405 error

2025-11-21 20:59:50 +05:00
parent 1227df4a41
commit a82be89d21
3 changed files with 116 additions and 3 deletions
--- a/backend/igny8_core/api/authentication.py
+++ b/backend/igny8_core/api/authentication.py
@@ -83,3 +83,60 @@ class JWTAuthentication(BaseAuthentication):
            # This allows session authentication to work if JWT fails
            return None

+
+class APIKeyAuthentication(BaseAuthentication):
+    """
+    API Key authentication for WordPress integration.
+    Validates API keys stored in Site.wp_api_key field.
+    """
+    def authenticate(self, request):
+        """
+        Authenticate using WordPress API key.
+        Returns (user, api_key) tuple if valid.
+        """
+        auth_header = request.META.get('HTTP_AUTHORIZATION', '')
+        
+        if not auth_header.startswith('Bearer '):
+            return None  # Not an API key request
+        
+        api_key = auth_header.split(' ')[1] if len(auth_header.split(' ')) > 1 else None
+        if not api_key or len(api_key) < 20:  # API keys should be at least 20 chars
+            return None
+        
+        # Don't try to authenticate JWT tokens (they start with 'ey')
+        if api_key.startswith('ey'):
+            return None  # Let JWTAuthentication handle it
+        
+        try:
+            from igny8_core.auth.models import Site, User
+            
+            # Find site by API key
+            site = Site.objects.select_related('account', 'account__owner').filter(
+                wp_api_key=api_key,
+                is_active=True
+            ).first()
+            
+            if not site:
+                return None  # API key not found or site inactive
+            
+            # Get account and user
+            account = site.account
+            user = account.owner  # Use account owner as the authenticated user
+            
+            if not user.is_active:
+                raise AuthenticationFailed('User account is disabled.')
+            
+            # Set account on request for tenant isolation
+            request.account = account
+            
+            # Set site on request for WordPress integration context
+            request.site = site
+            
+            return (user, api_key)
+            
+        except Exception as e:
+            # Log the error but return None to allow other auth classes to try
+            import logging
+            logger = logging.getLogger(__name__)
+            logger.debug(f'APIKeyAuthentication error: {str(e)}')
+            return None