From 904602510dad8f7c88043d00afa3988421d20dd1 Mon Sep 17 00:00:00 2001 From: Dan Albert Date: Sun, 6 Mar 2022 01:57:12 -0800 Subject: [PATCH] Remove API key auth; CORS is sufficient. The React UI running in a browser can't connect to the backend without punching a hole for CORS, which isn't done by default. We don't need the API key to protect from browsers, and anything else running on the user's machine that can access the backend (that's hosted on only localhost) already has enough control to do damage without using Liberation as an attack vector. https://github.com/dcs-liberation/dcs_liberation --- client/README.md | 10 ++-------- game/server/app.py | 9 ++------- qt_ui/widgets/map/model/mapmodel.py | 5 ----- qt_ui/windows/QLiberationWindow.py | 3 --- 4 files changed, 4 insertions(+), 23 deletions(-) diff --git a/client/README.md b/client/README.md index 135ea4e1..c008ec8e 100644 --- a/client/README.md +++ b/client/README.md @@ -7,20 +7,14 @@ yet. For development, set the following environment variables when launching DCS Liberation (the Qt UI): -- `REQUIRE_API_KEY=false` - - This will disable API key authentication. The API key is randomly generated at - server startup and we don't currently have a mechanism for communicating that - key to the front-end. - - `CORS_ALLOW_DEBUG_SERVER=true` This will allow the front-end to make requests to the server, as long as the front-end is running on http://localhost:3000. Then, run `npm start` to start the development server. Launch the Qt UI with -`--new-map` to connect the webview to the development server, or navigate to -http://localhost:3000 in your browser. +`--new-map --dev` to connect the webview to the development server, or navigate +to http://localhost:3000 in your browser. ## Available Scripts diff --git a/game/server/app.py b/game/server/app.py index 777b2427..64dbe170 100644 --- a/game/server/app.py +++ b/game/server/app.py @@ -1,4 +1,4 @@ -from fastapi import Depends, FastAPI +from fastapi import FastAPI from fastapi.middleware.cors import CORSMiddleware from . import ( @@ -15,14 +15,9 @@ from . import ( tgos, waypoints, ) -from .security import ApiKeyManager from .settings import ServerSettings -dependencies = [] -if ServerSettings.get().require_api_key: - dependencies.append(Depends(ApiKeyManager.verify)) - -app = FastAPI(dependencies=dependencies) +app = FastAPI() app.include_router(controlpoints.router) app.include_router(debuggeometries.router) app.include_router(eventstream.router) diff --git a/qt_ui/widgets/map/model/mapmodel.py b/qt_ui/widgets/map/model/mapmodel.py index d12b948d..cb200313 100644 --- a/qt_ui/widgets/map/model/mapmodel.py +++ b/qt_ui/widgets/map/model/mapmodel.py @@ -8,7 +8,6 @@ from dcs.mapping import LatLng from game import Game from game.profiling import logged_duration from game.server.leaflet import LeafletLatLon -from game.server.security import ApiKeyManager from game.theater import ( ConflictTheater, ) @@ -75,10 +74,6 @@ class MapModel(QObject): self._map_center = theater.terrain.map_view_default.position.latlng() self.mapCenterChanged.emit(self._map_center.as_list()) - @Property(str, notify=apiKeyChanged) - def apiKey(self) -> str: - return ApiKeyManager.KEY - @Property(list, notify=mapCenterChanged) def mapCenter(self) -> LeafletLatLon: return self._map_center.as_list() diff --git a/qt_ui/windows/QLiberationWindow.py b/qt_ui/windows/QLiberationWindow.py index b32817ac..ae9e3332 100644 --- a/qt_ui/windows/QLiberationWindow.py +++ b/qt_ui/windows/QLiberationWindow.py @@ -23,7 +23,6 @@ from game.debriefing import Debriefing from game.layout import LAYOUTS from game.server import EventStream, GameContext from game.server.dependencies import QtCallbacks, QtContext -from game.server.security import ApiKeyManager from game.theater import ControlPoint, MissionTarget, TheaterGroundObject from qt_ui import liberation_install from qt_ui.dialogs import Dialog @@ -116,8 +115,6 @@ class QLiberationWindow(QMainWindow): else: self.onGameGenerated(self.game) - logging.debug(f"API Key: {ApiKeyManager.KEY}") - def initUi(self): hbox = QSplitter(Qt.Horizontal) vbox = QSplitter(Qt.Vertical)