mirror of
https://github.com/eitchtee/WYGIWYH.git
synced 2026-07-06 04:45:10 +02:00
Compare commits
101 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| fee40fd527 | |||
| f59e53f6dc | |||
| 2b379987ac | |||
| 4b8ccf426d | |||
| 4805ce9e04 | |||
| 845a8d846b | |||
| 1497500c4f | |||
| 9e9e60ccec | |||
| ca14f77f41 | |||
| 0fb37a59fa | |||
| e74d9177df | |||
| 106d721279 | |||
| d0e9c05283 | |||
| 4e16831f4d | |||
| 7f5a91c11f | |||
| 009a7038c8 | |||
| 4273c541c5 | |||
| 5c4cb16a0a | |||
| 9641e169f2 | |||
| 25ff0214ab | |||
| 0f9d333834 | |||
| ae115cca15 | |||
| bb23ac6df9 | |||
| 7db0fcf097 | |||
| 02896f21ed | |||
| 5082c17d0f | |||
| 33570296e0 | |||
| fc99491f78 | |||
| cb0d379261 | |||
| 524e390a62 | |||
| db7e22b627 | |||
| 6987b54dba | |||
| b44563b09b | |||
| e839f31104 | |||
| 2282625790 | |||
| aa8b559152 | |||
| e1862b8241 | |||
| eb6be8548c | |||
| 6ee4e21939 | |||
| bdd8aed891 | |||
| 801b2a9edd | |||
| 968499f1ab | |||
| 5b351821b1 | |||
| 7b49072848 | |||
| 0ee32724f1 | |||
| 6a19381672 | |||
| 248fec8b4c | |||
| b34c0557fa | |||
| 2af4066aab | |||
| d72ff3cdf5 | |||
| 63c69e5c6a | |||
| 78171183cc | |||
| 34a2b6bfd4 | |||
| 1dc24f855e | |||
| 1390aff07d | |||
| 8fc11b0acf | |||
| 9a30a0d3c0 | |||
| 10eecd09ff | |||
| 2cfb3fb12e | |||
| 47af8b135b | |||
| 39d0e63375 | |||
| 792154eba2 | |||
| dc76ed3156 | |||
| e627dd50be | |||
| 5527389196 | |||
| be24ca014e | |||
| 7c7056536e | |||
| 66d5d7a83b | |||
| 4d3ce087d6 | |||
| aeaf9fac43 | |||
| dcedf53b83 | |||
| 549648bd6b | |||
| 79149abdd2 | |||
| d66d1530bb | |||
| 4b9b6484d3 | |||
| a02944bdae | |||
| 3ede5304f1 | |||
| 27041695b8 | |||
| 0c927a2fe9 | |||
| c52db80c64 | |||
| 330ce8069c | |||
| 2989f11b01 | |||
| 738bb7fb74 | |||
| 79e50cd853 | |||
| 0a23c3ad5b | |||
| 43c7749102 | |||
| c1c4ccda8c | |||
| 615a689c61 | |||
| c5ccc42f99 | |||
| 2baa8b21e8 | |||
| 2e554141ba | |||
| 73ec6dc0fe | |||
| e19449ff99 | |||
| e81651119c | |||
| 55e9ef1b3f | |||
| c414179135 | |||
| 14c507de0f | |||
| 4722690fe9 | |||
| 493619a4ff | |||
| fb4aec88f1 | |||
| 4a35e770a4 |
@@ -38,3 +38,21 @@ TASK_WORKERS=1 # This only work if you're using the single container option. Inc
|
||||
#OIDC_CLIENT_SECRET=""
|
||||
#OIDC_SERVER_URL=""
|
||||
#OIDC_ALLOW_SIGNUP=true
|
||||
|
||||
# Personal access tokens. How often (seconds) a token's last_used_at is rewritten.
|
||||
#API_TOKEN_LAST_USED_UPDATE_INTERVAL=600
|
||||
|
||||
# MCP OAuth Application. Uncomment to auto-create/update the OAuth client
|
||||
# used by remote MCP integrations after migrations complete.
|
||||
#MCP_OAUTH_CLIENT_NAME="WYGIWYH MCP"
|
||||
#MCP_OAUTH_CLIENT_ID="mcp-wygiwyh"
|
||||
#MCP_OAUTH_CLIENT_SECRET="<INSERT A SAFE SECRET HERE>"
|
||||
#MCP_OAUTH_REDIRECT_URIS="http://127.0.0.1:8765/callback"
|
||||
#MCP_OAUTH_SKIP_AUTHORIZATION=false
|
||||
|
||||
# Dynamic Client Registration (RFC 7591). Disabled by default because an open
|
||||
# registration endpoint lets anyone create OAuth applications. Enable only if
|
||||
# remote MCP clients must self-register, and optionally require an initial
|
||||
# access token (sent as "Authorization: Bearer <token>" on /oauth/register/).
|
||||
#OAUTH2_DCR_ENABLED=false
|
||||
#OAUTH2_DCR_INITIAL_ACCESS_TOKEN=""
|
||||
|
||||
@@ -165,3 +165,6 @@ cython_debug/
|
||||
node_modules/
|
||||
postgres_data/
|
||||
.prod.env
|
||||
|
||||
# Private local uploads
|
||||
app/attachments/
|
||||
|
||||
Vendored
+29
@@ -0,0 +1,29 @@
|
||||
{
|
||||
"version": "0.2.0",
|
||||
"configurations": [
|
||||
{
|
||||
"name": "Docker: Dev",
|
||||
"type": "node-terminal",
|
||||
"request": "launch",
|
||||
"command": "docker compose --env-file .env -f docker-compose.dev.yml up --build",
|
||||
"cwd": "${workspaceFolder}",
|
||||
"postDebugTask": "Docker: Dev Down"
|
||||
},
|
||||
{
|
||||
"name": "Docker: Dev (no rebuild)",
|
||||
"type": "node-terminal",
|
||||
"request": "launch",
|
||||
"command": "docker compose --env-file .env -f docker-compose.dev.yml up",
|
||||
"cwd": "${workspaceFolder}",
|
||||
"postDebugTask": "Docker: Dev Down"
|
||||
},
|
||||
{
|
||||
"name": "Docker: Prod",
|
||||
"type": "node-terminal",
|
||||
"request": "launch",
|
||||
"command": "docker compose --env-file .prod.env -f docker-compose.prod.yml up --build",
|
||||
"cwd": "${workspaceFolder}",
|
||||
"postDebugTask": "Docker: Prod Down"
|
||||
}
|
||||
]
|
||||
}
|
||||
Vendored
+119
@@ -0,0 +1,119 @@
|
||||
{
|
||||
"version": "2.0.0",
|
||||
"tasks": [
|
||||
{
|
||||
"label": "Docker: Dev",
|
||||
"type": "shell",
|
||||
"command": "docker",
|
||||
"args": [
|
||||
"compose",
|
||||
"--env-file",
|
||||
".env",
|
||||
"-f",
|
||||
"docker-compose.dev.yml",
|
||||
"up",
|
||||
"--build"
|
||||
],
|
||||
"options": {
|
||||
"cwd": "${workspaceFolder}"
|
||||
},
|
||||
"group": "build",
|
||||
"problemMatcher": []
|
||||
},
|
||||
{
|
||||
"label": "Docker: Dev (no rebuild)",
|
||||
"type": "shell",
|
||||
"command": "docker",
|
||||
"args": [
|
||||
"compose",
|
||||
"--env-file",
|
||||
".env",
|
||||
"-f",
|
||||
"docker-compose.dev.yml",
|
||||
"up"
|
||||
],
|
||||
"options": {
|
||||
"cwd": "${workspaceFolder}"
|
||||
},
|
||||
"problemMatcher": []
|
||||
},
|
||||
{
|
||||
"label": "Docker: Dev Refresh Vite Deps",
|
||||
"type": "shell",
|
||||
"command": "docker compose --env-file .env -f docker-compose.dev.yml rm -sfv vite; docker compose --env-file .env -f docker-compose.dev.yml up --build",
|
||||
"options": {
|
||||
"cwd": "${workspaceFolder}"
|
||||
},
|
||||
"problemMatcher": []
|
||||
},
|
||||
{
|
||||
"label": "Docker: Dev Down",
|
||||
"type": "shell",
|
||||
"command": "docker",
|
||||
"args": [
|
||||
"compose",
|
||||
"--env-file",
|
||||
".env",
|
||||
"-f",
|
||||
"docker-compose.dev.yml",
|
||||
"down"
|
||||
],
|
||||
"options": {
|
||||
"cwd": "${workspaceFolder}"
|
||||
},
|
||||
"problemMatcher": []
|
||||
},
|
||||
{
|
||||
"label": "Docker: Prod",
|
||||
"type": "shell",
|
||||
"command": "docker",
|
||||
"args": [
|
||||
"compose",
|
||||
"--env-file",
|
||||
".prod.env",
|
||||
"-f",
|
||||
"docker-compose.prod.yml",
|
||||
"up",
|
||||
"--build"
|
||||
],
|
||||
"options": {
|
||||
"cwd": "${workspaceFolder}"
|
||||
},
|
||||
"problemMatcher": []
|
||||
},
|
||||
{
|
||||
"label": "Docker: Prod Down",
|
||||
"type": "shell",
|
||||
"command": "docker",
|
||||
"args": [
|
||||
"compose",
|
||||
"--env-file",
|
||||
".prod.env",
|
||||
"-f",
|
||||
"docker-compose.prod.yml",
|
||||
"down"
|
||||
],
|
||||
"options": {
|
||||
"cwd": "${workspaceFolder}"
|
||||
},
|
||||
"problemMatcher": []
|
||||
},
|
||||
{
|
||||
"label": "Django: Runserver localhost:8000",
|
||||
"type": "shell",
|
||||
"command": "${command:python.interpreterPath}",
|
||||
"args": [
|
||||
"manage.py",
|
||||
"runserver",
|
||||
"localhost:8000"
|
||||
],
|
||||
"options": {
|
||||
"cwd": "${workspaceFolder}/app",
|
||||
"env": {
|
||||
"PYTHONUNBUFFERED": "1"
|
||||
}
|
||||
},
|
||||
"problemMatcher": []
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -182,6 +182,49 @@ When configuring your OIDC provider, you will need to provide a callback URL (al
|
||||
|
||||
Replace `https://your.wygiwyh.domain` with the actual URL where your WYGIWYH instance is accessible. And `<OIDC_CLIENT_NAME>` with the slugfied value set in OIDC_CLIENT_NAME or the default `openid-connect` if you haven't set this variable.
|
||||
|
||||
### API Tokens for n8n and other automations
|
||||
|
||||
If you need a stable non-browser credential for automations such as `n8n`, WYGIWYH can also issue its own user-bound API tokens. This avoids Keycloak login flows and can be used directly against `/api/`.
|
||||
|
||||
Create a token from the container or application shell:
|
||||
|
||||
```bash
|
||||
python manage.py create_api_token you@example.com --name n8n
|
||||
```
|
||||
|
||||
Optional expiration:
|
||||
|
||||
```bash
|
||||
python manage.py create_api_token you@example.com --name n8n --expires-in-days 90
|
||||
```
|
||||
|
||||
The command prints the raw token **once**. Store it in your secret manager and use it like this:
|
||||
|
||||
```bash
|
||||
curl -H "Authorization: Token wygiwyh_pat_<key>.<secret>" \
|
||||
https://your.wygiwyh.domain/api/accounts/
|
||||
```
|
||||
|
||||
Recommended usage for automation is a dedicated WYGIWYH user such as `n8n@...`, so API ownership and audit trails stay separate from your interactive account.
|
||||
|
||||
### MCP OAuth Application Bootstrap
|
||||
|
||||
If you want WYGIWYH to act as the OAuth authorization server for a remote MCP server, you can let the container create or update the OAuth application automatically on startup.
|
||||
|
||||
Set these environment variables:
|
||||
|
||||
| Variable | Description |
|
||||
|---|---|
|
||||
| `MCP_OAUTH_CLIENT_NAME` | Optional display name for the OAuth client. Defaults to `WYGIWYH MCP`. |
|
||||
| `MCP_OAUTH_CLIENT_ID` | Client ID that will be created or updated in `django-oauth-toolkit`. |
|
||||
| `MCP_OAUTH_CLIENT_SECRET` | Client secret for that OAuth application. |
|
||||
| `MCP_OAUTH_REDIRECT_URIS` | Space-separated redirect URIs allowed for the MCP OAuth client. |
|
||||
| `MCP_OAUTH_SKIP_AUTHORIZATION` | Set to `true` to bypass the consent screen. Defaults to `false`. |
|
||||
|
||||
When these variables are present, startup runs `python manage.py setup_oauth` after migrations and keeps the OAuth application in sync without needing a manual Django admin step.
|
||||
|
||||
WYGIWYH also exposes OAuth Dynamic Client Registration at `/.well-known/oauth-authorization-server` via `registration_endpoint`, so MCP clients that support RFC 7591 can self-register instead of relying on a pre-created `MCP_OAUTH_CLIENT_ID` / `MCP_OAUTH_CLIENT_SECRET`. The current implementation supports `authorization_code` + PKCE clients using `none`, `client_secret_basic`, or `client_secret_post` token endpoint auth methods.
|
||||
|
||||
# How it works
|
||||
|
||||
Check out our [Wiki](https://github.com/eitchtee/WYGIWYH/wiki) for more information.
|
||||
|
||||
+39
-7
@@ -72,6 +72,7 @@ INSTALLED_APPS = [
|
||||
"rest_framework",
|
||||
"rest_framework.authtoken",
|
||||
"drf_spectacular",
|
||||
"oauth2_provider",
|
||||
"django_cotton",
|
||||
"apps.rules.apps.RulesConfig",
|
||||
"apps.calendar_view.apps.CalendarViewConfig",
|
||||
@@ -311,6 +312,7 @@ LOCALE_PATHS = [BASE_DIR / "locale"]
|
||||
|
||||
STATIC_URL = "static/"
|
||||
STATIC_ROOT = BASE_DIR / "static_files"
|
||||
ATTACHMENT_MEDIA_ROOT = BASE_DIR / "attachments"
|
||||
|
||||
STATICFILES_DIRS = [
|
||||
ROOT_DIR / "frontend" / "build",
|
||||
@@ -343,6 +345,11 @@ DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
|
||||
LOGIN_REDIRECT_URL = "/"
|
||||
LOGIN_URL = "/login/"
|
||||
LOGOUT_REDIRECT_URL = "/login/"
|
||||
# Public base URL advertised in OAuth metadata. Falls back to the first entry
|
||||
# of the existing space-separated URL env var, then to the request host.
|
||||
PUBLIC_BASE_URL = (
|
||||
os.getenv("PUBLIC_BASE_URL", "") or os.getenv("URL", "").split(" ")[0]
|
||||
).rstrip("/")
|
||||
|
||||
# Allauth settings
|
||||
AUTHENTICATION_BACKENDS = [
|
||||
@@ -381,6 +388,12 @@ SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True
|
||||
ACCOUNT_ADAPTER = "allauth.account.adapter.DefaultAccountAdapter"
|
||||
SOCIALACCOUNT_ADAPTER = "apps.users.adapters.AutoConnectSocialAccountAdapter"
|
||||
|
||||
# Personal access tokens. last_used_at is only rewritten once per interval to
|
||||
# avoid a database write on every authenticated request.
|
||||
API_TOKEN_LAST_USED_UPDATE_INTERVAL = int(
|
||||
os.getenv("API_TOKEN_LAST_USED_UPDATE_INTERVAL", "600")
|
||||
)
|
||||
|
||||
# CRISPY FORMS
|
||||
CRISPY_ALLOWED_TEMPLATE_PACKS = [
|
||||
"crispy_forms/pure_text",
|
||||
@@ -440,19 +453,38 @@ REST_FRAMEWORK = {
|
||||
"apps.api.permissions.NotInDemoMode",
|
||||
"rest_framework.permissions.DjangoModelPermissions",
|
||||
],
|
||||
'DEFAULT_FILTER_BACKENDS': [
|
||||
'django_filters.rest_framework.DjangoFilterBackend',
|
||||
'rest_framework.filters.OrderingFilter',
|
||||
"DEFAULT_FILTER_BACKENDS": [
|
||||
"django_filters.rest_framework.DjangoFilterBackend",
|
||||
"rest_framework.filters.OrderingFilter",
|
||||
],
|
||||
'DEFAULT_AUTHENTICATION_CLASSES': [
|
||||
'rest_framework.authentication.BasicAuthentication',
|
||||
'rest_framework.authentication.SessionAuthentication',
|
||||
'rest_framework.authentication.TokenAuthentication',
|
||||
"DEFAULT_AUTHENTICATION_CLASSES": [
|
||||
"oauth2_provider.contrib.rest_framework.OAuth2Authentication",
|
||||
"apps.api.authentication.APITokenAuthentication",
|
||||
"rest_framework.authentication.TokenAuthentication",
|
||||
"rest_framework.authentication.SessionAuthentication",
|
||||
"rest_framework.authentication.BasicAuthentication",
|
||||
],
|
||||
"DEFAULT_PAGINATION_CLASS": "apps.api.custom.pagination.CustomPageNumberPagination",
|
||||
"DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
|
||||
}
|
||||
|
||||
OAUTH2_PROVIDER = {
|
||||
"PKCE_REQUIRED": True,
|
||||
"ACCESS_TOKEN_EXPIRE_SECONDS": int(
|
||||
os.getenv("OAUTH2_ACCESS_TOKEN_EXPIRE_SECONDS", "3600")
|
||||
),
|
||||
"SCOPES": {
|
||||
"mcp": "Access WYGIWYH from MCP clients.",
|
||||
},
|
||||
}
|
||||
|
||||
# Dynamic Client Registration (RFC 7591). Disabled by default: an open
|
||||
# registration endpoint lets anyone create OAuth applications. Enable it only
|
||||
# when remote MCP clients must self-register, and optionally require an initial
|
||||
# access token presented as `Authorization: Bearer <token>`.
|
||||
OAUTH2_DCR_ENABLED = os.getenv("OAUTH2_DCR_ENABLED", "false").lower() == "true"
|
||||
OAUTH2_DCR_INITIAL_ACCESS_TOKEN = os.getenv("OAUTH2_DCR_INITIAL_ACCESS_TOKEN", "")
|
||||
|
||||
SPECTACULAR_SETTINGS = {
|
||||
"TITLE": "WYGIWYH API",
|
||||
"DESCRIPTION": "A no-frills expense tracker",
|
||||
|
||||
@@ -22,6 +22,29 @@ from drf_spectacular.views import (
|
||||
SpectacularSwaggerView,
|
||||
)
|
||||
from allauth.socialaccount.providers.openid_connect.views import login, callback
|
||||
from apps.common.decorators.demo import disabled_on_demo
|
||||
from apps.common.oauth_views import (
|
||||
authorization_server_metadata,
|
||||
dynamic_client_registration,
|
||||
)
|
||||
from oauth2_provider import urls as _dot_urls
|
||||
|
||||
|
||||
def _decorate_included(patterns, decorator):
|
||||
"""Apply ``decorator`` to every view callback inside an included URLconf.
