From 147d982c875ff581eb3e9823d0e745e2b2dce4e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Thu, 22 Sep 2022 18:52:06 +0200
Subject: =?UTF-8?q?=F0=9F=90=9B=20Fix=20invalid=20API=20key=20and=20guest?= =?UTF-8?q?=20behaviour=20vs=20CSRF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes second issue discovered in #4648
---
 src/octoprint/server/util/__init__.py | 6 +++---
 src/octoprint/server/util/csrf.py | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/octoprint/server/util/__init__.py b/src/octoprint/server/util/__init__.py
index 79bf9e05e..5a477b0ab 100644
--- a/src/octoprint/server/util/__init__.py
+++ b/src/octoprint/server/util/__init__.py
@@ -43,7 +43,7 @@ def loginFromApiKeyRequestHandler():
 if loginUserFromApiKey():
 _flask.g.login_via_apikey = True
 except InvalidApiKeyException:
- _flask.abort(403)
+ _flask.abort(403, "Invalid API key")
 def loginFromAuthorizationHeaderRequestHandler():
@@ -54,7 +54,7 @@ def loginFromAuthorizationHeaderRequestHandler():
 if loginUserFromAuthorizationHeader():
 _flask.g.login_via_header = True
 except InvalidApiKeyException:
- _flask.abort(403)
+ _flask.abort(403, "Invalid credentials in Basic Authorization header")
 class InvalidApiKeyException(Exception):
@@ -69,7 +69,7 @@ def loginUserFromApiKey():
 user = get_user_for_apikey(apikey)
 if user is None:
 # invalid API key = no API key
- return False
+ raise InvalidApiKeyException("Invalid API key")
 return loginUser(user, login_mechanism="apikey")
diff --git a/src/octoprint/server/util/csrf.py b/src/octoprint/server/util/csrf.py
index 74821440a..aaa7b133b 100644
--- a/src/octoprint/server/util/csrf.py
+++ b/src/octoprint/server/util/csrf.py
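Review bot: In the third hunk of src/octoprint/server/util/__init__.py the comment `# invalid API key = no API key` directly above the new `raise` is now stale: it describes the behaviour the commit removes, since a presented key that matches no user no longer degrades to the no-key outcome (`return False`) but is rejected outright and turned into a 403 by the two handlers in the hunks above. Replace it with `# a key was presented but matches no user: reject explicitly instead of falling through to guest access`. The head of loginUserFromApiKey, where the key is read from the request and the genuinely absent-key case is presumably handled, lies before the hunk, so I cannot confirm from here that the absent-key path still returns False rather than raising; that distinction is what keeps unauthenticated guest requests working while bad keys are refused. The first two hunks only attach messages to the existing abort calls and need nothing.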
@@ -77,8 +77,9 @@ def validate_csrf_request(request):
 # Irrelevant method for CSRF, bypass
 return
- if getattr(flask.g, "login_via_apikey", False):
- # API key authorization, bypass
+ session = getattr(flask, "session", {})
+ if len(session) == 0 or session.get("login_mechanism") == "apikey":
+ # empty session, not a browser context
 return
 if is_exempt(request.endpoint):
-- cgit v1.2.3
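Review bot: The bypass now keys on persisted session state instead of on how the current request authenticated: the removed check read `flask.g.login_via_apikey`, which loginFromApiKeyRequestHandler sets only for the request that actually presented a key, whereas `session.get("login_mechanism") == "apikey"` holds for every later request carrying a cookie from a session that loginUser (outside this diff) established after an API-key login. If a browser can ever end up holding such a session, it would keep skipping CSRF validation for the session's lifetime; whether loginUser writes the mechanism into a cookie-backed session is not visible here and should be confirmed before relying on this condition. The narrower form keeps the per-request signal and adds only the empty-session case the commit is after: `if len(session) == 0 or getattr(flask.g, "login_via_apikey", False):`. Separately, `getattr(flask, "session", {})` never falls back to `{}`, because `flask.session` is always present as a module attribute (a context-local proxy), so outside a request context `len(session)` raises RuntimeError rather than yielding 0; a plain `session = flask.session` states what actually happens. The enclosing validate_csrf_request continues past the hunk.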