gaudron-Desjardins
--- a/backend/db/crud.py
+++ b/backend/db/crud.py
@@ -382,6 +382,7 @@ def update_user(user: schemas.User, user_info: dict, db: Session):
    if existing_user:
        existing_user.cookie = user.cookie
        existing_user.expiration_date = expiration_date
+        existing_user.admin = "admin eatfast" in user_info["roles"]
        db.delete(user)
        db.add(existing_user)
        db.commit()
@@ -390,6 +391,7 @@ def update_user(user: schemas.User, user_info: dict, db: Session):
    else:
        user.username = full_name
        user.expiration_date = expiration_date
+        user.admin = "admin eatfast" in user_info["roles"]
        db.add(user)
        db.commit()
        db.refresh(user)

--- a/backend/db/models.py
+++ b/backend/db/models.py
 """
 Models of the database for magasin app
 """
-from sqlalchemy import Column, ForeignKey, Integer, DateTime, Float, Interval, String, Text, Time
+from sqlalchemy import Boolean, Column, ForeignKey, Integer, DateTime, Float, Interval, String, Text, Time
 from sqlalchemy.orm import relationship
 from db.database import Base
@@ -82,5 +82,6 @@ class Users(Base):
    username = Column(String(50))
    cookie = Column(String(50))
    expiration_date = Column(DateTime)
+    admin = Column(Boolean)
    comments = relationship("Comments")
    comments = relationship("CollaborativeRecords")
--- a/backend/db/schemas.py
+++ b/backend/db/schemas.py
@@ -138,3 +138,4 @@ class User(BaseModel):
    username: str
    cookie: str
    expiration_date: datetime
+    admin: Optional[bool] = Field(default=False, title="Set to true to allow access to the admin interface")
--- a/backend/main.py
+++ b/backend/main.py
-from fastapi import FastAPI
+from fastapi import Cookie, Depends, FastAPI
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.responses import JSONResponse
+from fastapi.openapi.docs import get_swagger_ui_html
+from fastapi.openapi.utils import get_openapi
+from sqlalchemy.orm import Session
 from dotenv import load_dotenv
 from threading import Thread
 import os
-from db import database, models
+from db import database, models, crud
+from db.database import get_db
 from routers import *
 from video_capture import handle_cameras
-app = FastAPI(docs_url="/api/docs", openapi_url="/api/openapi.json")
+app = FastAPI(docs_url=None, redoc_url=None, openapi_url=None)
 # load environment variables
 load_dotenv()
@@ -34,6 +39,21 @@ async def on_startup():
    t.start()
+# Docs OpenAPI
+@app.get("/api/openapi.json")
+async def get_open_api_endpoint(connect_id: str = Cookie(...), db: Session = Depends(get_db)):
+    user = crud.get_user(connect_id, db)
+    if user.admin:
+        return JSONResponse(get_openapi(title="FastAPI", version=1, routes=app.routes))
+@app.get("/api/docs")
+async def get_documentation(connect_id: str = Cookie(...), db: Session = Depends(get_db)):
+    user = crud.get_user(connect_id, db)
+    if user.admin:
+        return get_swagger_ui_html(openapi_url="/openapi.json", title="docs")
 # Integration of routers
 app.include_router(infos.router)
 app.include_router(records.router)