|
||||
|
||||
django.urls does not support decorating ``include()`` directly, so we wrap
|
||||
each URLPattern's callback here. The OAuth2 endpoints issue credentials, so
|
||||
gate them behind the same DEMO-mode guard used elsewhere.
|
||||
"""
|
||||
wrapped = []
|
||||
for pattern in patterns:
|
||||
pattern.callback = decorator(pattern.callback)
|
||||
wrapped.append(pattern)
|
||||
return wrapped
|
||||
|
||||
|
||||
_oauth_patterns = _decorate_included(_dot_urls.urlpatterns, disabled_on_demo)
|
||||
|
||||
|
||||
urlpatterns = [
|
||||
@@ -39,6 +62,20 @@ urlpatterns = [
|
||||
name="swagger-ui",
|
||||
),
|
||||
path("auth/", include("allauth.urls")), # allauth urls
|
||||
path(
|
||||
"oauth/",
|
||||
include((_oauth_patterns, _dot_urls.app_name), namespace="oauth2_provider"),
|
||||
),
|
||||
path(
|
||||
".well-known/oauth-authorization-server",
|
||||
disabled_on_demo(authorization_server_metadata),
|
||||
name="oauth-authorization-server-metadata",
|
||||
),
|
||||
path(
|
||||
"oauth/register/",
|
||||
disabled_on_demo(dynamic_client_registration),
|
||||
name="oauth-dynamic-client-registration",
|
||||
),
|
||||
# path("auth/oidc/<str:provider_id>/login/", login, name="openid_connect_login"),
|
||||
# path(
|
||||
# "auth/oidc/<str:provider_id>/login/callback/",
|
||||
|
||||
@@ -0,0 +1,64 @@
|
||||
from datetime import timedelta
|
||||
|
||||
from django.conf import settings
|
||||
from django.utils import timezone
|
||||
from rest_framework.authentication import BaseAuthentication, get_authorization_header
|
||||
from rest_framework.exceptions import AuthenticationFailed
|
||||
|
||||
from apps.users.models import APIToken
|
||||
|
||||
|
||||
class APITokenAuthentication(BaseAuthentication):
|
||||
keyword = "Token"
|
||||
|
||||
def authenticate(self, request):
|
||||
auth = get_authorization_header(request).split()
|
||||
if not auth or auth[0].lower() != self.keyword.lower().encode():
|
||||
return None
|
||||
|
||||
if len(auth) != 2:
|
||||
raise AuthenticationFailed("Invalid API token header.")
|
||||
|
||||
try:
|
||||
raw_token = auth[1].decode("utf-8")
|
||||
except UnicodeDecodeError as exc:
|
||||
raise AuthenticationFailed("Invalid API token header.") from exc
|
||||
|
||||
# Only claim tokens carrying our prefix; otherwise return None so the
|
||||
# request falls through to other authenticators (e.g. DRF's built-in
|
||||
# TokenAuthentication, which shares the "Token" keyword).
|
||||
if not raw_token.startswith(APIToken.TOKEN_PREFIX):
|
||||
return None
|
||||
|
||||
try:
|
||||
token_key, token_secret = APIToken.parse_raw_token(raw_token)
|
||||
except ValueError as exc:
|
||||
raise AuthenticationFailed("Invalid API token.") from exc
|
||||
|
||||
token = APIToken.objects.select_related("user").filter(token_key=token_key).first()
|
||||
if token is None or not token.check_secret(token_secret):
|
||||
raise AuthenticationFailed("Invalid API token.")
|
||||
if token.revoked_at is not None:
|
||||
raise AuthenticationFailed("API token has been revoked.")
|
||||
if token.is_expired():
|
||||
raise AuthenticationFailed("API token has expired.")
|
||||
if not token.user.is_active:
|
||||
raise AuthenticationFailed("User account is disabled.")
|
||||
|
||||
self._touch_last_used(token)
|
||||
return (token.user, token)
|
||||
|
||||
@staticmethod
|
||||
def _touch_last_used(token):
|
||||
# Avoid a write on every request: only refresh once per interval.
|
||||
now = timezone.now()
|
||||
interval = settings.API_TOKEN_LAST_USED_UPDATE_INTERVAL
|
||||
if (
|
||||
token.last_used_at is None
|
||||
or (now - token.last_used_at) >= timedelta(seconds=interval)
|
||||
):
|
||||
token.last_used_at = now
|
||||
token.save(update_fields=["last_used_at"])
|
||||
|
||||
def authenticate_header(self, request):
|
||||
return self.keyword
|
||||
@@ -90,10 +90,10 @@ class AccountBalanceAPITests(TestCase):
|
||||
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
|
||||
|
||||
def test_get_balance_unauthenticated(self):
|
||||
"""Test unauthenticated request returns 403"""
|
||||
"""Test unauthenticated request returns 401"""
|
||||
unauthenticated_client = APIClient()
|
||||
response = unauthenticated_client.get(
|
||||
f"/api/accounts/{self.account.id}/balance/"
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
|
||||
|
||||
@@ -0,0 +1,109 @@
|
||||
from datetime import timedelta
|
||||
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.test import RequestFactory, TestCase, override_settings
|
||||
from django.utils import timezone
|
||||
from rest_framework.exceptions import AuthenticationFailed
|
||||
|
||||
from apps.api.authentication import APITokenAuthentication
|
||||
from apps.users.models import APIToken
|
||||
|
||||
|
||||
class APITokenAuthenticationTests(TestCase):
|
||||
def setUp(self):
|
||||
self.factory = RequestFactory()
|
||||
self.authentication = APITokenAuthentication()
|
||||
self.user = get_user_model().objects.create_user(
|
||||
email="automation@example.com",
|
||||
password="test-password",
|
||||
)
|
||||
|
||||
def test_returns_none_without_token_header(self):
|
||||
request = self.factory.get("/api/accounts/")
|
||||
self.assertIsNone(self.authentication.authenticate(request))
|
||||
|
||||
def test_authenticates_valid_api_token(self):
|
||||
token, raw_token = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
request = self.factory.get(
|
||||
"/api/accounts/",
|
||||
HTTP_AUTHORIZATION=f"Token {raw_token}",
|
||||
)
|
||||
|
||||
authenticated_user, authenticated_token = self.authentication.authenticate(request)
|
||||
|
||||
self.assertEqual(authenticated_user, self.user)
|
||||
self.assertEqual(authenticated_token.pk, token.pk)
|
||||
token.refresh_from_db()
|
||||
self.assertIsNotNone(token.last_used_at)
|
||||
|
||||
def test_rejects_expired_api_token(self):
|
||||
token, raw_token = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
token.expires_at = timezone.now() - timedelta(minutes=1)
|
||||
token.save(update_fields=["expires_at"])
|
||||
request = self.factory.get(
|
||||
"/api/accounts/",
|
||||
HTTP_AUTHORIZATION=f"Token {raw_token}",
|
||||
)
|
||||
|
||||
with self.assertRaisesRegex(AuthenticationFailed, "expired"):
|
||||
self.authentication.authenticate(request)
|
||||
|
||||
def test_rejects_revoked_api_token(self):
|
||||
token, raw_token = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
token.revoked_at = timezone.now()
|
||||
token.save(update_fields=["revoked_at"])
|
||||
request = self.factory.get(
|
||||
"/api/accounts/",
|
||||
HTTP_AUTHORIZATION=f"Token {raw_token}",
|
||||
)
|
||||
|
||||
with self.assertRaisesRegex(AuthenticationFailed, "revoked"):
|
||||
self.authentication.authenticate(request)
|
||||
|
||||
def test_stores_secret_as_sha256_not_raw(self):
|
||||
token, raw_token = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
_key, secret = APIToken.parse_raw_token(raw_token)
|
||||
|
||||
self.assertNotIn(secret, token.token_hash)
|
||||
self.assertEqual(len(token.token_hash), 64)
|
||||
self.assertTrue(token.check_secret(secret))
|
||||
|
||||
def test_falls_through_for_non_prefixed_token(self):
|
||||
request = self.factory.get(
|
||||
"/api/accounts/",
|
||||
HTTP_AUTHORIZATION="Token deadbeefdeadbeefdeadbeef",
|
||||
)
|
||||
# Not our prefix: return None so another authenticator can handle it.
|
||||
self.assertIsNone(self.authentication.authenticate(request))
|
||||
|
||||
@override_settings(API_TOKEN_LAST_USED_UPDATE_INTERVAL=600)
|
||||
def test_last_used_at_is_throttled_within_interval(self):
|
||||
token, raw_token = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
request = self.factory.get(
|
||||
"/api/accounts/",
|
||||
HTTP_AUTHORIZATION=f"Token {raw_token}",
|
||||
)
|
||||
|
||||
self.authentication.authenticate(request)
|
||||
token.refresh_from_db()
|
||||
first_used = token.last_used_at
|
||||
self.assertIsNotNone(first_used)
|
||||
|
||||
self.authentication.authenticate(request)
|
||||
token.refresh_from_db()
|
||||
self.assertEqual(token.last_used_at, first_used)
|
||||
|
||||
@override_settings(API_TOKEN_LAST_USED_UPDATE_INTERVAL=0)
|
||||
def test_last_used_at_updates_after_interval(self):
|
||||
token, raw_token = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
token.last_used_at = timezone.now() - timedelta(minutes=5)
|
||||
token.save(update_fields=["last_used_at"])
|
||||
stale = token.last_used_at
|
||||
request = self.factory.get(
|
||||
"/api/accounts/",
|
||||
HTTP_AUTHORIZATION=f"Token {raw_token}",
|
||||
)
|
||||
|
||||
self.authentication.authenticate(request)
|
||||
token.refresh_from_db()
|
||||
self.assertGreater(token.last_used_at, stale)
|
||||
@@ -0,0 +1,166 @@
|
||||
from datetime import timedelta
|
||||
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.test import TestCase, override_settings
|
||||
from django.urls import reverse
|
||||
from django.utils import timezone
|
||||
from oauth2_provider.models import get_access_token_model, get_application_model
|
||||
|
||||
from apps.users.models import APIToken
|
||||
|
||||
User = get_user_model()
|
||||
Application = get_application_model()
|
||||
AccessToken = get_access_token_model()
|
||||
|
||||
|
||||
@override_settings(DEMO=True)
|
||||
class DemoModeAPITests(TestCase):
|
||||
"""The DEMO-mode gate (apps.api.permissions.NotInDemoMode) must reject
|
||||
API access regardless of the authentication method used, including the
|
||||
PAT and OAuth2 backends introduced for MCP integrations."""
|
||||
|
||||
def setUp(self):
|
||||
self.user = User.objects.create_user(
|
||||
email="demo@example.com",
|
||||
password="test-password",
|
||||
)
|
||||
|
||||
def test_pat_cannot_access_api_in_demo_mode(self):
|
||||
_token, raw_token = APIToken.objects.create_token(
|
||||
user=self.user, name="n8n"
|
||||
)
|
||||
|
||||
response = self.client.get(
|
||||
"/api/accounts/",
|
||||
HTTP_AUTHORIZATION=f"Token {raw_token}",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_oauth_access_token_cannot_access_api_in_demo_mode(self):
|
||||
app = Application.objects.create(
|
||||
name="Test Client",
|
||||
client_type=Application.CLIENT_CONFIDENTIAL,
|
||||
authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
|
||||
redirect_uris="http://127.0.0.1:8765/callback",
|
||||
client_secret="secret",
|
||||
)
|
||||
access_token = AccessToken.objects.create(
|
||||
user=self.user,
|
||||
scope="mcp",
|
||||
expires=timezone.now() + timedelta(hours=1),
|
||||
token="demo-oauth-access-token-xyz",
|
||||
application=app,
|
||||
)
|
||||
|
||||
response = self.client.get(
|
||||
"/api/accounts/",
|
||||
HTTP_AUTHORIZATION=f"Bearer {access_token.token}",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_superuser_pat_can_access_api_in_demo_mode(self):
|
||||
admin = User.objects.create_superuser(
|
||||
email="admin@example.com",
|
||||
password="test-password",
|
||||
)
|
||||
_token, raw_token = APIToken.objects.create_token(
|
||||
user=admin, name="admin"
|
||||
)
|
||||
|
||||
response = self.client.get(
|
||||
"/api/accounts/",
|
||||
HTTP_AUTHORIZATION=f"Token {raw_token}",
|
||||
)
|
||||
|
||||
# NotInDemoMode grants superusers access in DEMO mode; the request is
|
||||
# authenticated by the PAT, so the API responds normally (never 403).
|
||||
self.assertNotEqual(response.status_code, 403)
|
||||
|
||||
|
||||
@override_settings(DEMO=True)
|
||||
class DemoModeOAuthEndpointTests(TestCase):
|
||||
"""OAuth2 issuance and discovery endpoints must be disabled in DEMO mode
|
||||
so demo tenants cannot obtain (or even discover) credentials."""
|
||||
|
||||
def setUp(self):
|
||||
self.user = User.objects.create_user(
|
||||
email="demo@example.com",
|
||||
password="test-password",
|
||||
)
|
||||
|
||||
def test_oauth_authorize_rejects_non_superuser_in_demo_mode(self):
|
||||
self.client.force_login(self.user)
|
||||
|
||||
response = self.client.get(reverse("oauth2_provider:authorize"))
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_oauth_token_rejects_non_superuser_in_demo_mode(self):
|
||||
self.client.force_login(self.user)
|
||||
|
||||
response = self.client.post(reverse("oauth2_provider:token"))
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_oauth_authorization_server_metadata_rejects_in_demo_mode(self):
|
||||
response = self.client.get(reverse("oauth-authorization-server-metadata"))
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_oauth_dynamic_client_registration_rejects_in_demo_mode(self):
|
||||
response = self.client.post(
|
||||
reverse("oauth-dynamic-client-registration"),
|
||||
data="{}",
|
||||
content_type="application/json",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
|
||||
@override_settings(DEMO=True)
|
||||
class DemoModeAPITokenViewsTests(TestCase):
|
||||
"""The PAT management UI must be disabled in DEMO mode just like the
|
||||
other mutating user views."""
|
||||
|
||||
def setUp(self):
|
||||
self.user = User.objects.create_user(
|
||||
email="demo@example.com",
|
||||
password="test-password",
|
||||
)
|
||||
self.client.force_login(self.user)
|
||||
self.htmx_headers = {"HTTP_HX_REQUEST": "true"}
|
||||
|
||||
def test_cannot_create_api_token_from_ui_in_demo_mode(self):
|
||||
response = self.client.post(
|
||||
reverse("user_api_token_add"),
|
||||
{"name": "n8n", "expires_in_days": "30"},
|
||||
**self.htmx_headers,
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
self.assertEqual(APIToken.objects.count(), 0)
|
||||
|
||||
def test_cannot_revoke_api_token_from_ui_in_demo_mode(self):
|
||||
token, _ = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
|
||||
response = self.client.delete(
|
||||
reverse("user_api_token_revoke", kwargs={"token_id": token.id}),
|
||||
**self.htmx_headers,
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
token.refresh_from_db()
|
||||
self.assertIsNone(token.revoked_at)
|
||||
|
||||
def test_cannot_delete_api_token_from_ui_in_demo_mode(self):
|
||||
token, _ = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
|
||||
response = self.client.delete(
|
||||
reverse("user_api_token_delete", kwargs={"token_id": token.id}),
|
||||
**self.htmx_headers,
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 403)
|
||||
self.assertTrue(APIToken.objects.filter(id=token.id).exists())
|
||||
@@ -159,7 +159,7 @@ column_mapping:
|
||||
self.assertIn("import_run_id", response.data)
|
||||
|
||||
def test_unauthenticated_request(self):
|
||||
"""Test unauthenticated request returns 403"""
|
||||
"""Test unauthenticated request returns 401"""
|
||||
unauthenticated_client = APIClient()
|
||||
|
||||
csv_content = b"date,description,amount\n2025-01-01,Test,100"
|
||||
@@ -173,7 +173,7 @@ column_mapping:
|
||||
format="multipart",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
|
||||
|
||||
|
||||
@override_settings(
|
||||
@@ -266,11 +266,11 @@ column_mapping:
|
||||
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
|
||||
|
||||
def test_profiles_unauthenticated(self):
|
||||
"""Test unauthenticated request returns 403"""
|
||||
"""Test unauthenticated request returns 401"""
|
||||
unauthenticated_client = APIClient()
|
||||
response = unauthenticated_client.get("/api/import/profiles/")
|
||||
|
||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
|
||||
|
||||
|
||||
@override_settings(
|
||||
@@ -397,8 +397,8 @@ column_mapping:
|
||||
self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
|
||||
|
||||
def test_runs_unauthenticated(self):
|
||||
"""Test unauthenticated request returns 403"""
|
||||
"""Test unauthenticated request returns 401"""
|
||||
unauthenticated_client = APIClient()
|
||||
response = unauthenticated_client.get("/api/import/runs/")
|
||||
|
||||
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
|
||||
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
|
||||
|
||||
@@ -0,0 +1,58 @@
|
||||
from datetime import timedelta
|
||||
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.core.management.base import BaseCommand, CommandError
|
||||
from django.utils import timezone
|
||||
|
||||
from apps.users.models import APIToken
|
||||
|
||||
|
||||
class Command(BaseCommand):
|
||||
help = "Creates a hashed API token for a WYGIWYH user and prints the raw token once."
|
||||
|
||||
def add_arguments(self, parser):
|
||||
parser.add_argument("email", help="WYGIWYH user email that will own this token.")
|
||||
parser.add_argument(
|
||||
"--name",
|
||||
default="n8n",
|
||||
help="Human-readable token name. Defaults to 'n8n'.",
|
||||
)
|
||||
parser.add_argument(
|
||||
"--expires-in-days",
|
||||
type=int,
|
||||
default=None,
|
||||
help="Optional token lifetime in whole days.",
|
||||
)
|
||||
|
||||
def handle(self, *args, **options):
|
||||
email = options["email"].strip()
|
||||
name = options["name"].strip()
|
||||
expires_in_days = options["expires_in_days"]
|
||||
|
||||
if not email:
|
||||
raise CommandError("Email is required.")
|
||||
if not name:
|
||||
raise CommandError("Token name cannot be empty.")
|
||||
if expires_in_days is not None and expires_in_days <= 0:
|
||||
raise CommandError("--expires-in-days must be greater than zero.")
|
||||
|
||||
user = get_user_model().objects.filter(email__iexact=email).first()
|
||||
if user is None:
|
||||
raise CommandError(f"No WYGIWYH user exists for '{email}'.")
