feat: disable oauth and token creation while on demo mode

This commit is contained in:
Herculino Trotta
2026-06-27 18:02:03 -03:00
parent 7f5a91c11f
commit d0e9c05283
2 changed files with 27 additions and 3 deletions
+25 -3
View File
@@ -22,10 +22,29 @@ from drf_spectacular.views import (
SpectacularSwaggerView,
)
from allauth.socialaccount.providers.openid_connect.views import login, callback
from apps.common.decorators.demo import disabled_on_demo
from apps.common.oauth_views import (
authorization_server_metadata,
dynamic_client_registration,
)
from oauth2_provider import urls as _dot_urls
def _decorate_included(patterns, decorator):
"""Apply ``decorator`` to every view callback inside an included URLconf.
django.urls does not support decorating ``include()`` directly, so we wrap
each URLPattern's callback here. The OAuth2 endpoints issue credentials, so
gate them behind the same DEMO-mode guard used elsewhere.
"""
wrapped = []
for pattern in patterns:
pattern.callback = decorator(pattern.callback)
wrapped.append(pattern)
return wrapped
_oauth_patterns = _decorate_included(_dot_urls.urlpatterns, disabled_on_demo)
urlpatterns = [
@@ -43,15 +62,18 @@ urlpatterns = [
name="swagger-ui",
),
path("auth/", include("allauth.urls")), # allauth urls
path("oauth/", include("oauth2_provider.urls", namespace="oauth2_provider")),
path(
"oauth/",
include((_oauth_patterns, _dot_urls.app_name), namespace="oauth2_provider"),
),
path(
".well-known/oauth-authorization-server",
authorization_server_metadata,
disabled_on_demo(authorization_server_metadata),
name="oauth-authorization-server-metadata",
),
path(
"oauth/register/",
dynamic_client_registration,
disabled_on_demo(dynamic_client_registration),
name="oauth-dynamic-client-registration",
),
# path("auth/oidc/<str:provider_id>/login/", login, name="openid_connect_login"),
+2
View File
@@ -139,6 +139,7 @@ def _render_api_tokens(request, *, form=None, raw_token=None):
@only_htmx
@htmx_login_required
@disabled_on_demo
@require_http_methods(["POST"])
def api_token_add(request):
form = APITokenCreateForm(request.POST)
@@ -156,6 +157,7 @@ def api_token_add(request):
@only_htmx
@htmx_login_required
@disabled_on_demo
@require_http_methods(["DELETE"])
def api_token_revoke(request, token_id):
token = get_object_or_404(APIToken, id=token_id, user=request.user)