[#69419] server: add 'authenticated' API decorator

MaciejWas · MaciejWas · commit 304f14d7d20e · 2025-02-06T10:53:06.000+01:00
diff --git a/server/src/api/v1/middleware.py b/server/src/api/v1/middleware.py
@@ -67,6 +67,12 @@
                      """providing a management token with read-write scope""" \
                      f""" ``{SCOPE_READ_WRITE}``."""
 
+""" Text to append after the endpoint's docstring when a token
+    with zero or more scopes is required
+"""
+DOCS_AUTHENTICATED_API_TEXT = """.. warning:: Accessing this endpoint requires """ \
+                              """providing an authorization token"""
+
 """ Unprotected API routes
 """
 DOCS_PUBLIC_API_TEXT = """.. note:: This is a public API route; no """ \
@@ -749,6 +755,17 @@ def scope_check_callback(scopes):
     return __management_api(scope_check_callback, append_scopes=True)(f)
 
 
+def authenticated_api(f):
+    """Decorator to be used for API routes available to every
+    authenticated user
+    """
+
+    f.__rdfm_api_privileges__ = "authenticated"
+    __add_scope_docs(f, DOCS_AUTHENTICATED_API_TEXT)
+
+    return management_user_validation(f)
+
+
 def public_api(f):
     """Decorator to be used on public API routes
 
diff --git a/server/src/api/v1/permissions.py b/server/src/api/v1/permissions.py
@@ -10,7 +10,8 @@
     management_read_only_api,
     management_read_write_api,
     deserialize_schema,
-    check_admin_rights
+    check_admin_rights,
+    authenticated_api
 )
 from typing import List, Optional
 import server
@@ -36,7 +37,7 @@ def model_to_schema(
 
 
 @permissions_blueprint.route("/api/v1/permissions")
-@management_user_validation
+@authenticated_api
 @wrap_api_exception("permissions fetching failed")
 def fetch_all(**kwargs):
     """Fetch all permissions 
diff --git a/server/tests/test-server-route-correctness.py b/server/tests/test-server-route-correctness.py
@@ -47,7 +47,7 @@ def test_authorization_on_all_routes(endpoint, func):
     # Check for the presence of a decorator
     # The device/management API decorators add a special field for identification
     error_string = (f"route function {func.__name__} should be decorated using "
-                    "a management, device or public API decorator, but none was found")
+                    "a management, authenticated, device or public API decorator, but none was found")
     assert hasattr(func, "__rdfm_api_privileges__"), error_string
 
 