|
||||
|
||||
expires_at = None
|
||||
if expires_in_days is not None:
|
||||
expires_at = timezone.now() + timedelta(days=expires_in_days)
|
||||
|
||||
token, raw_token = APIToken.objects.create_token(
|
||||
user=user,
|
||||
name=name,
|
||||
expires_at=expires_at,
|
||||
)
|
||||
|
||||
self.stdout.write(
|
||||
self.style.SUCCESS(
|
||||
f"Created API token '{token.name}' for {user.email} ({token.token_key})."
|
||||
)
|
||||
)
|
||||
self.stdout.write(raw_token)
|
||||
@@ -0,0 +1,129 @@
|
||||
import os
|
||||
|
||||
from django.contrib.auth.hashers import check_password
|
||||
from django.core.exceptions import ValidationError
|
||||
from django.core.management.base import BaseCommand, CommandError
|
||||
from oauth2_provider.models import get_application_model
|
||||
|
||||
|
||||
Application = get_application_model()
|
||||
|
||||
|
||||
def _get_env(name: str) -> str:
|
||||
return os.getenv(name, "").strip()
|
||||
|
||||
|
||||
def _get_bool_env(name: str, default: bool = False) -> bool:
|
||||
raw = _get_env(name)
|
||||
if not raw:
|
||||
return default
|
||||
return raw.lower() in {"1", "true", "yes", "on"}
|
||||
|
||||
|
||||
class Command(BaseCommand):
|
||||
help = (
|
||||
"Creates or updates the OAuth application used by MCP clients when "
|
||||
"MCP_OAUTH_CLIENT_* environment variables are configured."
|
||||
)
|
||||
|
||||
def handle(self, *args, **options):
|
||||
client_id = _get_env("MCP_OAUTH_CLIENT_ID")
|
||||
client_secret = _get_env("MCP_OAUTH_CLIENT_SECRET")
|
||||
redirect_uris = " ".join(_get_env("MCP_OAUTH_REDIRECT_URIS").split())
|
||||
name = _get_env("MCP_OAUTH_CLIENT_NAME") or "WYGIWYH MCP"
|
||||
skip_authorization = _get_bool_env("MCP_OAUTH_SKIP_AUTHORIZATION", default=False)
|
||||
|
||||
if not any([client_id, client_secret, redirect_uris]):
|
||||
self.stdout.write(
|
||||
self.style.NOTICE(
|
||||
"MCP OAuth client env vars are not set. Skipping OAuth application setup."
|
||||
)
|
||||
)
|
||||
return
|
||||
|
||||
missing = []
|
||||
if not client_id:
|
||||
missing.append("MCP_OAUTH_CLIENT_ID")
|
||||
if not client_secret:
|
||||
missing.append("MCP_OAUTH_CLIENT_SECRET")
|
||||
if not redirect_uris:
|
||||
missing.append("MCP_OAUTH_REDIRECT_URIS")
|
||||
if missing:
|
||||
raise CommandError(
|
||||
"Missing required MCP OAuth settings: " + ", ".join(missing)
|
||||
)
|
||||
|
||||
application, created = Application.objects.get_or_create(
|
||||
client_id=client_id,
|
||||
defaults={
|
||||
"name": name,
|
||||
"client_type": Application.CLIENT_CONFIDENTIAL,
|
||||
"authorization_grant_type": Application.GRANT_AUTHORIZATION_CODE,
|
||||
"redirect_uris": redirect_uris,
|
||||
"skip_authorization": skip_authorization,
|
||||
"client_secret": client_secret,
|
||||
"hash_client_secret": True,
|
||||
},
|
||||
)
|
||||
|
||||
updated_fields = []
|
||||
if application.name != name:
|
||||
application.name = name
|
||||
updated_fields.append("name")
|
||||
if application.client_type != Application.CLIENT_CONFIDENTIAL:
|
||||
application.client_type = Application.CLIENT_CONFIDENTIAL
|
||||
updated_fields.append("client_type")
|
||||
if (
|
||||
application.authorization_grant_type
|
||||
!= Application.GRANT_AUTHORIZATION_CODE
|
||||
):
|
||||
application.authorization_grant_type = Application.GRANT_AUTHORIZATION_CODE
|
||||
updated_fields.append("authorization_grant_type")
|
||||
if application.redirect_uris != redirect_uris:
|
||||
application.redirect_uris = redirect_uris
|
||||
updated_fields.append("redirect_uris")
|
||||
if application.skip_authorization != skip_authorization:
|
||||
application.skip_authorization = skip_authorization
|
||||
updated_fields.append("skip_authorization")
|
||||
if application.hash_client_secret is not True:
|
||||
application.hash_client_secret = True
|
||||
updated_fields.append("hash_client_secret")
|
||||
if not application.client_secret or not check_password(
|
||||
client_secret,
|
||||
application.client_secret,
|
||||
):
|
||||
application.client_secret = client_secret
|
||||
updated_fields.append("client_secret")
|
||||
|
||||
try:
|
||||
application.full_clean()
|
||||
except ValidationError as exc:
|
||||
errors = "; ".join(
|
||||
f"{field}: {', '.join(messages)}"
|
||||
for field, messages in exc.message_dict.items()
|
||||
)
|
||||
raise CommandError(f"Invalid MCP OAuth application settings: {errors}") from exc
|
||||
|
||||
if created:
|
||||
application.save()
|
||||
self.stdout.write(
|
||||
self.style.SUCCESS(
|
||||
f"Created MCP OAuth application '{application.client_id}'."
|
||||
)
|
||||
)
|
||||
return
|
||||
|
||||
if updated_fields:
|
||||
application.save(update_fields=updated_fields)
|
||||
self.stdout.write(
|
||||
self.style.SUCCESS(
|
||||
f"Updated MCP OAuth application '{application.client_id}'."
|
||||
)
|
||||
)
|
||||
return
|
||||
|
||||
self.stdout.write(
|
||||
self.style.SUCCESS(
|
||||
f"MCP OAuth application '{application.client_id}' is already up to date."
|
||||
)
|
||||
)
|
||||
@@ -0,0 +1,253 @@
|
||||
import hmac
|
||||
import json
|
||||
import time
|
||||
from secrets import token_urlsafe
|
||||
|
||||
from django.conf import settings
|
||||
from django.core.exceptions import ValidationError
|
||||
from django.http import JsonResponse
|
||||
from django.views.decorators.csrf import csrf_exempt
|
||||
from django.views.decorators.http import require_http_methods
|
||||
from oauth2_provider.models import get_application_model
|
||||
|
||||
|
||||
Application = get_application_model()
|
||||
|
||||
SUPPORTED_TOKEN_ENDPOINT_AUTH_METHODS = {
|
||||
"none": Application.CLIENT_PUBLIC,
|
||||
"client_secret_basic": Application.CLIENT_CONFIDENTIAL,
|
||||
"client_secret_post": Application.CLIENT_CONFIDENTIAL,
|
||||
}
|
||||
SUPPORTED_GRANT_TYPES = {"authorization_code", "refresh_token"}
|
||||
SUPPORTED_RESPONSE_TYPES = {"code"}
|
||||
|
||||
|
||||
def _base_url(request):
|
||||
return settings.PUBLIC_BASE_URL or request.build_absolute_uri("/").rstrip("/")
|
||||
|
||||
|
||||
def _json_error(error, error_description, status=400):
|
||||
response = JsonResponse(
|
||||
{"error": error, "error_description": error_description},
|
||||
status=status,
|
||||
)
|
||||
response["Cache-Control"] = "no-store"
|
||||
response["Pragma"] = "no-cache"
|
||||
return response
|
||||
|
||||
|
||||
def _set_no_store_headers(response):
|
||||
response["Cache-Control"] = "no-store"
|
||||
response["Pragma"] = "no-cache"
|
||||
return response
|
||||
|
||||
|
||||
def _parse_json_request_body(request):
|
||||
try:
|
||||
payload = json.loads(request.body.decode("utf-8"))
|
||||
except (UnicodeDecodeError, json.JSONDecodeError) as exc:
|
||||
raise ValueError("Request body must be valid JSON.") from exc
|
||||
|
||||
if not isinstance(payload, dict):
|
||||
raise ValueError("Request body must be a JSON object.")
|
||||
|
||||
return payload
|
||||
|
||||
|
||||
def _get_string_list(payload, field_name, *, required=False, default=None):
|
||||
value = payload.get(field_name, default)
|
||||
if value is None:
|
||||
if required:
|
||||
raise ValueError(f"'{field_name}' is required.")
|
||||
return None
|
||||
|
||||
if not isinstance(value, list) or not value:
|
||||
raise ValueError(f"'{field_name}' must be a non-empty array of strings.")
|
||||
|
||||
normalized = []
|
||||
for item in value:
|
||||
if not isinstance(item, str) or not item.strip():
|
||||
raise ValueError(f"'{field_name}' must contain only non-empty strings.")
|
||||
normalized.append(item.strip())
|
||||
return normalized
|
||||
|
||||
|
||||
def _get_supported_scopes():
|
||||
return set(settings.OAUTH2_PROVIDER.get("SCOPES", {}).keys())
|
||||
|
||||
|
||||
def _dcr_initial_access_token_ok(request):
|
||||
"""Validate the optional RFC 7591 initial access token, if one is configured."""
|
||||
expected = settings.OAUTH2_DCR_INITIAL_ACCESS_TOKEN
|
||||
if not expected:
|
||||
return True
|
||||
|
||||
header = request.META.get("HTTP_AUTHORIZATION", "")
|
||||
scheme, _, value = header.partition(" ")
|
||||
if scheme.lower() != "bearer" or not value:
|
||||
return False
|
||||
return hmac.compare_digest(value, expected)
|
||||
|
||||
|
||||
@require_http_methods(["GET"])
|
||||
def authorization_server_metadata(request):
|
||||
base_url = _base_url(request)
|
||||
metadata = {
|
||||
"issuer": base_url,
|
||||
"authorization_endpoint": f"{base_url}/oauth/authorize/",
|
||||
"token_endpoint": f"{base_url}/oauth/token/",
|
||||
"revocation_endpoint": f"{base_url}/oauth/revoke_token/",
|
||||
"introspection_endpoint": f"{base_url}/oauth/introspect/",
|
||||
"scopes_supported": sorted(settings.OAUTH2_PROVIDER["SCOPES"].keys()),
|
||||
"response_types_supported": ["code"],
|
||||
"grant_types_supported": ["authorization_code", "refresh_token"],
|
||||
"token_endpoint_auth_methods_supported": [
|
||||
"none",
|
||||
"client_secret_basic",
|
||||
"client_secret_post",
|
||||
],
|
||||
"code_challenge_methods_supported": ["S256"],
|
||||
}
|
||||
# Only advertise registration when DCR is actually enabled.
|
||||
if settings.OAUTH2_DCR_ENABLED:
|
||||
metadata["registration_endpoint"] = f"{base_url}/oauth/register/"
|
||||
return JsonResponse(metadata)
|
||||
|
||||
|
||||
@csrf_exempt
|
||||
@require_http_methods(["POST"])
|
||||
def dynamic_client_registration(request):
|
||||
if not settings.OAUTH2_DCR_ENABLED:
|
||||
return _json_error(
|
||||
"not_found",
|
||||
"Dynamic client registration is disabled.",
|
||||
status=404,
|
||||
)
|
||||
|
||||
if not _dcr_initial_access_token_ok(request):
|
||||
return _json_error(
|
||||
"invalid_token",
|
||||
"A valid initial access token is required to register a client.",
|
||||
status=401,
|
||||
)
|
||||
|
||||
try:
|
||||
payload = _parse_json_request_body(request)
|
||||
redirect_uris = _get_string_list(payload, "redirect_uris", required=True)
|
||||
grant_types = _get_string_list(
|
||||
payload,
|
||||
"grant_types",
|
||||
default=["authorization_code"],
|
||||
)
|
||||
response_types = _get_string_list(
|
||||
payload,
|
||||
"response_types",
|
||||
default=["code"],
|
||||
)
|
||||
except ValueError as exc:
|
||||
return _json_error("invalid_client_metadata", str(exc))
|
||||
|
||||
unsupported_grant_types = sorted(set(grant_types) - SUPPORTED_GRANT_TYPES)
|
||||
if unsupported_grant_types:
|
||||
return _json_error(
|
||||
"invalid_client_metadata",
|
||||
"Unsupported grant_types: " + ", ".join(unsupported_grant_types),
|
||||
)
|
||||
|
||||
if "authorization_code" not in grant_types:
|
||||
return _json_error(
|
||||
"invalid_client_metadata",
|
||||
"grant_types must include 'authorization_code'.",
|
||||
)
|
||||
|
||||
unsupported_response_types = sorted(set(response_types) - SUPPORTED_RESPONSE_TYPES)
|
||||
if unsupported_response_types:
|
||||
return _json_error(
|
||||
"invalid_client_metadata",
|
||||
"Unsupported response_types: "
|
||||
+ ", ".join(unsupported_response_types),
|
||||
)
|
||||
|
||||
if "code" not in response_types:
|
||||
return _json_error(
|
||||
"invalid_client_metadata",
|
||||
"response_types must include 'code'.",
|
||||
)
|
||||
|
||||
token_endpoint_auth_method = payload.get(
|
||||
"token_endpoint_auth_method",
|
||||
"client_secret_basic",
|
||||
)
|
||||
if token_endpoint_auth_method not in SUPPORTED_TOKEN_ENDPOINT_AUTH_METHODS:
|
||||
return _json_error(
|
||||
"invalid_client_metadata",
|
||||
"Unsupported token_endpoint_auth_method: "
|
||||
+ token_endpoint_auth_method,
|
||||
)
|
||||
|
||||
supported_scopes = _get_supported_scopes()
|
||||
raw_scope = payload.get("scope", "mcp")
|
||||
if not isinstance(raw_scope, str):
|
||||
return _json_error(
|
||||
"invalid_client_metadata",
|
||||
"'scope' must be a space-delimited string.",
|
||||
)
|
||||
requested_scope = raw_scope.strip() or "mcp"
|
||||
requested_scopes = set(requested_scope.split())
|
||||
unsupported_scopes = sorted(requested_scopes - supported_scopes)
|
||||
if unsupported_scopes:
|
||||
return _json_error(
|
||||
"invalid_client_metadata",
|
||||
"Unsupported scope values: " + ", ".join(unsupported_scopes),
|
||||
)
|
||||
|
||||
client_name = str(payload.get("client_name", "Dynamic MCP Client")).strip()
|
||||
if not client_name:
|
||||
client_name = "Dynamic MCP Client"
|
||||
|
||||
client_secret = None
|
||||
client_type = SUPPORTED_TOKEN_ENDPOINT_AUTH_METHODS[token_endpoint_auth_method]
|
||||
if client_type == Application.CLIENT_CONFIDENTIAL:
|
||||
client_secret = token_urlsafe(48)
|
||||
|
||||
application = Application(
|
||||
name=client_name,
|
||||
client_type=client_type,
|
||||
authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
|
||||
redirect_uris=" ".join(redirect_uris),
|
||||
skip_authorization=False,
|
||||
hash_client_secret=True,
|
||||
client_secret=client_secret or "",
|
||||
)
|
||||
|
||||
try:
|
||||
application.full_clean()
|
||||
except ValidationError as exc:
|
||||
errors = []
|
||||
for field, messages in exc.message_dict.items():
|
||||
errors.extend(f"{field}: {message}" for message in messages)
|
||||
return _json_error(
|
||||
"invalid_client_metadata",
|
||||
"; ".join(errors),
|
||||
)
|
||||
|
||||
application.save()
|
||||
|
||||
response_payload = {
|
||||
"client_id": application.client_id,
|
||||
"client_id_issued_at": int(time.time()),
|
||||
"client_name": client_name,
|
||||
"redirect_uris": redirect_uris,
|
||||
# Report what was actually provisioned, not the raw request echo. The app
|
||||
# is created with the authorization_code grant; refresh_token is implicit
|
||||
# to that grant in django-oauth-toolkit rather than a separate capability.
|
||||
"grant_types": sorted(set(grant_types) & SUPPORTED_GRANT_TYPES),
|
||||
"response_types": sorted(set(response_types) & SUPPORTED_RESPONSE_TYPES),
|
||||
"scope": " ".join(sorted(requested_scopes)),
|
||||
"token_endpoint_auth_method": token_endpoint_auth_method,
|
||||
}
|
||||
if client_secret is not None:
|
||||
response_payload["client_secret"] = client_secret
|
||||
response_payload["client_secret_expires_at"] = 0
|
||||
|
||||
return _set_no_store_headers(JsonResponse(response_payload, status=201))
|
||||
@@ -1,6 +1,47 @@
|
||||
import functools
|
||||
import inspect
|
||||
|
||||
import procrastinate
|
||||
from django.db import close_old_connections
|
||||
|
||||
|
||||
_CONNECTION_CLEANUP_WRAPPED = "_wygiwyh_connection_cleanup_wrapped"
|
||||
|
||||
|
||||
def _wrap_task_with_django_connection_cleanup(task):
|
||||
if getattr(task.func, _CONNECTION_CLEANUP_WRAPPED, False):
|
||||
return
|
||||
|
||||
func = task.func
|
||||
|
||||
if inspect.iscoroutinefunction(func):
|
||||
|
||||
@functools.wraps(func)
|
||||
async def async_wrapped(*args, **kwargs):
|
||||
close_old_connections()
|
||||
try:
|
||||
return await func(*args, **kwargs)
|
||||
finally:
|
||||
close_old_connections()
|
||||
|
||||
wrapped = async_wrapped
|
||||
else:
|
||||
|
||||
@functools.wraps(func)
|
||||
def sync_wrapped(*args, **kwargs):
|
||||
close_old_connections()
|
||||
try:
|
||||
return func(*args, **kwargs)
|
||||
finally:
|
||||
close_old_connections()
|
||||
|
||||
wrapped = sync_wrapped
|
||||
|
||||
setattr(wrapped, _CONNECTION_CLEANUP_WRAPPED, True)
|
||||
task.func = wrapped
|
||||
|
||||
|
||||
def on_app_ready(app: procrastinate.App):
|
||||
"""This function is ran upon procrastinate initialization."""
|
||||
...
