Added _edit_only auth types
authorAdam Dullage <redacted>
Fri, 28 Jul 2023 07:17:58 +0000 (08:17 +0100)
committerAdam Dullage <redacted>
Fri, 28 Jul 2023 07:17:58 +0000 (08:17 +0100)
flatnotes/auth.py
flatnotes/config.py
flatnotes/main.py

index 952a898556a143eea038dcb34e58608d47b9832c..7ea6871c4dde7f5a010a9307e6171fe265f59fe9 100644 (file)
@@ -40,3 +40,20 @@ def validate_token(token: str = Depends(oauth2_scheme)):
             detail="Invalid authentication credentials",
             headers={"WWW-Authenticate": "Bearer"},
         )
+
+
+def no_auth():
+    return
+
+
+def get_auth(for_edit: bool = True):
+    if config.auth_type == AuthType.NONE:
+        return no_auth
+    elif (
+        config.auth_type
+        in [AuthType.PASSWORD_EDIT_ONLY, AuthType.TOTP_EDIT_ONLY]
+        and for_edit is False
+    ):
+        return no_auth
+    else:
+        return validate_token
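Review bot: get_auth is the new authorization decision point yet carries no docstring, and the read-only exemption it grants for the *_EDIT_ONLY types is exactly what a future maintainer needs spelled out; suggest `"""Return the dependency guarding a route: no_auth when auth is disabled or when the route is read-only (for_edit=False) and an *_EDIT_ONLY type is configured, validate_token otherwise."""`. The default `for_edit=True` is the safe (fail-closed) choice and is worth stating in that docstring so nobody "simplifies" it. Because the call sites in main.py invoke `get_auth(...)` inside the route decorators, the choice is made once at import time from `config.auth_type`, not per request; a comment such as `# Resolved once at route definition, so config.auth_type must be final before main.py is imported.` would make that explicit. Minor style: `and for_edit is False` reads more naturally as `and not for_edit`, and the list literal could be a tuple. validate_token itself starts before this hunk.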
index 9dc98237d9fe16f4c7b39458cbdcacc9c4e6ae39..482fb408b2c6ef5cc1f0758983fe745bed7495dd 100644 (file)
@@ -9,7 +9,9 @@ from logger import logger
 class AuthType(str, Enum):
     NONE = "none"
     PASSWORD = "password"
+    PASSWORD_EDIT_ONLY = "password_edit_only"
     TOTP = "totp"
+    TOTP_EDIT_ONLY = "totp_edit_only"
 
 
 class Config:
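Review bot: Adding PASSWORD_EDIT_ONLY and TOTP_EDIT_ONLY to the enum means any existing equality check elsewhere (for example a `config.auth_type == AuthType.TOTP` guard around TOTP secret loading, or a login-route check against PASSWORD/TOTP) would not match the new variants; the Config class body and main.py's login code are outside this hunk, so this is inferred, but it is worth a grep before merging. Centralising the classification on the enum keeps such checks from drifting, e.g. `def uses_totp(self) -> bool: return self in (AuthType.TOTP, AuthType.TOTP_EDIT_ONLY)` and a matching `uses_password`. A one-line comment on the two new members, `# Same credential as the base type, but only edit routes require a token.`, would document the intended semantics where the values are defined.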
index c9bdc2ba5e1d31b1157ecd5854d27fc666ae89d3..79e10f2ad071e9962690df981cbf57ceb60077c9 100644 (file)
@@ -7,7 +7,7 @@ from fastapi.responses import HTMLResponse
 from fastapi.staticfiles import StaticFiles
 from qrcode import QRCode
 
-from auth import create_access_token, validate_token
+from auth import create_access_token, get_auth, validate_token
 from config import AuthType, config
 from error_responses import (
     invalid_title_response,
@@ -87,8 +87,12 @@ def root(title: str = ""):
     return HTMLResponse(content=html)
 
 
-@app.post("/api/notes", response_model=NoteModel)
-def post_note(data: NoteModel, _: str = Depends(validate_token)):
+@app.post(
+    "/api/notes",
+    dependencies=[Depends(get_auth(for_edit=True))],
+    response_model=NoteModel,
+)
+def post_note(data: NoteModel):
     """Create a new note."""
     try:
         note = Note(flatnotes, data.title, new=True)
@@ -100,11 +104,14 @@ def post_note(data: NoteModel, _: str = Depends(validate_token)):
         return title_exists_response
 
 
-@app.get("/api/notes/{title}", response_model=NoteModel)
+@app.get(
+    "/api/notes/{title}",
+    dependencies=[Depends(get_auth(for_edit=False))],
+    response_model=NoteModel,
+)
 def get_note(
     title: str,
     include_content: bool = True,
-    _: str = Depends(validate_token),
 ):
     """Get a specific note."""
     try:
@@ -116,10 +123,12 @@ def get_note(
         return note_not_found_response
 
 
-@app.patch("/api/notes/{title}", response_model=NoteModel)
-def patch_note(
-    title: str, new_data: NotePatchModel, _: str = Depends(validate_token)
-):
+@app.patch(
+    "/api/notes/{title}",
+    dependencies=[Depends(get_auth(for_edit=True))],
+    response_model=NoteModel,
+)
+def patch_note(title: str, new_data: NotePatchModel):
     try:
         note = Note(flatnotes, title)
         if new_data.new_title is not None:
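Review bot: The rewritten signature `def patch_note(title: str, new_data: NotePatchModel):` still has no docstring, unlike the sibling routes post_note, get_note, get_tags and search in this file; suggest `"""Update an existing note."""` here and `"""Delete a note."""` on the equally rewritten `def delete_note(title: str):` in the next hunk. Both route bodies continue outside their hunks.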
@@ -135,8 +144,10 @@ def patch_note(
         return note_not_found_response
 
 
-@app.delete("/api/notes/{title}")
-def delete_note(title: str, _: str = Depends(validate_token)):
+@app.delete(
+    "/api/notes/{title}", dependencies=[Depends(get_auth(for_edit=True))]
+)
+def delete_note(title: str):
     try:
         note = Note(flatnotes, title)
         note.delete()
@@ -146,19 +157,25 @@ def delete_note(title: str, _: str = Depends(validate_token)):
         return note_not_found_response
 
 
-@app.get("/api/tags")
-def get_tags(_: str = Depends(validate_token)):
+@app.get(
+    "/api/tags",
+    dependencies=[Depends(get_auth(for_edit=False))],
+)
+def get_tags():
     """Get a list of all indexed tags."""
     return flatnotes.get_tags()
 
 
-@app.get("/api/search", response_model=List[SearchResultModel])
+@app.get(
+    "/api/search",
+    dependencies=[Depends(get_auth(for_edit=False))],
+    response_model=List[SearchResultModel],
+)
 def search(
     term: str,
     sort: Literal["score", "title", "lastModified"] = "score",
     order: Literal["asc", "desc"] = "desc",
     limit: int = None,
-    _: str = Depends(validate_token),
 ):
     """Perform a full text search on all notes."""
     if sort == "lastModified":