Skip to content

Commit 1b01e0a

Browse files
committed
Add a user agent with documentation
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
1 parent a66b8a1 commit 1b01e0a

2 files changed

Lines changed: 52 additions & 5 deletions

File tree

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
#
2+
# Copyright (c) nexB Inc. and others. All rights reserved.
3+
# VulnerableCode is a trademark of nexB Inc.
4+
# SPDX-License-Identifier: Apache-2.0
5+
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
6+
# See https://github.com/aboutcode-org/vulnerablecode for support or download.
7+
# See https://aboutcode.org for more information about nexB OSS projects.
8+
#
9+
10+
from django.conf import settings
11+
from django.http import JsonResponse
12+
13+
14+
class VCIOUserAgentMiddleware:
15+
"""
16+
Allow API access only when the User-Agent matches VCIO_USER_AGENT.
17+
"""
18+
19+
def __init__(self, get_response):
20+
self.get_response = get_response
21+
22+
def __call__(self, request):
23+
if request.path.startswith("/api/") and not request.path.startswith(
24+
("/api/docs/", "/api/schema/")
25+
):
26+
user_agent = request.headers.get("User-Agent", "")
27+
docs_url = request.build_absolute_uri("/api/docs/")
28+
if user_agent != settings.VCIO_USER_AGENT:
29+
return JsonResponse(
30+
{
31+
"detail": (
32+
"Unauthorized client. Please refer to the API "
33+
"documentation at "
34+
f"{docs_url}"
35+
)
36+
},
37+
status=403,
38+
)
39+
40+
return self.get_response(request)

vulnerablecode/settings.py

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -112,6 +112,7 @@
112112
"vulnerabilities.middleware.ban_user_agent.BanUserAgent",
113113
"vulnerabilities.middleware.timezone.UserTimezoneMiddleware",
114114
"vulnerabilities.middleware.altcha_protection.AltchaProtectionMiddleware",
115+
"vulnerabilities.middleware.vcio_user_agent.VCIOUserAgentMiddleware",
115116
)
116117

117118
ROOT_URLCONF = "vulnerablecode.urls"
@@ -195,11 +196,13 @@
195196
LOGIN_REDIRECT_URL = "/"
196197
LOGOUT_REDIRECT_URL = "/"
197198

198-
THROTTLE_RATE_ANON = env.str("THROTTLE_RATE_ANON", default="3600/hour")
199+
THROTTLE_RATE_ANON = env.str("THROTTLE_RATE_ANON", default="10/minute")
199200
THROTTLE_RATE_UI = env.str("THROTTLE_RATE_UI", default="15/minute")
200-
THROTTLE_RATE_USER_HIGH = env.str("THROTTLE_RATE_USER_HIGH", default="18000/hour")
201-
THROTTLE_RATE_USER_MEDIUM = env.str("THROTTLE_RATE_USER_MEDIUM", default="14400/hour")
202-
THROTTLE_RATE_USER_LOW = env.str("THROTTLE_RATE_USER_LOW", default="10800/hour")
201+
THROTTLE_RATE_USER_HIGH = env.str("THROTTLE_RATE_USER_HIGH", default="1/second")
202+
THROTTLE_RATE_USER_MEDIUM = env.str("THROTTLE_RATE_USER_MEDIUM", default="30/minute")
203+
THROTTLE_RATE_USER_LOW = env.str("THROTTLE_RATE_USER_LOW", default="20/minute")
204+
205+
VCIO_USER_AGENT = env.str("VCIO_USER_AGENT", default="VCIO_API_AGENT")
203206

204207
REST_FRAMEWORK_DEFAULT_THROTTLE_RATES = {
205208
"anon": THROTTLE_RATE_ANON,
@@ -263,8 +266,12 @@
263266
"DATETIME_FORMAT": "%Y-%m-%dT%H:%M:%SZ",
264267
}
265268

266-
api_doc_intro = """
269+
api_doc_intro = f"""
267270
<div>
271+
<strong>Note:</strong> All API requests must include the following
272+
<code>User-Agent</code> header:
273+
<pre>User-Agent: {VCIO_USER_AGENT} </pre>
274+
Requests without this exact header value will be rejected.
268275
<p><strong>VulnerableCode</strong> is open data and free software by
269276
<a href="https://github.com/nexB/vulnerablecode"> nexB Inc. and others.</a>
270277
</p>

0 commit comments

Comments
 (0)