|
||||
for task in set(app.tasks.values()):
|
||||
_wrap_task_with_django_connection_cleanup(task)
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
|
||||
@@ -0,0 +1,298 @@
|
||||
import os
|
||||
import json
|
||||
from io import StringIO
|
||||
from unittest.mock import patch
|
||||
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.contrib.auth.hashers import check_password
|
||||
from django.core.management import call_command
|
||||
from django.test import SimpleTestCase, TestCase, override_settings
|
||||
from django.utils import timezone
|
||||
from django.urls import reverse
|
||||
from oauth2_provider.models import get_application_model
|
||||
|
||||
from apps.users.models import APIToken
|
||||
|
||||
Application = get_application_model()
|
||||
|
||||
|
||||
@override_settings(
|
||||
PUBLIC_BASE_URL="https://wygiwyh.example.com",
|
||||
SECRET_KEY="test-secret-key",
|
||||
OAUTH2_PROVIDER={"SCOPES": {"mcp": "Access WYGIWYH from MCP clients."}},
|
||||
)
|
||||
class AuthorizationServerMetadataTests(SimpleTestCase):
|
||||
@override_settings(OAUTH2_DCR_ENABLED=True)
|
||||
def test_returns_oauth_authorization_server_metadata(self):
|
||||
response = self.client.get(reverse("oauth-authorization-server-metadata"))
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(response.json()["issuer"], "https://wygiwyh.example.com")
|
||||
self.assertEqual(
|
||||
response.json()["authorization_endpoint"],
|
||||
"https://wygiwyh.example.com/oauth/authorize/",
|
||||
)
|
||||
self.assertEqual(
|
||||
response.json()["registration_endpoint"],
|
||||
"https://wygiwyh.example.com/oauth/register/",
|
||||
)
|
||||
self.assertEqual(response.json()["scopes_supported"], ["mcp"])
|
||||
self.assertIn("none", response.json()["token_endpoint_auth_methods_supported"])
|
||||
|
||||
@override_settings(OAUTH2_DCR_ENABLED=False)
|
||||
def test_omits_registration_endpoint_when_dcr_disabled(self):
|
||||
response = self.client.get(reverse("oauth-authorization-server-metadata"))
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertNotIn("registration_endpoint", response.json())
|
||||
|
||||
|
||||
@override_settings(
|
||||
PUBLIC_BASE_URL="https://wygiwyh.example.com",
|
||||
SECRET_KEY="test-secret-key",
|
||||
OAUTH2_PROVIDER={"SCOPES": {"mcp": "Access WYGIWYH from MCP clients."}},
|
||||
OAUTH2_DCR_ENABLED=True,
|
||||
OAUTH2_DCR_INITIAL_ACCESS_TOKEN="",
|
||||
)
|
||||
class DynamicClientRegistrationTests(TestCase):
|
||||
def test_registers_public_client_for_pkce_flow(self):
|
||||
response = self.client.post(
|
||||
reverse("oauth-dynamic-client-registration"),
|
||||
data=json.dumps(
|
||||
{
|
||||
"client_name": "Copilot MCP",
|
||||
"redirect_uris": ["http://127.0.0.1:8765/callback"],
|
||||
"grant_types": ["authorization_code", "refresh_token"],
|
||||
"response_types": ["code"],
|
||||
"scope": "mcp",
|
||||
"token_endpoint_auth_method": "none",
|
||||
}
|
||||
),
|
||||
content_type="application/json",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 201)
|
||||
payload = response.json()
|
||||
self.assertEqual(payload["client_name"], "Copilot MCP")
|
||||
self.assertEqual(
|
||||
payload["redirect_uris"],
|
||||
["http://127.0.0.1:8765/callback"],
|
||||
)
|
||||
self.assertEqual(
|
||||
payload["grant_types"],
|
||||
["authorization_code", "refresh_token"],
|
||||
)
|
||||
self.assertEqual(payload["response_types"], ["code"])
|
||||
self.assertEqual(payload["scope"], "mcp")
|
||||
self.assertEqual(payload["token_endpoint_auth_method"], "none")
|
||||
self.assertNotIn("client_secret", payload)
|
||||
|
||||
application = Application.objects.get(client_id=payload["client_id"])
|
||||
self.assertEqual(application.name, "Copilot MCP")
|
||||
self.assertEqual(application.client_type, Application.CLIENT_PUBLIC)
|
||||
self.assertEqual(
|
||||
application.authorization_grant_type,
|
||||
Application.GRANT_AUTHORIZATION_CODE,
|
||||
)
|
||||
self.assertEqual(
|
||||
application.redirect_uris,
|
||||
"http://127.0.0.1:8765/callback",
|
||||
)
|
||||
|
||||
def test_registers_confidential_client_with_generated_secret(self):
|
||||
response = self.client.post(
|
||||
reverse("oauth-dynamic-client-registration"),
|
||||
data=json.dumps(
|
||||
{
|
||||
"client_name": "Confidential MCP",
|
||||
"redirect_uris": ["http://127.0.0.1:8765/callback"],
|
||||
"token_endpoint_auth_method": "client_secret_basic",
|
||||
}
|
||||
),
|
||||
content_type="application/json",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 201)
|
||||
payload = response.json()
|
||||
self.assertEqual(payload["token_endpoint_auth_method"], "client_secret_basic")
|
||||
self.assertEqual(payload["scope"], "mcp")
|
||||
self.assertEqual(payload["client_secret_expires_at"], 0)
|
||||
self.assertTrue(payload["client_secret"])
|
||||
|
||||
application = Application.objects.get(client_id=payload["client_id"])
|
||||
self.assertEqual(application.client_type, Application.CLIENT_CONFIDENTIAL)
|
||||
self.assertTrue(check_password(payload["client_secret"], application.client_secret))
|
||||
|
||||
def test_rejects_unsupported_token_auth_method(self):
|
||||
response = self.client.post(
|
||||
reverse("oauth-dynamic-client-registration"),
|
||||
data=json.dumps(
|
||||
{
|
||||
"redirect_uris": ["http://127.0.0.1:8765/callback"],
|
||||
"token_endpoint_auth_method": "private_key_jwt",
|
||||
}
|
||||
),
|
||||
content_type="application/json",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 400)
|
||||
self.assertEqual(response.json()["error"], "invalid_client_metadata")
|
||||
self.assertIn("token_endpoint_auth_method", response.json()["error_description"])
|
||||
|
||||
def test_rejects_missing_redirect_uris(self):
|
||||
response = self.client.post(
|
||||
reverse("oauth-dynamic-client-registration"),
|
||||
data=json.dumps({"client_name": "No redirect"}),
|
||||
content_type="application/json",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 400)
|
||||
self.assertEqual(response.json()["error"], "invalid_client_metadata")
|
||||
self.assertIn("redirect_uris", response.json()["error_description"])
|
||||
|
||||
@override_settings(OAUTH2_DCR_ENABLED=False)
|
||||
def test_returns_404_when_dcr_disabled(self):
|
||||
response = self.client.post(
|
||||
reverse("oauth-dynamic-client-registration"),
|
||||
data=json.dumps({"redirect_uris": ["http://127.0.0.1:8765/callback"]}),
|
||||
content_type="application/json",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 404)
|
||||
self.assertEqual(Application.objects.count(), 0)
|
||||
|
||||
|
||||
@override_settings(
|
||||
PUBLIC_BASE_URL="https://wygiwyh.example.com",
|
||||
SECRET_KEY="test-secret-key",
|
||||
OAUTH2_PROVIDER={"SCOPES": {"mcp": "Access WYGIWYH from MCP clients."}},
|
||||
OAUTH2_DCR_ENABLED=True,
|
||||
OAUTH2_DCR_INITIAL_ACCESS_TOKEN="s3cret-iat",
|
||||
)
|
||||
class DynamicClientRegistrationInitialAccessTokenTests(TestCase):
|
||||
def test_rejects_registration_without_initial_access_token(self):
|
||||
response = self.client.post(
|
||||
reverse("oauth-dynamic-client-registration"),
|
||||
data=json.dumps({"redirect_uris": ["http://127.0.0.1:8765/callback"]}),
|
||||
content_type="application/json",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 401)
|
||||
self.assertEqual(response.json()["error"], "invalid_token")
|
||||
self.assertEqual(Application.objects.count(), 0)
|
||||
|
||||
def test_allows_registration_with_initial_access_token(self):
|
||||
response = self.client.post(
|
||||
reverse("oauth-dynamic-client-registration"),
|
||||
data=json.dumps(
|
||||
{
|
||||
"redirect_uris": ["http://127.0.0.1:8765/callback"],
|
||||
"token_endpoint_auth_method": "none",
|
||||
}
|
||||
),
|
||||
content_type="application/json",
|
||||
HTTP_AUTHORIZATION="Bearer s3cret-iat",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 201)
|
||||
self.assertEqual(Application.objects.count(), 1)
|
||||
|
||||
|
||||
class SetupOAuthCommandTests(TestCase):
|
||||
@patch.dict(
|
||||
os.environ,
|
||||
{
|
||||
"MCP_OAUTH_CLIENT_ID": "mcp-wygiwyh",
|
||||
"MCP_OAUTH_CLIENT_SECRET": "super-secret",
|
||||
"MCP_OAUTH_REDIRECT_URIS": "http://127.0.0.1:8765/callback",
|
||||
},
|
||||
clear=False,
|
||||
)
|
||||
def test_creates_mcp_oauth_application(self):
|
||||
call_command("setup_oauth")
|
||||
|
||||
application = Application.objects.get(client_id="mcp-wygiwyh")
|
||||
self.assertEqual(application.name, "WYGIWYH MCP")
|
||||
self.assertEqual(application.client_type, Application.CLIENT_CONFIDENTIAL)
|
||||
self.assertEqual(
|
||||
application.authorization_grant_type,
|
||||
Application.GRANT_AUTHORIZATION_CODE,
|
||||
)
|
||||
self.assertEqual(
|
||||
application.redirect_uris,
|
||||
"http://127.0.0.1:8765/callback",
|
||||
)
|
||||
self.assertFalse(application.skip_authorization)
|
||||
self.assertTrue(check_password("super-secret", application.client_secret))
|
||||
|
||||
@patch.dict(
|
||||
os.environ,
|
||||
{
|
||||
"MCP_OAUTH_CLIENT_ID": "mcp-wygiwyh",
|
||||
"MCP_OAUTH_CLIENT_SECRET": "new-secret",
|
||||
"MCP_OAUTH_REDIRECT_URIS": "http://127.0.0.1:8765/callback http://localhost:8765/callback",
|
||||
"MCP_OAUTH_CLIENT_NAME": "WYGIWYH MCP Production",
|
||||
"MCP_OAUTH_SKIP_AUTHORIZATION": "true",
|
||||
},
|
||||
clear=False,
|
||||
)
|
||||
def test_updates_existing_mcp_oauth_application(self):
|
||||
Application.objects.create(
|
||||
client_id="mcp-wygiwyh",
|
||||
client_secret="old-secret",
|
||||
name="Old Name",
|
||||
client_type=Application.CLIENT_CONFIDENTIAL,
|
||||
authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
|
||||
redirect_uris="http://127.0.0.1:8765/callback",
|
||||
skip_authorization=False,
|
||||
)
|
||||
|
||||
call_command("setup_oauth")
|
||||
|
||||
application = Application.objects.get(client_id="mcp-wygiwyh")
|
||||
self.assertEqual(application.name, "WYGIWYH MCP Production")
|
||||
self.assertEqual(
|
||||
application.redirect_uris,
|
||||
"http://127.0.0.1:8765/callback http://localhost:8765/callback",
|
||||
)
|
||||
self.assertTrue(application.skip_authorization)
|
||||
self.assertTrue(check_password("new-secret", application.client_secret))
|
||||
|
||||
|
||||
class CreateAPITokenCommandTests(TestCase):
|
||||
def setUp(self):
|
||||
self.user = get_user_model().objects.create_user(
|
||||
email="n8n@example.com",
|
||||
password="test-password",
|
||||
)
|
||||
|
||||
def test_creates_hashed_api_token_and_prints_raw_value(self):
|
||||
stdout = StringIO()
|
||||
|
||||
call_command(
|
||||
"create_api_token",
|
||||
self.user.email,
|
||||
"--name",
|
||||
"n8n sync",
|
||||
stdout=stdout,
|
||||
)
|
||||
|
||||
token = APIToken.objects.get(user=self.user, name="n8n sync")
|
||||
lines = [line.strip() for line in stdout.getvalue().splitlines() if line.strip()]
|
||||
raw_token = lines[-1]
|
||||
|
||||
self.assertTrue(raw_token.startswith(APIToken.TOKEN_PREFIX))
|
||||
self.assertNotEqual(token.token_hash, raw_token)
|
||||
self.assertTrue(token.check_secret(APIToken.parse_raw_token(raw_token)[1]))
|
||||
|
||||
def test_supports_expiring_tokens(self):
|
||||
call_command(
|
||||
"create_api_token",
|
||||
self.user.email,
|
||||
"--expires-in-days",
|
||||
"7",
|
||||
)
|
||||
|
||||
token = APIToken.objects.get(user=self.user)
|
||||
self.assertIsNotNone(token.expires_at)
|
||||
self.assertGreater(token.expires_at, timezone.now())
|
||||
@@ -0,0 +1,89 @@
|
||||
from unittest.mock import patch
|
||||
|
||||
import procrastinate
|
||||
from django.db import connection
|
||||
from django.test import SimpleTestCase, TransactionTestCase
|
||||
from procrastinate.testing import InMemoryConnector
|
||||
|
||||
from apps.common.procrastinate import on_app_ready
|
||||
|
||||
|
||||
def make_app_with_task(func):
|
||||
app = procrastinate.App(connector=InMemoryConnector())
|
||||
task = app.task(name="sample_task")(func)
|
||||
|
||||
return app, task
|
||||
|
||||
|
||||
class ProcrastinateConnectionCleanupTests(SimpleTestCase):
|
||||
def test_app_ready_closes_old_connections_around_sync_tasks(self):
|
||||
calls = []
|
||||
|
||||
def sample_task(value):
|
||||
calls.append(("task", value))
|
||||
return value * 2
|
||||
|
||||
app, task = make_app_with_task(sample_task)
|
||||
|
||||
with patch(
|
||||
"apps.common.procrastinate.close_old_connections",
|
||||
create=True,
|
||||
side_effect=lambda: calls.append(("cleanup", None)),
|
||||
):
|
||||
on_app_ready(app)
|
||||
|
||||
result = task.func(3)
|
||||
|
||||
self.assertEqual(result, 6)
|
||||
self.assertEqual(
|
||||
calls,
|
||||
[
|
||||
("cleanup", None),
|
||||
("task", 3),
|
||||
("cleanup", None),
|
||||
],
|
||||
)
|
||||
|
||||
def test_app_ready_closes_old_connections_when_sync_task_raises(self):
|
||||
calls = []
|
||||
|
||||
def sample_task():
|
||||
calls.append(("task", None))
|
||||
raise RuntimeError("boom")
|
||||
|
||||
app, task = make_app_with_task(sample_task)
|
||||
|
||||
with patch(
|
||||
"apps.common.procrastinate.close_old_connections",
|
||||
create=True,
|
||||
side_effect=lambda: calls.append(("cleanup", None)),
|
||||
):
|
||||
on_app_ready(app)
|
||||
|
||||
with self.assertRaises(RuntimeError):
|
||||
task.func()
|
||||
|
||||
self.assertEqual(
|
||||
calls,
|
||||
[
|
||||
("cleanup", None),
|
||||
("task", None),
|
||||
("cleanup", None),
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
class ProcrastinateConnectionRecoveryTests(TransactionTestCase):
|
||||
def test_wrapped_task_recovers_from_closed_django_connection(self):
|
||||
def sample_task():
|
||||
with connection.cursor() as cursor:
|
||||
cursor.execute("SELECT 1")
|
||||
return cursor.fetchone()[0]
|
||||
|
||||
app, task = make_app_with_task(sample_task)
|
||||
on_app_ready(app)
|
||||
|
||||
connection.ensure_connection()
|
||||
connection.connection.close()
|
||||
|
||||
self.assertEqual(task.func(), 1)
|
||||
@@ -13,6 +13,7 @@ import openpyxl
|
||||
import xlrd
|
||||
import yaml
|
||||
from cachalot.api import cachalot_disabled
|
||||
from django.core.exceptions import FieldDoesNotExist
|
||||
from django.utils import timezone
|
||||
from openpyxl.utils.exceptions import InvalidFileException
|
||||
|
||||
@@ -365,7 +366,7 @@ class ImportService:
|
||||
try:
|
||||
if entities_mapping:
|
||||
if entities_mapping.type == "id":
|
||||
entity = TransactionTag.objects.filter(
|
||||
entity = TransactionEntity.objects.filter(
|
||||
id=entity_name
|
||||
).first()
|
||||
else: # name
|
||||
@@ -462,12 +463,12 @@ class ImportService:
|
||||
for field in rule.fields:
|
||||
if field in transaction_data:
|
||||
value = transaction_data[field]
|
||||
# Use __iexact only for string fields; non-string types
|
||||
# (date, Decimal, bool, int, etc.) don't support UPPER()
|
||||
if rule.match_type == "strict" or not isinstance(value, str):
|
||||
query = query.filter(**{field: value})
|
||||
else: # lax matching for strings only
|
||||
query = query.filter(**{f"{field}__iexact": value})
|
||||
query = self._apply_deduplication_filter(
|
||||
query=query,
|
||||
field=field,
|
||||
value=value,
|
||||
match_type=rule.match_type,
|
||||
)
|
||||
|
||||
# If we found any matching transaction, it's a duplicate
|
||||
if query.exists():
|
||||
@@ -475,6 +476,71 @@ class ImportService:
|
||||
|
||||
return False
|
||||
|
||||
@staticmethod
|
||||
def _is_int_like(value: Any) -> bool:
|
||||
try:
|
||||
int(value)
|
||||
except (TypeError, ValueError):
|
||||
return False
|
||||
return True
|
||||
|
||||
def _apply_deduplication_filter(
|
||||
self,
|
||||
query,
|
||||
field: str,
|
||||
value: Any,
|
||||
match_type: Literal["lax", "strict"],
|
||||
):
|
||||
if isinstance(value, list):
|
||||
return self._apply_list_deduplication_filter(
|
||||
query=query,
|
||||
field=field,
|
||||
values=value,
|
||||
match_type=match_type,
|
||||
)
|
||||
|
||||
# Use __iexact only for string fields; non-string types
|
||||
# (date, Decimal, bool, int, etc.) don't support UPPER()
|
||||
if match_type == "strict" or not isinstance(value, str):
|
||||
return query.filter(**{field: value})
|
||||
|
||||
return query.filter(**{f"{field}__iexact": value})
|
||||
|
||||
def _apply_list_deduplication_filter(
|
||||
self,
|
||||
query,
|
||||
field: str,
|
||||
values: list[Any],
|
||||
match_type: Literal["lax", "strict"],
|
||||
):
|
||||
clean_values = [v for v in values if v not in (None, "")]
|
||||
if not clean_values:
|
||||
return query
|
||||
|
||||
try:
|
||||
model_field = Transaction._meta.get_field(field)
|
||||
except FieldDoesNotExist:
|
||||
return query.filter(**{f"{field}__in": clean_values})
|
||||
|
||||
if getattr(model_field, "many_to_many", False):
|
||||
# For m2m fields (e.g., entities/tags), apply one filter per value so
|
||||
# all provided values must be present in the matched transaction.
|
||||
if all(self._is_int_like(v) for v in clean_values):
|
||||
for value in clean_values:
|
||||
query = query.filter(**{f"{field}__id": int(value)})
|
||||
else:
|
||||
for value in clean_values:
|
||||
lookup = (
|
||||
f"{field}__name"
|
||||
if match_type == "strict"
|
||||
else f"{field}__name__iexact"
|
||||
)
|
||||
query = query.filter(**{lookup: str(value).strip()})
|
||||
|
||||
return query.distinct()
|
||||
|
||||
return query.filter(**{f"{field}__in": clean_values})
|
||||
|
||||
def _coerce_type(
|
||||
self, value: str, mapping: version_1.ColumnMapping
|
||||
) -> Union[str, int, bool, Decimal, datetime, list, None]:
|
||||
|
||||
@@ -15,7 +15,7 @@ from apps.accounts.models import Account, AccountGroup
|
||||
from apps.currencies.models import Currency
|
||||
from apps.import_app.models import ImportProfile, ImportRun
|
||||
from apps.import_app.services.v1 import ImportService
|
||||
from apps.transactions.models import Transaction
|
||||
from apps.transactions.models import Transaction, TransactionEntity
|
||||
|
||||
|
||||
class DeduplicationTests(TestCase):
|
||||
@@ -273,3 +273,39 @@ deduplication:
|
||||
}
|
||||
)
|
||||
self.assertTrue(is_duplicate)
|
||||
|
||||
def test_deduplication_with_entities_list_value(self):
|
||||
"""Test that list values for m2m entities deduplicate correctly."""
