perf: 添加 check api 避免未认证

apps/authentication/api/confirm.py

@@ -13,7 +13,7 @@ from ..serializers import ConfirmSerializer
 
 
 class ConfirmBindORUNBindOAuth(RetrieveAPIView):
-    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)
+    permission_classes = (IsValidUser, UserConfirmation.require(ConfirmType.ReLogin),)
 
     def retrieve(self, request, *args, **kwargs):
         return Response('ok')

apps/authentication/api/dingtalk.py

@@ -1,13 +1,13 @@
-from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.views import APIView
 
-from users.models import User
-from common.utils import get_logger
-from common.permissions import UserConfirmation
-from common.api import RoleUserMixin, RoleAdminMixin
-from authentication.const import ConfirmType
 from authentication import errors
+from authentication.const import ConfirmType
+from common.api import RoleUserMixin, RoleAdminMixin
+from common.permissions import UserConfirmation, IsValidUser
+from common.utils import get_logger
+from users.models import User
 
 logger = get_logger(__file__)
 
@@ -27,7 +27,7 @@ class DingTalkQRUnBindBase(APIView):
 
 
 class DingTalkQRUnBindForUserApi(RoleUserMixin, DingTalkQRUnBindBase):
-    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)
+    permission_classes = (IsValidUser, UserConfirmation.require(ConfirmType.ReLogin),)
 
 
 class DingTalkQRUnBindForAdminApi(RoleAdminMixin, DingTalkQRUnBindBase):

apps/authentication/api/feishu.py

@@ -1,13 +1,13 @@
-from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.views import APIView
 
-from users.models import User
-from common.utils import get_logger
-from common.permissions import UserConfirmation
-from common.api import RoleUserMixin, RoleAdminMixin
-from authentication.const import ConfirmType
 from authentication import errors
+from authentication.const import ConfirmType
+from common.api import RoleUserMixin, RoleAdminMixin
+from common.permissions import UserConfirmation, IsValidUser
+from common.utils import get_logger
+from users.models import User
 
 logger = get_logger(__file__)
 
@@ -27,7 +27,7 @@ class FeiShuQRUnBindBase(APIView):
 
 
 class FeiShuQRUnBindForUserApi(RoleUserMixin, FeiShuQRUnBindBase):
-    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)
+    permission_classes = (IsValidUser, UserConfirmation.require(ConfirmType.ReLogin),)
 
 
 class FeiShuQRUnBindForAdminApi(RoleAdminMixin, FeiShuQRUnBindBase):
@@ -38,7 +38,7 @@ class FeiShuEventSubscriptionCallback(APIView):
     """
     # https://open.feishu.cn/document/ukTMukTMukTM/uUTNz4SN1MjL1UzM
     """
-    permission_classes = ()
+    permission_classes = (IsValidUser,)
 
     def post(self, request: Request, *args, **kwargs):
         return Response(data=request.data)

apps/authentication/api/mfa.py

@@ -3,6 +3,7 @@
 
 from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext as _
+from rest_framework import exceptions
 from rest_framework.generics import CreateAPIView
 from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
@@ -13,6 +14,7 @@ from common.utils import get_logger
 from users.models.user import User
 from .. import errors
 from .. import serializers
+from ..errors import SessionEmptyError
 from ..mixins import AuthMixin
 
 logger = get_logger(__name__)
@@ -56,6 +58,7 @@ class MFASendCodeApi(AuthMixin, CreateAPIView):
         if not mfa_backend or not mfa_backend.challenge_required:
             error = _('Current user not support mfa type: {}').format(mfa_type)
             raise ValidationError({'error': error})
+
         try:
             mfa_backend.send_challenge()
         except Exception as e:
@@ -66,6 +69,15 @@ class MFAChallengeVerifyApi(AuthMixin, CreateAPIView):
     permission_classes = (AllowAny,)
     serializer_class = serializers.MFAChallengeSerializer
 
+    def initial(self, request, *args, **kwargs):
+        super().initial(request, *args, **kwargs)
+        try:
+            user = self.get_user_from_session()
+        except SessionEmptyError:
+            user = None
+        if not user:
+            raise exceptions.NotAuthenticated()
+
     def perform_create(self, serializer):
         user = self.get_user_from_session()
         code = serializer.validated_data.get('code')

apps/authentication/api/sso.py

@@ -1,26 +1,27 @@
-from uuid import UUID
 from urllib.parse import urlencode
+from uuid import UUID
 
-from django.contrib.auth import login
 from django.conf import settings
+from django.contrib.auth import login
 from django.http.response import HttpResponseRedirect
+from rest_framework import serializers
 from rest_framework.decorators import action
-from rest_framework.response import Response
-from rest_framework.request import Request
 from rest_framework.permissions import AllowAny
+from rest_framework.request import Request
+from rest_framework.response import Response
 
-from common.utils.timezone import utc_now
-from common.const.http import POST, GET
 from common.api import JMSGenericViewSet
-from common.serializers import EmptySerializer
+from common.const.http import POST, GET
 from common.permissions import OnlySuperUser
+from common.serializers import EmptySerializer
 from common.utils import reverse
+from common.utils.timezone import utc_now
 from users.models import User
-from ..serializers import SSOTokenSerializer
-from ..models import SSOToken
+from ..errors import SSOAuthClosed
 from ..filters import AuthKeyQueryDeclaration
 from ..mixins import AuthMixin
-from ..errors import SSOAuthClosed
+from ..models import SSOToken
+from ..serializers import SSOTokenSerializer
 
 NEXT_URL = 'next'
 AUTH_KEY = 'authkey'
@@ -67,6 +68,9 @@ class SSOViewSet(AuthMixin, JMSGenericViewSet):
         if not next_url or not next_url.startswith('/'):
             next_url = reverse('index')
 
+        if not authkey:
+            raise serializers.ValidationError("authkey is required")
+
         try:
             authkey = UUID(authkey)
             token = SSOToken.objects.get(authkey=authkey, expired=False)

apps/authentication/api/wecom.py

@@ -1,13 +1,13 @@
-from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.views import APIView
 
-from users.models import User
-from common.utils import get_logger
-from common.permissions import UserConfirmation
-from common.api import RoleUserMixin, RoleAdminMixin
-from authentication.const import ConfirmType
 from authentication import errors
+from authentication.const import ConfirmType
+from common.api import RoleUserMixin, RoleAdminMixin
+from common.permissions import UserConfirmation, IsValidUser
+from common.utils import get_logger
+from users.models import User
 
 logger = get_logger(__file__)
 
@@ -27,7 +27,7 @@ class WeComQRUnBindBase(APIView):
 
 
 class WeComQRUnBindForUserApi(RoleUserMixin, WeComQRUnBindBase):
-    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)
+    permission_classes = (IsValidUser, UserConfirmation.require(ConfirmType.ReLogin),)
 
 
 class WeComQRUnBindForAdminApi(RoleAdminMixin, WeComQRUnBindBase):