Merge pull request #1670 from dandi/restrict-allauth-endpoints-per-de…

…ployment
dandi · Jul 31, 2023 · d1c6a47 · d1c6a47
2 parents e652ab2 + e5fb801
commit d1c6a47
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 6 deletions.
diff --git a/dandiapi/settings.py b/dandiapi/settings.py
@@ -39,11 +39,14 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
             'dandiapi.zarr.apps.ZarrConfig',
         ] + configuration.INSTALLED_APPS
 
-        # Install additional apps
-        configuration.INSTALLED_APPS += [
-            'guardian',
-            'allauth.socialaccount.providers.github',
-        ]
+        # Install guardian
+        configuration.INSTALLED_APPS += ['guardian']
+
+        # Install github provider only if github oauth is enabled
+        if configuration.ENABLE_GITHUB_OAUTH:
+            configuration.INSTALLED_APPS += [
+                'allauth.socialaccount.providers.github',
+            ]
 
         # Authentication
         configuration.AUTHENTICATION_BACKENDS += ['guardian.backends.ObjectPermissionBackend']
@@ -129,6 +132,9 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
     # Automatically approve new users by default
     AUTO_APPROVE_USERS = True
 
+    # Disable github oauth by default
+    ENABLE_GITHUB_OAUTH = False
+
 
 class DevelopmentConfiguration(DandiMixin, DevelopmentBaseConfiguration):
     # This makes pydantic model schema allow URLs with localhost in them.
@@ -174,6 +180,8 @@ def mutate_configuration(configuration: type[ComposedConfiguration]):
         # We're configuring sentry by hand since we need to pass custom options (traces_sampler).
         configuration.INSTALLED_APPS.remove('composed_configuration.sentry.apps.SentryConfig')
 
+    ENABLE_GITHUB_OAUTH = True
+
     # All login attempts in production should go straight to GitHub
     LOGIN_URL = '/accounts/github/login/'
 

diff --git a/dandiapi/urls.py b/dandiapi/urls.py
@@ -100,7 +100,6 @@ def to_url(self, value):
     ),
     path('api/search/genotypes/', search_genotypes),
     path('api/search/species/', search_species),
-    path('accounts/', include('allauth.urls')),
     path('admin/', admin.site.urls),
     path('dashboard/', DashboardView.as_view(), name='dashboard-index'),
     path('dashboard/user/<str:username>/', user_approval_view, name='user-approval'),
@@ -112,6 +111,17 @@ def to_url(self, value):
     path('redoc/', schema_view.with_ui('redoc', cache_timeout=0), name='schema-redoc'),
 ]
 
+if settings.ENABLE_GITHUB_OAUTH:
+    # Include github oauth endpoints only
+    urlpatterns.append(
+        path('accounts/', include('allauth.socialaccount.providers.github.urls')),
+    )
+else:
+    # Include "account" endpoints only (i.e. endpoints needed for username/password login flow)
+    urlpatterns.append(
+        path('accounts/', include('allauth.account.urls')),
+    )
+
 if settings.DEBUG:
     import debug_toolbar