|
||||
entity = TransactionEntity.objects.create(name="DB Vertrieb GmbH")
|
||||
self.existing_transaction.entities.add(entity)
|
||||
|
||||
service = self._create_import_service_with_deduplication(
|
||||
fields=["date", "amount", "entities"], match_type="strict"
|
||||
)
|
||||
|
||||
is_duplicate = service._check_duplicate_transaction(
|
||||
{
|
||||
"date": date(2024, 1, 15),
|
||||
"amount": Decimal("100.00"),
|
||||
"entities": ["DB Vertrieb GmbH"],
|
||||
}
|
||||
)
|
||||
self.assertTrue(is_duplicate)
|
||||
|
||||
def test_deduplication_with_entities_list_value_not_matching(self):
|
||||
"""Test that non-matching entity list values are not marked duplicate."""
|
||||
entity = TransactionEntity.objects.create(name="DB Vertrieb GmbH")
|
||||
self.existing_transaction.entities.add(entity)
|
||||
|
||||
service = self._create_import_service_with_deduplication(
|
||||
fields=["date", "amount", "entities"], match_type="strict"
|
||||
)
|
||||
|
||||
is_duplicate = service._check_duplicate_transaction(
|
||||
{
|
||||
"date": date(2024, 1, 15),
|
||||
"amount": Decimal("100.00"),
|
||||
"entities": ["Different Entity"],
|
||||
}
|
||||
)
|
||||
self.assertFalse(is_duplicate)
|
||||
|
||||
@@ -365,7 +365,9 @@ def check_for_transaction_rules(
|
||||
|
||||
if processed_action.set_category:
|
||||
value = simple.eval(processed_action.set_category)
|
||||
if isinstance(value, int):
|
||||
if value is None:
|
||||
transaction.category = None
|
||||
elif isinstance(value, int):
|
||||
transaction.category = TransactionCategory.objects.get(id=value)
|
||||
else:
|
||||
transaction.category = TransactionCategory.objects.get(name=value)
|
||||
@@ -458,7 +460,9 @@ def check_for_transaction_rules(
|
||||
transaction.account = account
|
||||
|
||||
elif field == TransactionRuleAction.Field.category:
|
||||
if isinstance(new_value, int):
|
||||
if new_value is None:
|
||||
transaction.category = None
|
||||
elif isinstance(new_value, int):
|
||||
category = TransactionCategory.objects.get(id=new_value)
|
||||
transaction.category = category
|
||||
elif isinstance(new_value, str):
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
|
||||
@@ -0,0 +1,82 @@
|
||||
from datetime import date
|
||||
from decimal import Decimal
|
||||
from unittest.mock import patch
|
||||
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.test import TransactionTestCase
|
||||
|
||||
from apps.accounts.models import Account
|
||||
from apps.currencies.models import Currency
|
||||
from apps.rules.models import TransactionRule, UpdateOrCreateTransactionRuleAction
|
||||
from apps.rules.tasks import check_for_transaction_rules
|
||||
from apps.transactions.models import Transaction
|
||||
|
||||
|
||||
def run_check_for_transaction_rules_without_worker_wrapper(**kwargs):
|
||||
task_func = check_for_transaction_rules.func
|
||||
task_func = getattr(task_func, "__wrapped__", task_func)
|
||||
|
||||
return task_func(**kwargs)
|
||||
|
||||
|
||||
class CheckForTransactionRulesTests(TransactionTestCase):
|
||||
def setUp(self):
|
||||
User = get_user_model()
|
||||
self.user = User.objects.create_user(
|
||||
email="rules@example.com",
|
||||
password="testpass123",
|
||||
)
|
||||
self.currency = Currency.objects.create(
|
||||
code="USD",
|
||||
name="US Dollar",
|
||||
decimal_places=2,
|
||||
)
|
||||
self.account = Account.objects.create(
|
||||
name="Main Account",
|
||||
currency=self.currency,
|
||||
owner=self.user,
|
||||
)
|
||||
|
||||
@patch("apps.rules.signals.check_for_transaction_rules.defer")
|
||||
def test_update_or_create_action_can_clear_category_from_none_expression(
|
||||
self, mock_defer
|
||||
):
|
||||
source_transaction = Transaction.objects.create(
|
||||
account=self.account,
|
||||
type=Transaction.Type.EXPENSE,
|
||||
amount=Decimal("10.00"),
|
||||
date=date(2026, 5, 4),
|
||||
reference_date=date(2026, 5, 1),
|
||||
description="Source without category",
|
||||
category=None,
|
||||
owner=self.user,
|
||||
)
|
||||
rule = TransactionRule.objects.create(
|
||||
active=True,
|
||||
on_create=False,
|
||||
on_update=True,
|
||||
name="Copy transaction",
|
||||
trigger="True",
|
||||
owner=self.user,
|
||||
)
|
||||
UpdateOrCreateTransactionRuleAction.objects.create(
|
||||
rule=rule,
|
||||
set_account="account_id",
|
||||
set_type="'EX'",
|
||||
set_date="date",
|
||||
set_reference_date="reference_date",
|
||||
set_amount="amount",
|
||||
set_description="'Generated transaction'",
|
||||
set_category="category_name",
|
||||
)
|
||||
|
||||
run_check_for_transaction_rules_without_worker_wrapper(
|
||||
instance_id=source_transaction.id,
|
||||
user_id=self.user.id,
|
||||
signal="transaction_updated",
|
||||
)
|
||||
|
||||
generated_transaction = Transaction.objects.get(
|
||||
description="Generated transaction"
|
||||
)
|
||||
self.assertIsNone(generated_transaction.category)
|
||||
@@ -14,6 +14,7 @@ from apps.common.widgets.tom_select import TomSelect
|
||||
from apps.rules.signals import transaction_created, transaction_updated
|
||||
from apps.transactions.models import (
|
||||
InstallmentPlan,
|
||||
TransactionAttachment,
|
||||
QuickTransaction,
|
||||
RecurringTransaction,
|
||||
Transaction,
|
||||
@@ -36,6 +37,22 @@ from django.db.models import Q
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
|
||||
class MultipleFileInput(forms.ClearableFileInput):
|
||||
allow_multiple_selected = True
|
||||
|
||||
|
||||
class MultipleFileField(forms.FileField):
|
||||
widget = MultipleFileInput
|
||||
|
||||
def clean(self, data, initial=None):
|
||||
single_file_clean = super().clean
|
||||
if isinstance(data, (list, tuple)):
|
||||
return [single_file_clean(file, initial) for file in data]
|
||||
if data:
|
||||
return [single_file_clean(data, initial)]
|
||||
return []
|
||||
|
||||
|
||||
class TransactionForm(forms.ModelForm):
|
||||
category = DynamicModelChoiceField(
|
||||
create_field="name",
|
||||
@@ -247,6 +264,41 @@ class TransactionForm(forms.ModelForm):
|
||||
return instance
|
||||
|
||||
|
||||
class TransactionAttachmentForm(forms.Form):
|
||||
attachments = MultipleFileField(
|
||||
required=True,
|
||||
label=_("Attachments"),
|
||||
help_text=_("Files are private and only visible to users with access to this transaction."),
|
||||
)
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
self.helper = FormHelper()
|
||||
self.helper.form_tag = False
|
||||
self.helper.form_method = "post"
|
||||
self.helper.layout = Layout(
|
||||
"attachments",
|
||||
FormActions(
|
||||
NoClassSubmit("submit", _("Upload"), css_class="btn btn-primary"),
|
||||
),
|
||||
)
|
||||
|
||||
def save(self, transaction, uploaded_by):
|
||||
created = []
|
||||
for attachment in self.cleaned_data.get("attachments") or []:
|
||||
created.append(
|
||||
TransactionAttachment.objects.create(
|
||||
transaction=transaction,
|
||||
file=attachment,
|
||||
original_name=attachment.name,
|
||||
content_type=getattr(attachment, "content_type", ""),
|
||||
size=attachment.size,
|
||||
uploaded_by=uploaded_by,
|
||||
)
|
||||
)
|
||||
return created
|
||||
|
||||
|
||||
class QuickTransactionForm(forms.ModelForm):
|
||||
category = DynamicModelChoiceField(
|
||||
create_field="name",
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
# Generated by Django 5.2.13 on 2026-06-06 02:34
|
||||
|
||||
import apps.transactions.models
|
||||
import apps.transactions.storage
|
||||
import django.db.models.deletion
|
||||
import uuid
|
||||
from django.conf import settings
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('transactions', '0048_recurringtransaction_keep_at_most'),
|
||||
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='TransactionAttachment',
|
||||
fields=[
|
||||
('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
|
||||
('file', models.FileField(storage=apps.transactions.storage.PrivateMediaStorage(), upload_to=apps.transactions.models.transaction_attachment_path, verbose_name='File')),
|
||||
('original_name', models.CharField(max_length=255, verbose_name='Original Name')),
|
||||
('content_type', models.CharField(blank=True, max_length=255, verbose_name='Content Type')),
|
||||
('size', models.PositiveBigIntegerField(default=0, verbose_name='Size')),
|
||||
('created_at', models.DateTimeField(auto_now_add=True)),
|
||||
('transaction', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='attachments', to='transactions.transaction', verbose_name='Transaction')),
|
||||
('uploaded_by', models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='transaction_attachments', to=settings.AUTH_USER_MODEL, verbose_name='Uploaded By')),
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Transaction Attachment',
|
||||
'verbose_name_plural': 'Transaction Attachments',
|
||||
'db_table': 'transaction_attachments',
|
||||
'ordering': ['-created_at', 'original_name'],
|
||||
},
|
||||
),
|
||||
]
|
||||
@@ -1,6 +1,8 @@
|
||||
import decimal
|
||||
import logging
|
||||
import uuid
|
||||
from copy import deepcopy
|
||||
from pathlib import Path
|
||||
|
||||
from apps.common.fields.month_year import MonthYearModelField
|
||||
from apps.common.functions.decimals import truncate_decimal
|
||||
@@ -13,13 +15,15 @@ from apps.common.models import (
|
||||
)
|
||||
from apps.common.templatetags.decimal import drop_trailing_zeros, localize_number
|
||||
from apps.currencies.utils.convert import convert
|
||||
from apps.transactions.storage import PrivateMediaStorage
|
||||
from apps.transactions.validators import validate_decimal_places, validate_non_negative
|
||||
from dateutil.relativedelta import relativedelta
|
||||
from django.conf import settings
|
||||
from django.core.validators import MinValueValidator
|
||||
from django.db import models, transaction
|
||||
from django.db.models import Q
|
||||
from django.dispatch import Signal
|
||||
from django.db.models.signals import post_delete
|
||||
from django.dispatch import Signal, receiver
|
||||
from django.template.defaultfilters import date
|
||||
from django.utils import timezone
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
@@ -32,6 +36,11 @@ transaction_updated = Signal()
|
||||
transaction_deleted = Signal()
|
||||
|
||||
|
||||
def transaction_attachment_path(instance, filename):
|
||||
extension = Path(filename).suffix
|
||||
return f"transaction_attachments/{instance.transaction_id}/{instance.id}{extension}"
|
||||
|
||||
|
||||
class SoftDeleteQuerySet(models.QuerySet):
|
||||
@staticmethod
|
||||
def _emit_signals(instances, created=False, old_data=None):
|
||||
@@ -526,6 +535,60 @@ class Transaction(OwnedObject):
|
||||
|
||||
return new_obj
|
||||
|
||||
class TransactionAttachment(models.Model):
|
||||
id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
|
||||
transaction = models.ForeignKey(
|
||||
Transaction,
|
||||
on_delete=models.CASCADE,
|
||||
related_name="attachments",
|
||||
verbose_name=_("Transaction"),
|
||||
)
|
||||
file = models.FileField(
|
||||
upload_to=transaction_attachment_path,
|
||||
storage=PrivateMediaStorage(),
|
||||
verbose_name=_("File"),
|
||||
)
|
||||
original_name = models.CharField(max_length=255, verbose_name=_("Original Name"))
|
||||
content_type = models.CharField(
|
||||
max_length=255, blank=True, verbose_name=_("Content Type")
|
||||
)
|
||||
size = models.PositiveBigIntegerField(default=0, verbose_name=_("Size"))
|
||||
uploaded_by = models.ForeignKey(
|
||||
settings.AUTH_USER_MODEL,
|
||||
on_delete=models.PROTECT,
|
||||
related_name="transaction_attachments",
|
||||
verbose_name=_("Uploaded By"),
|
||||
)
|
||||
created_at = models.DateTimeField(auto_now_add=True)
|
||||
|
||||
class Meta:
|
||||
verbose_name = _("Transaction Attachment")
|
||||
verbose_name_plural = _("Transaction Attachments")
|
||||
db_table = "transaction_attachments"
|
||||
ordering = ["-created_at", "original_name"]
|
||||
|
||||
def save(self, *args, **kwargs):
|
||||
if self.file:
|
||||
if not self.original_name:
|
||||
self.original_name = Path(self.file.name).name
|
||||
if not self.size:
|
||||
self.size = self.file.size
|
||||
if not self.content_type:
|
||||
self.content_type = getattr(self.file.file, "content_type", "")
|
||||
super().save(*args, **kwargs)
|
||||
|
||||
def __str__(self):
|
||||
return self.original_name
|
||||
|
||||
|
||||
@receiver(post_delete, sender=TransactionAttachment)
|
||||
def delete_transaction_attachment_file(sender, instance, **kwargs):
|
||||
if not instance.file.name:
|
||||
return
|
||||
|
||||
storage = instance.file.storage
|
||||
if storage.exists(instance.file.name):
|
||||
storage.delete(instance.file.name)
|
||||
|
||||
class InstallmentPlan(models.Model):
|
||||
class Recurrence(models.TextChoices):
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
from django.conf import settings
|
||||
from django.core.files.storage import FileSystemStorage
|
||||
|
||||
|
||||
class PrivateMediaStorage(FileSystemStorage):
|
||||
def __init__(self, *args, **kwargs):
|
||||
kwargs.setdefault("location", settings.ATTACHMENT_MEDIA_ROOT)
|
||||
kwargs.setdefault("base_url", None)
|
||||
super().__init__(*args, **kwargs)
|
||||
@@ -0,0 +1,219 @@
|
||||
import shutil
|
||||
import tempfile
|
||||
from datetime import date
|
||||
from decimal import Decimal
|
||||
from pathlib import Path
|
||||
|
||||
from apps.accounts.models import Account
|
||||
from apps.common.middleware.thread_local import delete_current_user, write_current_user
|
||||
from apps.currencies.models import Currency
|
||||
from apps.transactions.models import Transaction, TransactionAttachment
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.core.files.uploadedfile import SimpleUploadedFile
|
||||
from django.test import TestCase, override_settings
|
||||
from django.urls import reverse
|
||||
|
||||
|
||||
@override_settings(
|
||||
STORAGES={
|
||||
"default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
|
||||
"staticfiles": {
|
||||
"BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
|
||||
},
|
||||
},
|
||||
WHITENOISE_AUTOREFRESH=True,
|
||||
)
|
||||
class TransactionAttachmentTests(TestCase):
|
||||
def setUp(self):
|
||||
self.attachment_media_root = tempfile.mkdtemp()
|
||||
self.override_private_media = override_settings(
|
||||
ATTACHMENT_MEDIA_ROOT=self.attachment_media_root
|
||||
)
|
||||
self.override_private_media.enable()
|
||||
self.addCleanup(self.override_private_media.disable)
|
||||
self.addCleanup(shutil.rmtree, self.attachment_media_root, ignore_errors=True)
|
||||
|
||||
self.attachment_storage = TransactionAttachment._meta.get_field("file").storage
|
||||
self.original_storage_location = self.attachment_storage._location
|
||||
self.attachment_storage._location = self.attachment_media_root
|
||||
self.attachment_storage.__dict__.pop("base_location", None)
|
||||
self.attachment_storage.__dict__.pop("location", None)
|
||||
self.addCleanup(self.restore_attachment_storage)
|
||||
|
||||
User = get_user_model()
|
||||
self.user1 = User.objects.create_user(
|
||||
email="user1@test.com", password="testpass123"
|
||||
)
|
||||
self.user2 = User.objects.create_user(
|
||||
email="user2@test.com", password="testpass123"
|
||||
)
|
||||
|
||||
self.currency = Currency.objects.create(
|
||||
code="USD", name="US Dollar", decimal_places=2, prefix="$ "
|
||||
)
|
||||
self.user1_account = Account.all_objects.create(
|
||||
name="User1 Account", currency=self.currency, owner=self.user1
|
||||
)
|
||||
self.user2_account = Account.all_objects.create(
|
||||
name="User2 Account", currency=self.currency, owner=self.user2
|
||||
)
|
||||
self.transaction = Transaction.userless_all_objects.create(
|
||||
account=self.user1_account,
|
||||
type=Transaction.Type.EXPENSE,
|
||||
amount=Decimal("12.34"),
|
||||
is_paid=True,
|
||||
date=date(2026, 6, 5),
|
||||
description="Receipt transaction",
|
||||
owner=self.user1,
|
||||
)
|
||||
self.other_transaction = Transaction.userless_all_objects.create(
|
||||
account=self.user2_account,
|
||||
type=Transaction.Type.EXPENSE,
|
||||
amount=Decimal("56.78"),
|
||||
is_paid=True,
|
||||
date=date(2026, 6, 5),
|
||||
description="Other receipt transaction",
|
||||
owner=self.user2,
|
||||
)
|
||||
|
||||
def restore_attachment_storage(self):
|
||||
self.attachment_storage._location = self.original_storage_location
|
||||
self.attachment_storage.__dict__.pop("base_location", None)
|
||||
self.attachment_storage.__dict__.pop("location", None)
|
||||
|
||||
def test_attachment_uses_uuid_and_preserves_original_download_name(self):
|
||||
attachment = TransactionAttachment.objects.create(
|
||||
transaction=self.transaction,
|
||||
file=SimpleUploadedFile(
|
||||
"receipt June.pdf", b"receipt bytes", content_type="application/pdf"
|
||||
),
|
||||
uploaded_by=self.user1,
|
||||
)
|
||||
|
||||
self.assertEqual(attachment.original_name, "receipt June.pdf")
|
||||
