def require_auth():
    """Resolve the caller's identity into ``g.auth_user`` and enforce account gates.

    The ``Authorization: Bearer <token>`` header is tried against, in order,
    a session token, an API key token and finally a legacy token.  A legacy
    token is still accepted, but its use is logged at WARNING level so the
    remaining holders can be tracked.  ``g.auth_user`` is always assigned:
    ``None`` when no bearer token was presented or none of the verifiers
    recognised it.

    Raises:
        Forbidden: when maintenance mode is enabled and the resolved user is
            not the configured admin login, or when the resolved user is
            disabled.
    """
    # CORS preflight requests carry no credentials; let them through untouched.
    if request.method == "OPTIONS":
        return

    g.auth_user = None
    header = request.headers.get("Authorization")
    if not header or not header.startswith("Bearer "):
        # No bearer credential at all: the request stays anonymous.
        return

    # The prefix check above guarantees exactly one split point.
    _scheme, token = header.split(" ", 1)
    user = User.verify_session_token(token)
    if user is None:
        # Not a session token? Maybe an API key token.
        user = APIKey.verify_token(token)
    used_legacy = user is None
    if used_legacy:
        # Still nothing? Maybe a legacy API key.
        user = User.verify_legacy_token(token)
    g.auth_user = user
    if used_legacy and user is not None:
        getLogger().warning(
            "'%s' used legacy auth token for authentication", user.login
        )

    if not user:
        return
    # While maintenance is on, only the configured admin may keep working.
    maintenance_lockout = (
        app_config.mwdb.enable_maintenance
        and user.login != app_config.mwdb.admin_login
    )
    if maintenance_lockout:
        raise Forbidden("Maintenance underway. Please come back later.")
    if user.disabled:
        raise Forbidden("User has been disabled.")
def require_auth():
    """Resolve the caller into ``g.auth_user``, then apply account gates and rate limits.

    The ``Authorization: Bearer <token>`` header is tried against, in order,
    a session token, an API key token and finally a legacy token.  A legacy
    token is still accepted, but its use is logged at WARNING level so the
    remaining holders can be tracked.  ``g.auth_user`` is always assigned:
    ``None`` when no bearer token was presented or none of the verifiers
    recognised it.

    For an authenticated user that lacks ``Capabilities.unlimited_requests``,
    and only when ``app_config.mwdb.enable_rate_limit`` is set, the request is
    charged against four time windows via ``rate_limit``; GET requests use the
    ``get-request`` budget (except ``DownloadResource``), everything else the
    ``set-request`` budget.

    Raises:
        Forbidden: when maintenance mode is enabled and the resolved user is
            not the configured admin login, or when the resolved user is
            disabled.
    """
    # CORS preflight requests carry no credentials; let them through untouched.
    if request.method == "OPTIONS":
        return

    g.auth_user = None
    header = request.headers.get("Authorization")
    if not header or not header.startswith("Bearer "):
        # No bearer credential at all: the request stays anonymous.
        return

    # The prefix check above guarantees exactly one split point.
    _scheme, token = header.split(" ", 1)
    user = User.verify_session_token(token)
    if user is None:
        # Not a session token? Maybe an API key token.
        user = APIKey.verify_token(token)
    used_legacy = user is None
    if used_legacy:
        # Still nothing? Maybe a legacy API key.
        user = User.verify_legacy_token(token)
    g.auth_user = user
    if used_legacy and user is not None:
        getLogger().warning(
            "'%s' used legacy auth token for authentication", user.login
        )

    if not user:
        return
    # While maintenance is on, only the configured admin may keep working.
    maintenance_lockout = (
        app_config.mwdb.enable_maintenance
        and user.login != app_config.mwdb.admin_login
    )
    if maintenance_lockout:
        raise Forbidden("Maintenance underway. Please come back later.")
    if user.disabled:
        raise Forbidden("User has been disabled.")

    if not app_config.mwdb.enable_rate_limit:
        return
    if user.has_rights(Capabilities.unlimited_requests):
        return

    # Budgets are (window in seconds, allowed requests) pairs.
    # A single sample view in malwarefront generates 7 requests (6 GET, 1 POST).
    if request.method == "GET":
        # DownloadResource is token-based and shouldn't be limited.
        if request.endpoint == api.endpoint_for(DownloadResource):
            return
        bucket = "get-request"
        budgets = (
            (10, 1000),  # 1000 per 10 seconds
            (60, 2000),  # 2000 per 1 minute
            (5 * 60, 6000),  # 6000 per 5 minutes
            (15 * 60, 10000),  # 10000 per 15 minutes
        )
    else:
        bucket = "set-request"
        budgets = (
            (10, 10),  # 10 per 10 seconds
            (60, 30),  # 30 per 1 minute
            (5 * 60, 100),  # 100 per 5 minutes
            (15 * 60, 200),  # 200 per 15 minutes
        )
    for window_seconds, max_requests in budgets:
        rate_limit(bucket, window_seconds, max_requests)