Fix content_api.items which depends on legacy auth

SDESK-7484

Author: eos87

content_api/app/__init__.py

@@ -24,13 +24,12 @@
 from eve.io.mongo.mongo import MongoJSONEncoder
 
 from superdesk.flask import Config
+from content_api.tokens.auth import LegacyTokenAuth
 from superdesk.datalayer import SuperdeskDataLayer
 from superdesk.factory.elastic_apm import setup_apm
 from superdesk.validator import SuperdeskValidator
 from superdesk.factory.app import SuperdeskEve, set_error_handlers, get_media_storage_class
 
-from content_api.tokens.auth import SyncMockTokenAuth
-
 
 def get_app(config=None):
     """
@@ -64,7 +63,7 @@ def get_app(config=None):
     media_storage = get_media_storage_class(app_config)
 
     app = SuperdeskEve(
-        auth=SyncMockTokenAuth,
+        auth=LegacyTokenAuth,
         settings=app_config,
         data=SuperdeskDataLayer,
         media=media_storage,
@@ -82,6 +81,8 @@ def get_app(config=None):
         except AttributeError:
             pass
 
+    app.async_app.start()
+
     return app
 
 

content_api/tokens/auth.py

@@ -1,22 +1,36 @@
-from quart_babel import _
 from eve.auth import TokenAuth
 
-
 from superdesk.utc import utcnow
-from superdesk.core.types.web import Request
 from superdesk.errors import SuperdeskApiError
+from superdesk.core.types.web import AuthRule, Request
 from superdesk.core.auth.user_auth import UserAuthProtocol
+from superdesk.core.auth.rules import endpoint_intrinsic_auth_rule
 from superdesk.publish.subscriber_token import SubscriberTokenService, SubscriberToken
 
 
-# TODO-ASYNC: remove this once everything is async in `content_api`
-# This is just a mock auth to avoid the app from breaking
-class SyncMockTokenAuth(TokenAuth):
+# TODO-ASYNC: Needed to avoid the content_api items endpoint from crashing
+# as it relies on the `user` stored in the `g` object. Once items are migrated
+# we should remove this
+class LegacyTokenAuth(TokenAuth):
     def check_auth(self, token, allowed_roles, resource, method):
-        return True
+        """Try to find auth token and if valid put subscriber id into ``g.user``."""
+        from superdesk.flask import g
+
+        data = SubscriberTokenService().mongo.find_one(token)
+        if not data:
+            return False
+        now = utcnow()
+        if data.get("expiry") and data.get("expiry") < now:
+            SubscriberTokenService().mongo.delete_one({"_id": token})
+            return False
+        g.user = str(data.get("subscriber"))
+        return g.user
 
 
 class SubscriberTokenAuth(UserAuthProtocol):
+    def get_default_auth_rules(self) -> list[AuthRule]:
+        return [endpoint_intrinsic_auth_rule]
+
     def get_token_from_request(self, request: Request) -> str | None:
         """
         Extracts the token from `Authorization` header. Code taken partly
@@ -36,7 +50,7 @@ async def authenticate(self, request: Request) -> None:
         Tries to find the auth token in the request and if valid put subscriber id into ``g.user``.
         """
         token_service = SubscriberTokenService()
-        token_missing_exception = SuperdeskApiError.forbiddenError(message=_("Authorization token missing."))
+        token_missing_exception = SuperdeskApiError.forbiddenError(message="Authorization token missing.")
         token_id = self.get_token_from_request(request)
 
         if token_id is None:
@@ -57,7 +71,7 @@ async def check_token_validity(self, token: SubscriberToken) -> None:
 
         if token.expiry and token.expiry < utcnow():
             await SubscriberTokenService().delete(token)
-            raise SuperdeskApiError.forbiddenError(message=_("Authorization token expired."))
+            raise SuperdeskApiError.forbiddenError(message="Authorization token expired.")
 
     async def start_session(self, request: Request, token: SubscriberToken) -> None:  # type: ignore[override]
         """

superdesk/utils.py

@@ -361,7 +361,7 @@ def get_cors_headers(methods="*"):
 
     return [
         ("Access-Control-Allow-Origin", get_app_config("CLIENT_URL")),
-        ("Access-Control-Allow-Headers", ",".join(get_app_config("X_HEADERS"))),
+        ("Access-Control-Allow-Headers", ",".join(get_app_config("X_HEADERS") or [])),
         ("Access-Control-Allow-Credentials", "true"),
         ("Access-Control-Allow-Methods", methods),
     ]