self.assertNotIn("receipt June.pdf", attachment.file.name)
|
||||
|
||||
self.client.force_login(self.user1)
|
||||
response = self.client.get(
|
||||
reverse(
|
||||
"transaction_attachment_download",
|
||||
kwargs={"attachment_id": attachment.id},
|
||||
)
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(b"".join(response.streaming_content), b"receipt bytes")
|
||||
self.assertIn('filename="receipt June.pdf"', response["Content-Disposition"])
|
||||
|
||||
def test_user_without_transaction_access_cannot_download_attachment(self):
|
||||
attachment = TransactionAttachment.objects.create(
|
||||
transaction=self.other_transaction,
|
||||
file=SimpleUploadedFile("private.txt", b"private"),
|
||||
uploaded_by=self.user2,
|
||||
)
|
||||
|
||||
self.client.force_login(self.user1)
|
||||
response = self.client.get(
|
||||
reverse(
|
||||
"transaction_attachment_download",
|
||||
kwargs={"attachment_id": attachment.id},
|
||||
)
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 404)
|
||||
|
||||
def test_attachment_button_lives_in_transaction_hover_toolbar(self):
|
||||
template = Path("templates/cotton/transaction/item.html").read_text()
|
||||
before_toolbar, toolbar = template.split("{# Item actions#}", 1)
|
||||
|
||||
self.assertNotIn("transaction_attachments", before_toolbar)
|
||||
self.assertLess(
|
||||
toolbar.index("transaction_edit"),
|
||||
toolbar.index("transaction_attachments"),
|
||||
)
|
||||
self.assertLess(
|
||||
toolbar.index("transaction_attachments"),
|
||||
toolbar.index("transaction_delete"),
|
||||
)
|
||||
|
||||
def test_transaction_edit_form_does_not_include_attachment_upload(self):
|
||||
self.client.force_login(self.user1)
|
||||
|
||||
response = self.client.get(
|
||||
reverse("transaction_edit", kwargs={"transaction_id": self.transaction.id}),
|
||||
HTTP_HX_REQUEST="true",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertNotContains(response, "multipart/form-data")
|
||||
self.assertNotContains(response, 'type="file"')
|
||||
|
||||
def test_attachment_management_uploads_multiple_attachments(self):
|
||||
self.client.force_login(self.user1)
|
||||
|
||||
response = self.client.post(
|
||||
reverse(
|
||||
"transaction_attachments",
|
||||
kwargs={"transaction_id": self.transaction.id},
|
||||
),
|
||||
{
|
||||
"attachments": [
|
||||
SimpleUploadedFile("first.txt", b"first"),
|
||||
SimpleUploadedFile("second.txt", b"second"),
|
||||
],
|
||||
},
|
||||
HTTP_HX_REQUEST="true",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertContains(response, "first.txt")
|
||||
self.assertContains(response, "second.txt")
|
||||
self.assertEqual(self.transaction.attachments.count(), 2)
|
||||
|
||||
def test_attachment_delete_returns_refreshed_attachment_list(self):
|
||||
attachment = TransactionAttachment.objects.create(
|
||||
transaction=self.transaction,
|
||||
file=SimpleUploadedFile("delete-me.txt", b"delete"),
|
||||
uploaded_by=self.user1,
|
||||
)
|
||||
|
||||
self.client.force_login(self.user1)
|
||||
response = self.client.delete(
|
||||
reverse(
|
||||
"transaction_attachment_delete",
|
||||
kwargs={"attachment_id": attachment.id},
|
||||
),
|
||||
HTTP_HX_REQUEST="true",
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertNotContains(response, "delete-me.txt")
|
||||
self.assertContains(response, "No attachments yet")
|
||||
self.assertFalse(
|
||||
TransactionAttachment.objects.filter(id=attachment.id).exists()
|
||||
)
|
||||
|
||||
def test_hard_deleting_transaction_deletes_attachment_files(self):
|
||||
attachment = TransactionAttachment.objects.create(
|
||||
transaction=self.transaction,
|
||||
file=SimpleUploadedFile("hard-delete.txt", b"delete with transaction"),
|
||||
uploaded_by=self.user1,
|
||||
)
|
||||
file_path = Path(attachment.file.path)
|
||||
|
||||
self.assertTrue(file_path.exists())
|
||||
|
||||
write_current_user(self.user1)
|
||||
self.addCleanup(delete_current_user)
|
||||
|
||||
self.transaction.delete()
|
||||
|
||||
self.assertTrue(file_path.exists())
|
||||
self.assertTrue(TransactionAttachment.objects.filter(id=attachment.id).exists())
|
||||
|
||||
self.transaction.delete()
|
||||
|
||||
self.assertFalse(file_path.exists())
|
||||
self.assertFalse(
|
||||
TransactionAttachment.objects.filter(id=attachment.id).exists()
|
||||
)
|
||||
@@ -81,6 +81,26 @@ urlpatterns = [
|
||||
views.transaction_move_to_today,
|
||||
name="transaction_move_to_today",
|
||||
),
|
||||
path(
|
||||
"transaction/<int:transaction_id>/attachments/",
|
||||
views.transaction_attachments,
|
||||
name="transaction_attachments",
|
||||
),
|
||||
path(
|
||||
"transaction/<int:transaction_id>/attachments/list/",
|
||||
views.transaction_attachments_list,
|
||||
name="transaction_attachments_list",
|
||||
),
|
||||
path(
|
||||
"transaction/attachments/<uuid:attachment_id>/download/",
|
||||
views.transaction_attachment_download,
|
||||
name="transaction_attachment_download",
|
||||
),
|
||||
path(
|
||||
"transaction/attachments/<uuid:attachment_id>/delete/",
|
||||
views.transaction_attachment_delete,
|
||||
name="transaction_attachment_delete",
|
||||
),
|
||||
path(
|
||||
"transaction/<int:transaction_id>/delete/",
|
||||
views.transaction_delete,
|
||||
|
||||
@@ -1,32 +1,120 @@
|
||||
import datetime
|
||||
from copy import deepcopy
|
||||
|
||||
from dateutil.relativedelta import relativedelta
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.core.paginator import Paginator
|
||||
from django.db.models import Q, When, Case, Value, IntegerField
|
||||
from django.http import HttpResponse, JsonResponse
|
||||
from django.shortcuts import render, get_object_or_404
|
||||
from django.utils import timezone
|
||||
from django.utils.translation import gettext_lazy as _, ngettext_lazy
|
||||
from django.views.decorators.http import require_http_methods
|
||||
|
||||
from apps.common.decorators.demo import disabled_on_demo
|
||||
from apps.common.decorators.htmx import only_htmx
|
||||
from apps.rules.signals import transaction_created, transaction_updated
|
||||
from apps.transactions.filters import TransactionsFilter
|
||||
from apps.transactions.forms import (
|
||||
BulkEditTransactionForm,
|
||||
TransactionAttachmentForm,
|
||||
TransactionForm,
|
||||
TransferForm,
|
||||
BulkEditTransactionForm,
|
||||
)
|
||||
from apps.transactions.models import Transaction
|
||||
from apps.transactions.models import Transaction, TransactionAttachment
|
||||
from apps.transactions.utils.calculations import (
|
||||
calculate_currency_totals,
|
||||
calculate_account_totals,
|
||||
calculate_currency_totals,
|
||||
calculate_percentage_distribution,
|
||||
)
|
||||
from apps.transactions.utils.default_ordering import default_order
|
||||
from dateutil.relativedelta import relativedelta
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.core.paginator import Paginator
|
||||
from django.db.models import Case, IntegerField, Q, Value, When
|
||||
from django.http import FileResponse, Http404, HttpResponse, JsonResponse
|
||||
from django.shortcuts import get_object_or_404, render
|
||||
from django.utils import timezone
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
from django.utils.translation import ngettext_lazy
|
||||
from django.views.decorators.http import require_http_methods
|
||||
|
||||
|
||||
def _get_accessible_transaction_or_404(transaction_id):
|
||||
return get_object_or_404(Transaction.objects, id=transaction_id)
|
||||
|
||||
|
||||
def _get_accessible_attachment_or_404(attachment_id):
|
||||
attachment = get_object_or_404(
|
||||
TransactionAttachment.objects.select_related("transaction"),
|
||||
id=attachment_id,
|
||||
)
|
||||
if not Transaction.objects.filter(id=attachment.transaction_id).exists():
|
||||
raise Http404()
|
||||
return attachment
|
||||
|
||||
|
||||
@only_htmx
|
||||
@login_required
|
||||
@disabled_on_demo
|
||||
@require_http_methods(["GET", "POST"])
|
||||
def transaction_attachments(request, transaction_id):
|
||||
transaction = _get_accessible_transaction_or_404(transaction_id)
|
||||
|
||||
if request.method == "POST":
|
||||
form = TransactionAttachmentForm(request.POST, request.FILES)
|
||||
if form.is_valid():
|
||||
form.save(transaction=transaction, uploaded_by=request.user)
|
||||
messages.success(request, _("Attachment uploaded successfully"))
|
||||
form = TransactionAttachmentForm()
|
||||
else:
|
||||
form = TransactionAttachmentForm()
|
||||
|
||||
response = render(
|
||||
request,
|
||||
"transactions/fragments/attachments_manage.html",
|
||||
{"form": form, "transaction": transaction},
|
||||
)
|
||||
|
||||
response["HX-Trigger"] = "toasts, updated"
|
||||
|
||||
return response
|
||||
|
||||
|
||||
@only_htmx
|
||||
@login_required
|
||||
@disabled_on_demo
|
||||
@require_http_methods(["GET"])
|
||||
def transaction_attachments_list(request, transaction_id):
|
||||
transaction = _get_accessible_transaction_or_404(transaction_id)
|
||||
return render(
|
||||
request,
|
||||
"transactions/fragments/attachments.html",
|
||||
{"transaction": transaction},
|
||||
)
|
||||
|
||||
|
||||
@login_required
|
||||
@disabled_on_demo
|
||||
@require_http_methods(["GET"])
|
||||
def transaction_attachment_download(request, attachment_id):
|
||||
attachment = _get_accessible_attachment_or_404(attachment_id)
|
||||
return FileResponse(
|
||||
attachment.file.open("rb"),
|
||||
as_attachment=False,
|
||||
filename=attachment.original_name,
|
||||
content_type=attachment.content_type or "application/octet-stream",
|
||||
)
|
||||
|
||||
|
||||
@only_htmx
|
||||
@login_required
|
||||
@disabled_on_demo
|
||||
@require_http_methods(["DELETE"])
|
||||
def transaction_attachment_delete(request, attachment_id):
|
||||
attachment = _get_accessible_attachment_or_404(attachment_id)
|
||||
transaction = attachment.transaction
|
||||
attachment.file.delete(save=False)
|
||||
attachment.delete()
|
||||
messages.success(request, _("Attachment deleted successfully"))
|
||||
response = render(
|
||||
request,
|
||||
"transactions/fragments/attachments.html",
|
||||
{"transaction": transaction},
|
||||
)
|
||||
response["HX-Trigger"] = "toasts, updated"
|
||||
return response
|
||||
|
||||
|
||||
@only_htmx
|
||||
|
||||
+37
-1
@@ -4,13 +4,19 @@ from django.contrib.auth.forms import (
|
||||
UserCreationForm,
|
||||
AdminPasswordChangeForm,
|
||||
)
|
||||
from django.utils import timezone
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
from django.contrib import admin
|
||||
from django.contrib.auth.admin import GroupAdmin as BaseGroupAdmin
|
||||
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
|
||||
from django.contrib.auth.models import Group
|
||||
|
||||
from apps.users.models import User, UserSettings
|
||||
from apps.users.models import APIToken, User, UserSettings
|
||||
|
||||
|
||||
@admin.action(description=_("Revoke selected API tokens"))
|
||||
def revoke_api_tokens(modeladmin, request, queryset):
|
||||
queryset.update(revoked_at=timezone.now())
|
||||
|
||||
admin.site.unregister(Group)
|
||||
|
||||
@@ -77,3 +83,33 @@ class GroupAdmin(BaseGroupAdmin, ModelAdmin):
|
||||
|
||||
|
||||
admin.site.register(UserSettings)
|
||||
|
||||
|
||||
@admin.register(APIToken)
|
||||
class APITokenAdmin(admin.ModelAdmin):
|
||||
actions = [revoke_api_tokens]
|
||||
list_display = (
|
||||
"name",
|
||||
"user",
|
||||
"token_key",
|
||||
"created_at",
|
||||
"last_used_at",
|
||||
"expires_at",
|
||||
"revoked_at",
|
||||
)
|
||||
search_fields = ("name", "user__email", "token_key")
|
||||
# Never expose the secret hash in the form; it must not be editable.
|
||||
exclude = ("token_hash",)
|
||||
readonly_fields = (
|
||||
"user",
|
||||
"name",
|
||||
"token_key",
|
||||
"created_at",
|
||||
"updated_at",
|
||||
"last_used_at",
|
||||
"expires_at",
|
||||
"revoked_at",
|
||||
)
|
||||
|
||||
def has_add_permission(self, request):
|
||||
return False
|
||||
|
||||
@@ -1,4 +1,7 @@
|
||||
from datetime import timedelta
|
||||
|
||||
from apps.common.middleware.thread_local import get_current_user
|
||||
from apps.users.models import APIToken
|
||||
from apps.common.widgets.crispy.submit import NoClassSubmit
|
||||
from apps.common.widgets.tom_select import TomSelect
|
||||
from apps.users.models import UserSettings
|
||||
@@ -16,6 +19,7 @@ from django.contrib.auth.forms import (
|
||||
UsernameField,
|
||||
)
|
||||
from django.db import transaction
|
||||
from django.utils import timezone
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
|
||||
@@ -427,3 +431,49 @@ class UserAddForm(UserCreationForm):
|
||||
if commit:
|
||||
user.save()
|
||||
return user
|
||||
|
||||
|
||||
class APITokenCreateForm(forms.Form):
|
||||
name = forms.CharField(
|
||||
max_length=255,
|
||||
label=_("Token name"),
|
||||
help_text=_(
|
||||
"Use a descriptive name such as n8n, Home Assistant, or backup job."
|
||||
),
|
||||
)
|
||||
expires_in_days = forms.IntegerField(
|
||||
required=False,
|
||||
min_value=1,
|
||||
label=_("Expires in days"),
|
||||
help_text=_("Leave empty for a non-expiring token."),
|
||||
)
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
|
||||
self.helper = FormHelper()
|
||||
self.helper.form_tag = False
|
||||
self.helper.form_method = "post"
|
||||
self.helper.layout = Layout(
|
||||
"name",
|
||||
"expires_in_days",
|
||||
FormActions(
|
||||
NoClassSubmit(
|
||||
"submit",
|
||||
_("Create token"),
|
||||
css_class="btn btn-primary",
|
||||
),
|
||||
),
|
||||
)
|
||||
|
||||
def save(self, user):
|
||||
expires_in_days = self.cleaned_data.get("expires_in_days")
|
||||
expires_at = None
|
||||
if expires_in_days:
|
||||
expires_at = timezone.now() + timedelta(days=expires_in_days)
|
||||
|
||||
return APIToken.objects.create_token(
|
||||
user=user,
|
||||
name=self.cleaned_data["name"],
|
||||
expires_at=expires_at,
|
||||
)
|
||||
|
||||
@@ -0,0 +1,36 @@
|
||||
# Generated by Django 5.2.15 on 2026-06-24 09:21
|
||||
|
||||
import django.db.models.deletion
|
||||
from django.conf import settings
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('users', '0025_alter_usersettings_default_account'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='APIToken',
|
||||
fields=[
|
||||
('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
|
||||
('name', models.CharField(max_length=255, verbose_name='Name')),
|
||||
('token_key', models.CharField(db_index=True, max_length=16, unique=True, verbose_name='Token key')),
|
||||
('token_hash', models.CharField(max_length=255, verbose_name='Token hash')),
|
||||
('last_used_at', models.DateTimeField(blank=True, null=True, verbose_name='Last used at')),
|
||||
('expires_at', models.DateTimeField(blank=True, null=True, verbose_name='Expires at')),
|
||||
('revoked_at', models.DateTimeField(blank=True, null=True, verbose_name='Revoked at')),
|
||||
('created_at', models.DateTimeField(auto_now_add=True, verbose_name='Created at')),
|
||||
('updated_at', models.DateTimeField(auto_now=True, verbose_name='Updated at')),
|
||||
('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='api_tokens', to=settings.AUTH_USER_MODEL, verbose_name='User')),
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'API token',
|
||||
'verbose_name_plural': 'API tokens',
|
||||
'ordering': ['-created_at'],
|
||||
'indexes': [models.Index(fields=['user', 'revoked_at'], name='users_apito_user_id_73edec_idx'), models.Index(fields=['expires_at'], name='users_apito_expires_2b737c_idx')],
|
||||
},
|
||||
),
|
||||
]
|
||||
File diff suppressed because one or more lines are too long
+119
-2
@@ -1,9 +1,14 @@
|
||||
import hashlib
|
||||
import hmac
|
||||
import secrets
|
||||
|
||||
import pytz
|
||||
from django.conf import settings
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.contrib.auth.models import AbstractUser, Group
|
||||
from django.core.validators import MaxValueValidator, MinValueValidator
|
||||
from django.db import models
|
||||
from django.db import IntegrityError, models, transaction
|
||||
from django.utils import timezone
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from apps.users.managers import UserManager
|
||||
@@ -410,7 +415,7 @@ timezones = [
|
||||
("Pacific/Galapagos", "Pacific/Galapagos"),
|
||||
("Pacific/Gambier", "Pacific/Gambier"),
|
||||
("Pacific/Guadalcanal", "Pacific/Guadalcanal"),
|
||||
("P2025-06-29T01:43:14.671389745Z acific/Guam", "Pacific/Guam"),
|
||||
("Pacific/Guam", "Pacific/Guam"),
|
||||
("Pacific/Honolulu", "Pacific/Honolulu"),
|
||||
("Pacific/Kanton", "Pacific/Kanton"),
|
||||
("Pacific/Kiritimati", "Pacific/Kiritimati"),
|
||||
@@ -524,3 +529,115 @@ class UserSettings(models.Model):
|
||||
|
||||
def clean(self):
|
||||
super().clean()
|
||||
|
||||
|
||||
class APITokenManager(models.Manager):
|
||||
def create_token(self, *, user, name: str, expires_at=None):
|
||||
token_secret = secrets.token_urlsafe(32)
|
||||
token_hash = self.model.hash_secret(token_secret)
