Remove API key auth; CORS is sufficient.

The React UI running in a browser can't connect to the backend without punching a hole for CORS, which isn't done by default. We don't need the API key to protect from browsers, and anything else running on the user's machine that can access the backend (that's hosted on only localhost) already has enough control to do damage without using Liberation as an attack vector. https://github.com/dcs-liberation/dcs_liberation
2025-11-10 14:22:26 +00:00 · 2022-03-06 01:57:12 -08:00 · 2022-03-06 01:57:12 -08:00 · 904602510d
commit 904602510d
parent 8165d3bd8c
4 changed files with 4 additions and 23 deletions
--- a/client/README.md
+++ b/client/README.md
@ -7,20 +7,14 @@ yet.
 For development, set the following environment variables when launching DCS
 Liberation (the Qt UI):

- `REQUIRE_API_KEY=false`
-
-  This will disable API key authentication. The API key is randomly generated at
-  server startup and we don't currently have a mechanism for communicating that
-  key to the front-end.
-
 - `CORS_ALLOW_DEBUG_SERVER=true`

  This will allow the front-end to make requests to the server, as long as the
  front-end is running on http://localhost:3000.

 Then, run `npm start` to start the development server. Launch the Qt UI with
-`--new-map` to connect the webview to the development server, or navigate to
-http://localhost:3000 in your browser.
+`--new-map --dev` to connect the webview to the development server, or navigate
+to http://localhost:3000 in your browser.

 ## Available Scripts

--- a/game/server/app.py
+++ b/game/server/app.py
@ -1,4 +1,4 @@
-from fastapi import Depends, FastAPI
+from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware

 from . import (
@ -15,14 +15,9 @@ from . import (
    tgos,
    waypoints,
 )
-from .security import ApiKeyManager
 from .settings import ServerSettings

-dependencies = []
-if ServerSettings.get().require_api_key:
-    dependencies.append(Depends(ApiKeyManager.verify))
-
-app = FastAPI(dependencies=dependencies)
+app = FastAPI()
 app.include_router(controlpoints.router)
 app.include_router(debuggeometries.router)
 app.include_router(eventstream.router)
--- a/qt_ui/widgets/map/model/mapmodel.py
+++ b/qt_ui/widgets/map/model/mapmodel.py
@ -8,7 +8,6 @@ from dcs.mapping import LatLng
 from game import Game
 from game.profiling import logged_duration
 from game.server.leaflet import LeafletLatLon
-from game.server.security import ApiKeyManager
 from game.theater import (
    ConflictTheater,
 )
@ -75,10 +74,6 @@ class MapModel(QObject):
        self._map_center = theater.terrain.map_view_default.position.latlng()
        self.mapCenterChanged.emit(self._map_center.as_list())

-    @Property(str, notify=apiKeyChanged)
-    def apiKey(self) -> str:
-        return ApiKeyManager.KEY
-
    @Property(list, notify=mapCenterChanged)
    def mapCenter(self) -> LeafletLatLon:
        return self._map_center.as_list()
--- a/qt_ui/windows/QLiberationWindow.py
+++ b/qt_ui/windows/QLiberationWindow.py
@ -23,7 +23,6 @@ from game.debriefing import Debriefing
 from game.layout import LAYOUTS
 from game.server import EventStream, GameContext
 from game.server.dependencies import QtCallbacks, QtContext
-from game.server.security import ApiKeyManager
 from game.theater import ControlPoint, MissionTarget, TheaterGroundObject
 from qt_ui import liberation_install
 from qt_ui.dialogs import Dialog
@ -116,8 +115,6 @@ class QLiberationWindow(QMainWindow):
        else:
            self.onGameGenerated(self.game)

-        logging.debug(f"API Key: {ApiKeyManager.KEY}")
-
    def initUi(self):
        hbox = QSplitter(Qt.Horizontal)
        vbox = QSplitter(Qt.Vertical)