|
||||
|
||||
# token_key is unique; the pre-check in generate_token_key still leaves a
|
||||
# tiny race window under concurrency, so retry on the unique-constraint
|
||||
# violation with a fresh key instead of failing the request.
|
||||
last_error = None
|
||||
for _ in range(5):
|
||||
token = self.model(
|
||||
user=user,
|
||||
name=name,
|
||||
token_key=self.model.generate_token_key(),
|
||||
token_hash=token_hash,
|
||||
expires_at=expires_at,
|
||||
)
|
||||
token.full_clean()
|
||||
try:
|
||||
with transaction.atomic():
|
||||
token.save()
|
||||
except IntegrityError as exc:
|
||||
last_error = exc
|
||||
continue
|
||||
return token, token.build_raw_token(token_secret)
|
||||
|
||||
raise last_error
|
||||
|
||||
|
||||
class APIToken(models.Model):
|
||||
TOKEN_PREFIX = "wygiwyh_pat_"
|
||||
|
||||
user = models.ForeignKey(
|
||||
settings.AUTH_USER_MODEL,
|
||||
on_delete=models.CASCADE,
|
||||
related_name="api_tokens",
|
||||
verbose_name=_("User"),
|
||||
)
|
||||
name = models.CharField(max_length=255, verbose_name=_("Name"))
|
||||
token_key = models.CharField(
|
||||
max_length=16,
|
||||
unique=True,
|
||||
db_index=True,
|
||||
verbose_name=_("Token key"),
|
||||
)
|
||||
token_hash = models.CharField(max_length=255, verbose_name=_("Token hash"))
|
||||
last_used_at = models.DateTimeField(
|
||||
null=True,
|
||||
blank=True,
|
||||
verbose_name=_("Last used at"),
|
||||
)
|
||||
expires_at = models.DateTimeField(
|
||||
null=True,
|
||||
blank=True,
|
||||
verbose_name=_("Expires at"),
|
||||
)
|
||||
revoked_at = models.DateTimeField(
|
||||
null=True,
|
||||
blank=True,
|
||||
verbose_name=_("Revoked at"),
|
||||
)
|
||||
created_at = models.DateTimeField(auto_now_add=True, verbose_name=_("Created at"))
|
||||
updated_at = models.DateTimeField(auto_now=True, verbose_name=_("Updated at"))
|
||||
|
||||
objects = APITokenManager()
|
||||
|
||||
class Meta:
|
||||
indexes = [
|
||||
models.Index(fields=["user", "revoked_at"]),
|
||||
models.Index(fields=["expires_at"]),
|
||||
]
|
||||
ordering = ["-created_at"]
|
||||
verbose_name = _("API token")
|
||||
verbose_name_plural = _("API tokens")
|
||||
|
||||
def __str__(self):
|
||||
return f"{self.user} / {self.name}"
|
||||
|
||||
@classmethod
|
||||
def generate_token_key(cls) -> str:
|
||||
while True:
|
||||
candidate = secrets.token_hex(8)
|
||||
if not cls.objects.filter(token_key=candidate).exists():
|
||||
return candidate
|
||||
|
||||
@classmethod
|
||||
def parse_raw_token(cls, raw_token: str):
|
||||
if not raw_token.startswith(cls.TOKEN_PREFIX):
|
||||
raise ValueError("Token is missing the expected prefix.")
|
||||
|
||||
payload = raw_token.removeprefix(cls.TOKEN_PREFIX)
|
||||
token_key, separator, token_secret = payload.partition(".")
|
||||
if not separator or not token_key or not token_secret:
|
||||
raise ValueError("Token is malformed.")
|
||||
return token_key, token_secret
|
||||
|
||||
def build_raw_token(self, token_secret: str) -> str:
|
||||
return f"{self.TOKEN_PREFIX}{self.token_key}.{token_secret}"
|
||||
|
||||
@staticmethod
|
||||
def hash_secret(token_secret: str) -> str:
|
||||
# The secret is a 256-bit random value (secrets.token_urlsafe(32)), so a
|
||||
# single SHA-256 is sufficient and avoids a slow KDF on every request.
|
||||
return hashlib.sha256(token_secret.encode("utf-8")).hexdigest()
|
||||
|
||||
def check_secret(self, raw_secret: str) -> bool:
|
||||
return hmac.compare_digest(self.token_hash, self.hash_secret(raw_secret))
|
||||
|
||||
def is_expired(self) -> bool:
|
||||
return self.expires_at is not None and self.expires_at <= timezone.now()
|
||||
|
||||
@@ -0,0 +1,73 @@
|
||||
from django.contrib.auth import get_user_model
|
||||
from django.test import TestCase
|
||||
from django.urls import reverse
|
||||
from django.utils import timezone
|
||||
|
||||
from apps.users.models import APIToken
|
||||
|
||||
|
||||
class UserAPITokenViewsTests(TestCase):
|
||||
def setUp(self):
|
||||
self.user = get_user_model().objects.create_user(
|
||||
email="user@example.com",
|
||||
password="test-password",
|
||||
)
|
||||
self.client.force_login(self.user)
|
||||
self.htmx_headers = {"HTTP_HX_REQUEST": "true"}
|
||||
|
||||
def test_user_settings_renders_api_token_section(self):
|
||||
response = self.client.get(reverse("user_settings"), **self.htmx_headers)
|
||||
|
||||
self.assertContains(response, "API Tokens")
|
||||
self.assertContains(response, reverse("user_api_token_add"))
|
||||
|
||||
def test_can_create_api_token_from_ui(self):
|
||||
response = self.client.post(
|
||||
reverse("user_api_token_add"),
|
||||
{"name": "n8n", "expires_in_days": "30"},
|
||||
**self.htmx_headers,
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertContains(response, "Copy this token now")
|
||||
self.assertEqual(APIToken.objects.filter(user=self.user, name="n8n").count(), 1)
|
||||
|
||||
def test_can_revoke_own_api_token(self):
|
||||
token, _ = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
|
||||
response = self.client.delete(
|
||||
reverse("user_api_token_revoke", kwargs={"token_id": token.id}),
|
||||
**self.htmx_headers,
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
token.refresh_from_db()
|
||||
self.assertIsNotNone(token.revoked_at)
|
||||
self.assertContains(response, "Revoked")
|
||||
|
||||
def test_can_delete_revoked_api_token(self):
|
||||
token, _ = APIToken.objects.create_token(user=self.user, name="n8n")
|
||||
token.revoked_at = timezone.now()
|
||||
token.save(update_fields=["revoked_at"])
|
||||
|
||||
response = self.client.delete(
|
||||
reverse("user_api_token_delete", kwargs={"token_id": token.id}),
|
||||
**self.htmx_headers,
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertFalse(APIToken.objects.filter(id=token.id).exists())
|
||||
|
||||
def test_cannot_delete_other_users_api_token(self):
|
||||
other = get_user_model().objects.create_user(
|
||||
email="other@example.com", password="test-password"
|
||||
)
|
||||
token, _ = APIToken.objects.create_token(user=other, name="theirs")
|
||||
|
||||
response = self.client.delete(
|
||||
reverse("user_api_token_delete", kwargs={"token_id": token.id}),
|
||||
**self.htmx_headers,
|
||||
)
|
||||
|
||||
self.assertEqual(response.status_code, 404)
|
||||
self.assertTrue(APIToken.objects.filter(id=token.id).exists())
|
||||
@@ -32,6 +32,21 @@ urlpatterns = [
|
||||
views.update_settings,
|
||||
name="user_settings",
|
||||
),
|
||||
path(
|
||||
"user/api-tokens/add/",
|
||||
views.api_token_add,
|
||||
name="user_api_token_add",
|
||||
),
|
||||
path(
|
||||
"user/api-tokens/<int:token_id>/revoke/",
|
||||
views.api_token_revoke,
|
||||
name="user_api_token_revoke",
|
||||
),
|
||||
path(
|
||||
"user/api-tokens/<int:token_id>/delete/",
|
||||
views.api_token_delete,
|
||||
name="user_api_token_delete",
|
||||
),
|
||||
path(
|
||||
"users/",
|
||||
views.users_index,
|
||||
|
||||
+66
-2
@@ -2,12 +2,13 @@ from apps.common.decorators.demo import disabled_on_demo
|
||||
from apps.common.decorators.htmx import only_htmx
|
||||
from apps.common.decorators.user import htmx_login_required, is_superuser
|
||||
from apps.users.forms import (
|
||||
APITokenCreateForm,
|
||||
LoginForm,
|
||||
UserAddForm,
|
||||
UserSettingsForm,
|
||||
UserUpdateForm,
|
||||
)
|
||||
from apps.users.models import UserSettings
|
||||
from apps.users.models import APIToken, UserSettings
|
||||
from django.contrib import messages
|
||||
from django.contrib.auth import get_user_model, logout
|
||||
from django.contrib.auth.decorators import login_required
|
||||
@@ -18,6 +19,7 @@ from django.core.exceptions import PermissionDenied
|
||||
from django.http import HttpResponse
|
||||
from django.shortcuts import get_object_or_404, redirect, render
|
||||
from django.urls import reverse
|
||||
from django.utils import timezone
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
from django.views.decorators.http import require_http_methods
|
||||
|
||||
@@ -112,7 +114,69 @@ def update_settings(request):
|
||||
else:
|
||||
form = UserSettingsForm(instance=user_settings)
|
||||
|
||||
return render(request, "users/fragments/user_settings.html", {"form": form})
|
||||
return render(
|
||||
request,
|
||||
"users/fragments/user_settings.html",
|
||||
{
|
||||
"form": form,
|
||||
"api_token_form": APITokenCreateForm(),
|
||||
"api_tokens": request.user.api_tokens.all(),
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
def _render_api_tokens(request, *, form=None, raw_token=None):
|
||||
return render(
|
||||
request,
|
||||
"users/fragments/api_tokens.html",
|
||||
{
|
||||
"api_token_form": form or APITokenCreateForm(),
|
||||
"api_tokens": request.user.api_tokens.all(),
|
||||
"raw_token": raw_token,
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
@only_htmx
|
||||
@htmx_login_required
|
||||
@disabled_on_demo
|
||||
@require_http_methods(["POST"])
|
||||
def api_token_add(request):
|
||||
form = APITokenCreateForm(request.POST)
|
||||
if form.is_valid():
|
||||
_token, raw_token = form.save(user=request.user)
|
||||
messages.success(request, _("API token created successfully"))
|
||||
return _render_api_tokens(
|
||||
request,
|
||||
form=APITokenCreateForm(),
|
||||
raw_token=raw_token,
|
||||
)
|
||||
|
||||
return _render_api_tokens(request, form=form)
|
||||
|
||||
|
||||
@only_htmx
|
||||
@htmx_login_required
|
||||
@disabled_on_demo
|
||||
@require_http_methods(["DELETE"])
|
||||
def api_token_revoke(request, token_id):
|
||||
token = get_object_or_404(APIToken, id=token_id, user=request.user)
|
||||
if token.revoked_at is None:
|
||||
token.revoked_at = timezone.now()
|
||||
token.save(update_fields=["revoked_at"])
|
||||
messages.success(request, _("API token revoked successfully"))
|
||||
return _render_api_tokens(request)
|
||||
|
||||
|
||||
@only_htmx
|
||||
@htmx_login_required
|
||||
@disabled_on_demo
|
||||
@require_http_methods(["DELETE"])
|
||||
def api_token_delete(request, token_id):
|
||||
token = get_object_or_404(APIToken, id=token_id, user=request.user)
|
||||
token.delete()
|
||||
messages.success(request, _("API token deleted successfully"))
|
||||
return _render_api_tokens(request)
|
||||
|
||||
|
||||
@only_htmx
|
||||
|
||||
+495
-254
File diff suppressed because it is too large
Load Diff
+430
-206
File diff suppressed because it is too large
Load Diff
+474
-206
File diff suppressed because it is too large
Load Diff
+469
-229
File diff suppressed because it is too large
Load Diff
+458
-206
File diff suppressed because it is too large
Load Diff
+430
-206
File diff suppressed because it is too large
Load Diff
+472
-206
File diff suppressed because it is too large
Load Diff
+439
-208
File diff suppressed because it is too large
Load Diff
+473
-219
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
+836
-564
File diff suppressed because it is too large
Load Diff
+432
-206
File diff suppressed because it is too large
Load Diff
+432
-206
File diff suppressed because it is too large
Load Diff
+462
-206
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -147,6 +147,12 @@
|
||||
hx-target="#generic-offcanvas" hx-swap="innerHTML"
|
||||
data-tippy-content="{% translate "Edit" %}">
|
||||
<i class="fa-solid fa-pencil fa-fw"></i></a>
|
||||
<a class="btn btn-soft btn-sm transaction-action gap-1"
|
||||
role="button"
|
||||
hx-get="{% url 'transaction_attachments' transaction_id=transaction.id %}"
|
||||
hx-target="#generic-offcanvas" hx-swap="innerHTML"
|
||||
data-tippy-content="{% translate "Attachments" %}">
|
||||
<i class="fa-solid fa-paperclip fa-fw"></i><span>{{ transaction.attachments.count }}</span></a>
|
||||
<a class="btn btn-error btn-soft btn-sm transaction-action"
|
||||
role="button"
|
||||
hx-delete="{% url 'transaction_delete' transaction_id=transaction.id %}"
|
||||
|
||||
@@ -34,8 +34,7 @@
|
||||
{% if demo_mode %}
|
||||
<div class="px-3 m-0" id="demo-mode-alert" hx-preserve>
|
||||
<div class="alert alert-warning my-3 relative" role="alert">
|
||||
<strong>{% trans "This is a demo!" %}</strong> {% trans "Any data you add here will be wiped in 24hrs or less"
|
||||
%}
|
||||
<strong>{% trans "This is a demo!" %}</strong>{% trans "Any data you add here will be wiped in 24hrs or less" %}
|
||||
<button type="button" class="btn btn-sm btn-ghost absolute right-2 top-1/2 -translate-y-1/2"
|
||||
onclick="this.parentElement.style.display='none'" aria-label="Close">✕</button>
|
||||
</div>
|
||||
@@ -54,4 +53,4 @@
|
||||
{% endblock extra_js_body %}
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
||||
@@ -268,7 +268,7 @@
|
||||
</div>
|
||||
|
||||
{# Filter transactions form #}
|
||||
<div class="z-1" x-show="filterOpen" x-collapse>
|
||||
<div class="z-1" x-show="filterOpen" x-collapse x-cloak>
|
||||
<div class="card card-body bg-base-200 mt-2">
|
||||
<div class="text-right">
|
||||
<button class="btn btn-outline btn-error btn-sm w-fit"
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
{% load i18n %}
|
||||
|
||||
<div id="transaction-attachments-list" class="mt-4">
|
||||
<h3 class="font-semibold mb-2">{% translate 'Attachments' %}</h3>
|
||||
{% if transaction.attachments.exists %}
|
||||
<ul class="flex flex-col gap-2">
|
||||
{% for attachment in transaction.attachments.all %}
|
||||
<li class="flex items-center justify-between gap-3 rounded-box border border-base-content/20 p-3">
|
||||
<a class="link link-primary truncate"
|
||||
target="_blank"
|
||||
href="{% url 'transaction_attachment_download' attachment_id=attachment.id %}">
|
||||
{{ attachment.original_name }}
|
||||
</a>
|
||||
<button class="btn btn-error btn-sm btn-soft"
|
||||
type="button"
|
||||
hx-delete="{% url 'transaction_attachment_delete' attachment_id=attachment.id %}"
|
||||
hx-trigger="confirmed"
|
||||
hx-target="#transaction-attachments-list"
|
||||
hx-swap="outerHTML"
|
||||
data-title="{% translate 'Delete this attachment?' %}"
|
||||
data-text="{% translate 'This file will be removed from the transaction.' %}"
|
||||
data-confirm-text="{% translate 'Yes, delete it!' %}"
|
||||
_="install prompt_swal">
|
||||
<i class="fa-solid fa-trash fa-fw"></i>
|
||||
</button>
|
||||
</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
{% else %}
|
||||
<p class="text-base-content/60">{% translate 'No attachments yet' %}</p>
|
||||
{% endif %}
|
||||
</div>
|
||||
@@ -0,0 +1,17 @@
|
||||
{% extends 'extends/offcanvas.html' %}
|
||||
{% load i18n %}
|
||||
{% load crispy_forms_tags %}
|
||||
|
||||
{% block title %}{% translate 'Transaction attachments' %}{% endblock %}
|
||||
|
||||
{% block body %}
|
||||
<form hx-post="{% url 'transaction_attachments' transaction_id=transaction.id %}"
|
||||
hx-target="#generic-offcanvas"
|
||||
hx-swap="innerHTML"
|
||||
enctype="multipart/form-data"
|
||||
novalidate>
|
||||
{% crispy form %}
|
||||
</form>
|
||||
|
||||
{% include 'transactions/fragments/attachments.html' %}
|
||||
{% endblock %}
|
||||
@@ -218,7 +218,7 @@
|
||||
</div>
|
||||
|
||||
{# Filter transactions form #}
|
||||
<div class="z-1" x-show="filterOpen" x-collapse>
|
||||
<div class="z-1" x-show="filterOpen" x-collapse x-cloak>
|
||||
<div class="card card-body bg-base-200 mt-2">
|
||||
<div class="text-right">
|
||||
<button class="btn btn-outline btn-error btn-sm w-fit"
|
||||
|
||||
@@ -0,0 +1,116 @@
|
||||
{% load crispy_forms_tags %}
|
||||
{% load i18n %}
|
||||
|
||||
<div class="mb-3">
|
||||
<div class="text-lg font-bold font-mono">{% translate "API Tokens" %}</div>
|
||||
<p class="text-sm opacity-70">
|
||||
{% translate "Use these tokens for automations such as n8n. The raw token is shown only once after creation." %}
|
||||
</p>
|
||||
</div>
|
||||
|
||||
{% if raw_token %}
|
||||
<div class="bg-primary-content p-3 rounded-box">
|
||||
<div class="w-full">
|
||||
<div class="font-semibold mb-1">{% translate "Copy this token now" %}</div>
|
||||
<p class="text-sm opacity-80 mb-3">
|
||||
{% translate "It will not be shown again after this response." %}
|
||||
</p>
|
||||
<div class="join w-full">
|
||||
<input id="raw-token-value"
|
||||
type="text"
|
||||
readonly
|
||||
value="{{ raw_token }}"
|
||||
class="input input-sm join-item w-full"
|
||||
_="on focus call me.select()" />
|
||||
<button type="button"
|
||||
class="btn btn-sm btn-secondary join-item"
|
||||
_="on click call navigator.clipboard.writeText(#raw-token-value.value)
|
||||
then put 'Copied!' into me
|
||||
then wait 1.5s
|
||||
then put 'Copy' into me">
|
||||
{% translate "Copy" %}
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
{% endif %}
|
||||
|
||||
<form hx-post="{% url 'user_api_token_add' %}" hx-target="#api-token-settings" hx-swap="innerHTML" novalidate>
|
||||
{% crispy api_token_form %}
|
||||
</form>
|
||||
|
||||
{% if api_tokens %}
|
||||
<div class="overflow-x-auto mt-4">
|
||||
<table class="table table-zebra">
|
||||
<tbody>
|
||||
{% for token in api_tokens %}
|
||||
<tr>
|
||||
<td>
|
||||
<div class="flex items-center gap-2 flex-wrap">
|
||||
<span class="font-medium font-mono">{{ token.name }}</span>
|
||||
{% if token.revoked_at %}
|
||||
<span class="badge badge-sm badge-ghost">{% translate "Revoked" %}</span>
|
||||
{% else %}
|
||||
<span class="badge badge-sm badge-success">{% translate "Active" %}</span>
|
||||
{% endif %}
|
||||
</div>
|
||||
<div class="text-xs opacity-60 font-mono break-all mt-1">{{ token.token_key }}</div>
|
||||
<div class="text-xs opacity-60">
|
||||
{% blocktranslate with created=token.created_at|date:"Y-m-d" %}Created {{ created }}{% endblocktranslate %}
|
||||
·
|
||||
{% if token.last_used_at %}
|
||||
{% blocktranslate with used=token.last_used_at|date:"Y-m-d H:i" %}last used {{ used }}{% endblocktranslate %}
|
||||
{% else %}
|
||||
{% translate "never used" %}
|
||||
{% endif %}
|
||||
·
|
||||
{% if token.expires_at %}
|
||||
{% blocktranslate with expires=token.expires_at|date:"Y-m-d" %}expires {{ expires }}{% endblocktranslate %}
|
||||
{% else %}
|
||||
{% translate "no expiry" %}
|
||||
{% endif %}
|
||||
</div>
|
||||
</td>
|
||||
<td class="table-col-auto text-right align-top">
|
||||
{% if not token.revoked_at %}
|
||||
<a class="btn btn-error btn-sm"
|
||||
role="button"
|
||||
data-tippy-content="{% translate 'Revoke' %}"
|
||||
hx-delete="{% url 'user_api_token_revoke' token_id=token.id %}"
|
||||
hx-target="#api-token-settings"
|
||||
hx-swap="innerHTML"
|
||||
hx-trigger="confirmed"
|
||||
data-bypass-on-ctrl="true"
|
||||
data-title="{% translate 'Revoke token?' %}"
|
||||
data-text="{% translate 'This token will stop working immediately.' %}"
|
||||
data-confirm-text="{% translate 'Yes, revoke it!' %}"
|
||||
_="install prompt_swal">
|
||||
<i class="fa-solid fa-ban fa-fw"></i>
|
||||
</a>
|
||||
{% else %}
|
||||
<a class="btn btn-error btn-sm"
|
||||
role="button"
|
||||
data-tippy-content="{% translate 'Delete' %}"
|
||||
hx-delete="{% url 'user_api_token_delete' token_id=token.id %}"
|
||||
hx-target="#api-token-settings"
|
||||
hx-swap="innerHTML"
|
||||
hx-trigger="confirmed"
|
||||
data-bypass-on-ctrl="true"
|
||||
data-title="{% translate 'Delete token?' %}"
|
||||
data-text="{% translate 'This permanently removes the token from the list. It cannot be undone.' %}"
|
||||
data-confirm-text="{% translate 'Yes, delete it!' %}"
|
||||
_="install prompt_swal">
|
||||
<i class="fa-solid fa-trash fa-fw"></i>
|
||||
</a>
|
||||
{% endif %}
|
||||
</td>
|
||||
</tr>
|
||||
{% endfor %}
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
{% else %}
|
||||
<div class="mt-4">
|
||||
<c-msg.empty title="{% translate "No API tokens" %}" remove-padding></c-msg.empty>
|
||||
</div>
|
||||
{% endif %}
|
||||
@@ -8,4 +8,8 @@
|
||||
<form hx-post="{% url 'user_settings' %}" hx-target="#generic-offcanvas" novalidate>
|
||||
{% crispy form %}
|
||||
</form>
|
||||
<div class="divider my-6"></div>
|
||||
<div id="api-token-settings">
|
||||
{% include "users/fragments/api_tokens.html" %}
|
||||
</div>
|
||||
{% endblock %}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
volumes:
|
||||
wygiwyh_dev_postgres_data: {}
|
||||
wygiwyh_temp:
|
||||
wygiwyh_attachments:
|
||||
|
||||
|
||||
services:
|
||||
@@ -14,6 +15,7 @@ services:
|
||||
- ./app/:/usr/src/app/:z
|
||||
- ./frontend/:/usr/src/frontend:z
|
||||
- wygiwyh_temp:/usr/src/app/temp/
|
||||
- wygiwyh_attachments:/usr/src/app/attachments/
|
||||
ports:
|
||||
- "${OUTBOUND_PORT:-8000}:${INTERNAL_PORT:-8000}"
|
||||
env_file:
|
||||
|
||||
@@ -6,6 +6,8 @@ services:
|
||||
- "${OUTBOUND_PORT:-8000}:${INTERNAL_PORT:-8000}"
|
||||
env_file:
|
||||
- .env
|
||||
volumes:
|
||||
- ./media:/usr/src/app/attachments/
|
||||
depends_on:
|
||||
- db
|
||||
restart: unless-stopped
|
||||
|
||||
@@ -15,5 +15,6 @@ python manage.py migrate
|
||||
touch /tmp/migrations_complete
|
||||
|
||||
python manage.py setup_users
|
||||
python manage.py setup_oauth
|
||||
|
||||
exec python manage.py runserver 0.0.0.0:$INTERNAL_PORT
|
||||
|
||||
@@ -2,9 +2,9 @@ FROM node:lts-alpine
|
||||
|
||||
WORKDIR /usr/src/frontend
|
||||
|
||||
COPY ./frontend/package.json .
|
||||
COPY ./frontend/package.json ./frontend/package-lock.json ./
|
||||
|
||||
RUN npm install --verbose && npm cache clean --force
|
||||
RUN npm ci --verbose && npm cache clean --force
|
||||
|
||||
ENV PATH ./node_modules/.bin/:$PATH
|
||||
|
||||
|
||||
@@ -16,5 +16,6 @@ python manage.py migrate
|
||||
touch /tmp/migrations_complete
|
||||
|
||||
python manage.py setup_users
|
||||
python manage.py setup_oauth
|
||||
|
||||
exec gunicorn WYGIWYH.wsgi:application --bind 0.0.0.0:$INTERNAL_PORT --timeout 600
|
||||
|
||||
Generated
+753
-1307
File diff suppressed because it is too large
Load Diff
+20
-20
@@ -16,35 +16,35 @@
|
||||
},
|
||||
"type": "module",
|
||||
"dependencies": {
|
||||
"@alpinejs/collapse": "^3.15.1",
|
||||
"@alpinejs/mask": "^3.15.1",
|
||||
"@alpinejs/collapse": "^3.15.12",
|
||||
"@alpinejs/mask": "^3.15.12",
|
||||
"@fontsource-variable/jetbrains-mono": "^5.2.8",
|
||||
"@fortawesome/fontawesome-free": "^7.1.0",
|
||||
"@fortawesome/fontawesome-free": "^7.2.0",
|
||||
"@popperjs/core": "^2.11.8",
|
||||
"@rollup/plugin-commonjs": "^29.0.0",
|
||||
"@tailwindcss/vite": "^4.1.17",
|
||||
"@rollup/plugin-commonjs": "^29.0.3",
|
||||
"@tailwindcss/vite": "^4.3.0",
|
||||
"air-datepicker": "^3.6.0",
|
||||
"alpinejs": "^3.15.1",
|
||||
"autoprefixer": "^10.4.22",
|
||||
"alpinejs": "^3.15.12",
|
||||
"autoprefixer": "^10.5.0",
|
||||
"autosize": "^6.0.1",
|
||||
"bootstrap": "^5.3.8",
|
||||
"chart.js": "^4.5.1",
|
||||
"chartjs-chart-sankey": "^0.14.0",
|
||||
"daisyui": "^5.5.5",
|
||||
"htmx.org": "^2.0.8",
|
||||
"hyperscript.org": "^0.9.14",
|
||||
"mathjs": "^15.1.0",
|
||||
"postcss": "^8.5.6",
|
||||
"chartjs-chart-sankey": "^0.14.3",
|
||||
"daisyui": "5.5.20",
|
||||
"htmx.org": "^2.0.10",
|
||||
"hyperscript.org": "^0.9.91",
|
||||
"mathjs": "^15.2.0",
|
||||
"postcss": "^8.5.15",
|
||||
"pulltorefreshjs": "^0.1.22",
|
||||
"sass": "^1.94.0",
|
||||
"sweetalert2": "^11.26.3",
|
||||
"tailwindcss": "^4.1.17",
|
||||
"sass": "^1.100.0",
|
||||
"sweetalert2": "^11.26.25",
|
||||
"tailwindcss": "^4.3.0",
|
||||
"tippy.js": "^6.3.7",
|
||||
"tom-select": "^2.4.3",
|
||||
"tw-bootstrap-grid": "^1.3.2",
|
||||
"vite": "7.2.2"
|
||||
"tom-select": "^2.6.1",
|
||||
"tw-bootstrap-grid": "^1.4.0",
|
||||
"vite": "8.0.16"
|
||||
},
|
||||
"resolutions": {
|
||||
"rollup": "npm:@rollup/wasm-node"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,4 +1,4 @@
|
||||
import _hyperscript from 'hyperscript.org/dist/_hyperscript.min';
|
||||
import 'hyperscript.org';
|
||||
import './_htmx.js';
|
||||
import Alpine from "alpinejs";
|
||||
import mask from '@alpinejs/mask';
|
||||
@@ -6,7 +6,6 @@ import collapse from '@alpinejs/collapse'
|
||||
import { create, all } from 'mathjs';
|
||||
|
||||
window.Alpine = Alpine;
|
||||
window._hyperscript = _hyperscript;
|
||||
window.math = create(all, {
|
||||
number: 'BigNumber',
|
||||
});
|
||||
@@ -15,8 +14,6 @@ Alpine.plugin(mask);
|
||||
Alpine.plugin(collapse);
|
||||
Alpine.start();
|
||||
|
||||
_hyperscript.browserInit();
|
||||
|
||||
const successAudio = new Audio("/static/sounds/success.mp3");
|
||||
const popAudio = new Audio("/static/sounds/pop.mp3");
|
||||
window.paidSound = successAudio;
|
||||
|
||||
@@ -4,6 +4,15 @@ import '../styles/_tom-select.scss'
|
||||
|
||||
|
||||
window.TomSelect = function createDynamicTomSelect(element) {
|
||||
const schedulePopperUpdate = function (instance) {
|
||||
// Wait for TomSelect DOM updates before recalculating dropdown position.
|
||||
requestAnimationFrame(() => {
|
||||
if (instance.popper) {
|
||||
instance.popper.update();
|
||||
}
|
||||
});
|
||||
};
|
||||
|
||||
// Basic configuration
|
||||
const config = {
|
||||
plugins: {},
|
||||
@@ -27,10 +36,16 @@ window.TomSelect = function createDynamicTomSelect(element) {
|
||||
this.popper = Popper.createPopper(this.control, this.dropdown, {
|
||||
placement: "bottom-start",
|
||||
modifiers: [
|
||||
{
|
||||
name: "offset",
|
||||
options: {
|
||||
offset: [0, 4],
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "sameWidth",
|
||||
enabled: true,
|
||||
fn: ({state}) => {
|
||||
fn: ({ state }) => {
|
||||
state.styles.popper.width = `${state.rects.reference.width}px`;
|
||||
},
|
||||
phase: "beforeWrite",
|
||||
@@ -45,11 +60,23 @@ window.TomSelect = function createDynamicTomSelect(element) {
|
||||
]
|
||||
|
||||
});
|
||||
|
||||
},
|
||||
onDropdownOpen: function () {
|
||||
this.popper.update();
|
||||
}
|
||||
schedulePopperUpdate(this);
|
||||
},
|
||||
onItemAdd: function () {
|
||||
if (this.settings.mode === 'multi') {
|
||||
this.setTextboxValue();
|
||||
this.refreshOptions(false);
|
||||
}
|
||||
schedulePopperUpdate(this);
|
||||
},
|
||||
onItemRemove: function () {
|
||||
schedulePopperUpdate(this);
|
||||
},
|
||||
onClear: function () {
|
||||
schedulePopperUpdate(this);
|
||||
},
|
||||
};
|
||||
|
||||
if (element.dataset.checkboxes === 'true') {
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
import twBootstrapGrid from "tw-bootstrap-grid";
|
||||
|
||||
export default twBootstrapGrid;
|
||||
@@ -49,6 +49,10 @@ div:where(.swal2-container) {
|
||||
z-index: 1101 !important;
|
||||
}
|
||||
|
||||
#toasts .toast-container {
|
||||
z-index: 1100;
|
||||
}
|
||||
|
||||
.logo {
|
||||
/* Set the background-color to DaisyUI CSS variable */
|
||||
background-color: var(--color-primary);
|
||||
@@ -77,4 +81,4 @@ div:where(.swal2-container) {
|
||||
|
||||
[x-cloak] {
|
||||
display: none !important;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
themes: wygiwyh_dark --default, wygiwyh_light;
|
||||
logs: true;
|
||||
}
|
||||
@plugin "tw-bootstrap-grid";
|
||||
@plugin "../plugins/tw-bootstrap-grid-plugin.js";
|
||||
|
||||
@plugin "daisyui/theme" {
|
||||
name: "wygiwyh_light";
|
||||
|
||||
@@ -51,10 +51,44 @@ export default defineConfig({
|
||||
manifest: 'manifest.json',
|
||||
emptyOutDir: true,
|
||||
target: 'es2017',
|
||||
chunkSizeWarningLimit: 800,
|
||||
rollupOptions: {
|
||||
input: rollupInputs,
|
||||
output: {
|
||||
chunkFileNames: undefined,
|
||||
manualChunks(id) {
|
||||
if (!id.includes('node_modules')) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (id.includes('/chart.js/') || id.includes('/chartjs-chart-sankey/')) {
|
||||
return 'vendor-chart';
|
||||
}
|
||||
|
||||
if (id.includes('/mathjs/')) {
|
||||
return 'vendor-math';
|
||||
}
|
||||
|
||||
if (
|
||||
id.includes('/alpinejs/') ||
|
||||
id.includes('/@alpinejs/') ||
|
||||
id.includes('/htmx.org/') ||
|
||||
id.includes('/hyperscript.org/')
|
||||
) {
|
||||
return 'vendor-interaction';
|
||||
}
|
||||
|
||||
if (
|
||||
id.includes('/bootstrap/') ||
|
||||
id.includes('/@popperjs/') ||
|
||||
id.includes('/sweetalert2/') ||
|
||||
id.includes('/tippy.js/') ||
|
||||
id.includes('/tom-select/') ||
|
||||
id.includes('/air-datepicker/')
|
||||
) {
|
||||
return 'vendor-ui';
|
||||
}
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
+19
-18
@@ -5,34 +5,35 @@ description = "An opinionated and powerful finance tracker."
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.11"
|
||||
dependencies = [
|
||||
"crispy-bootstrap5==2025.6",
|
||||
"django~=5.2.9",
|
||||
"django-allauth[socialaccount]~=65.13.1",
|
||||
"crispy-bootstrap5==2026.3",
|
||||
"django~=5.2.15",
|
||||
"django-allauth[socialaccount]~=65.18.0",
|
||||
"django-browser-reload==1.21.0",
|
||||
"django-cachalot~=2.8.0",
|
||||
"django-cotton<2.3.0",
|
||||
"django-crispy-forms==2.5",
|
||||
"django-debug-toolbar==6.1.0",
|
||||
"django-cachalot~=2.9.0",
|
||||
"django-cotton~=2.7.2",
|
||||
"django-crispy-forms==2.6",
|
||||
"django-debug-toolbar==6.3.0",
|
||||
"django-filter==25.2",
|
||||
"django-hijack==3.7.4",
|
||||
"django-import-export~=4.3.9",
|
||||
"django-hijack==3.7.8",
|
||||
"django-import-export~=4.4.1",
|
||||
"django-oauth-toolkit~=3.0.1",
|
||||
"django-pwa~=2.0.1",
|
||||
"django-vite==3.1.0",
|
||||
"djangorestframework~=3.16.0",
|
||||
"djangorestframework~=3.17.1",
|
||||
"drf-spectacular~=0.29.0",
|
||||
"gunicorn==23.0.0",
|
||||
"mistune~=3.1.3",
|
||||
"gunicorn==26.0.0",
|
||||
"mistune~=3.2.1",
|
||||
"openpyxl~=3.1.5",
|
||||
"procrastinate[django]~=3.5.3",
|
||||
"psycopg[binary,pool]==3.2.9",
|
||||
"pydantic~=2.12.3",
|
||||
"procrastinate[django]~=3.8.1",
|
||||
"psycopg[binary,pool]==3.3.4",
|
||||
"pydantic~=2.13.4",
|
||||
"python-dateutil~=2.9.0.post0",
|
||||
"pytz>=2025.2",
|
||||
"pyyaml~=6.0.2",
|
||||
"requests~=2.32.5",
|
||||
"requests~=2.34.2",
|
||||
"simpleeval~=1.0.3",
|
||||
"watchfiles==1.1.1",
|
||||
"whitenoise[brotli]==6.11.0",
|
||||
"watchfiles==1.2.0",
|
||||
"whitenoise[brotli]==6.12.0",
|
||||
"xlrd~=2.0.1",
|
||||
]
|
||||
|
||||
|
||||
Reference in New Issue
Block a user