WIP Don't use tokens in UI

cvat-core/src/api-implementation.ts

@@ -137,10 +137,6 @@ export default function implementAPI(cvat: CVATCore): CVATCore {
         const result = await serverProxy.server.setAuthData(response);
         return result;
     });
-    implementationMixin(cvat.server.removeAuthData, async () => {
-        const result = await serverProxy.server.removeAuthData();
-        return result;
-    });
     implementationMixin(cvat.server.installedApps, async () => {
         const result = await serverProxy.server.installedApps();
         return result;

cvat-core/src/api.ts

@@ -122,10 +122,6 @@ function build(): CVATCore {
                 const result = await PluginRegistry.apiWrapper(cvat.server.setAuthData, response);
                 return result;
             },
-            async removeAuthData() {
-                const result = await PluginRegistry.apiWrapper(cvat.server.removeAuthData);
-                return result;
-            },
             async installedApps() {
                 const result = await PluginRegistry.apiWrapper(cvat.server.installedApps);
                 return result;

cvat-core/src/index.ts

@@ -71,7 +71,6 @@ export default interface CVATCore {
         healthCheck: any;
         request: any;
         setAuthData: any;
-        removeAuthData: any;
         installedApps: any;
         apiSchema: typeof serverProxy.server.apiSchema;
     };

cvat-core/src/server-proxy.ts

@@ -358,10 +358,10 @@ Axios.interceptors.response.use((response) => {
     return response;
 });
 
-let token = store.get('token');
-if (token) {
-    Axios.defaults.headers.common.Authorization = `Token ${token}`;
-}
+// Previously, we used to store an additional authentication token in local storage.
+// Now we don't, and if the user still has one stored, we'll remove it to prevent
+// unnecessary credential exposure.
+store.remove('token');
 
 function setAuthData(response: AxiosResponse): void {
     if (response.headers['set-cookie']) {
@@ -370,18 +370,6 @@ function setAuthData(response: AxiosResponse): void {
         const cookies = response.headers['set-cookie'].join(';');
         Axios.defaults.headers.common.Cookie = cookies;
     }
-
-    if (response.data.key) {
-        token = response.data.key;
-        store.set('token', token);
-        Axios.defaults.headers.common.Authorization = `Token ${token}`;
-    }
-}
-
-function removeAuthData(): void {
-    Axios.defaults.headers.common.Authorization = '';
-    store.remove('token');
-    token = null;
 }
 
 async function about(): Promise<SerializedAbout> {
@@ -474,7 +462,6 @@ async function register(
 }
 
 async function login(credential: string, password: string): Promise<void> {
-    removeAuthData();
     let authenticationResponse = null;
     try {
         authenticationResponse = await Axios.post(`${config.backendAPI}/auth/login`, {
@@ -491,7 +478,6 @@ async function login(credential: string, password: string): Promise<void> {
 async function logout(): Promise<void> {
     try {
         await Axios.post(`${config.backendAPI}/auth/logout`);
-        removeAuthData();
     } catch (errorData) {
         throw generateError(errorData);
     }
@@ -570,17 +556,9 @@ async function getSelf(): Promise<SerializedUser> {
 
 async function authenticated(): Promise<boolean> {
     try {
-        // In CVAT app we use two types of authentication
-        // At first we check if authentication token is present
-        // Request in getSelf will provide correct authentication cookies
-        if (!store.get('token')) {
-            removeAuthData();
-            return false;
-        }
         await getSelf();
     } catch (serverError) {
         if (serverError.code === 401) {
-            removeAuthData();
             return false;
         }
 
@@ -2345,7 +2323,6 @@ async function calculateAnalyticsReport(
 export default Object.freeze({
     server: Object.freeze({
         setAuthData,
-        removeAuthData,
         about,
         share,
         formats,

cvat/apps/iam/authentication.py

@@ -52,21 +52,6 @@ def unsign(self, signature, url):
         except User.DoesNotExist:
             raise signing.BadSignature()
 
-# Even with token authentication it is very important to have a valid session id
-# in cookies because in some cases we cannot use token authentication (e.g. when
-# we redirect to the server in UI using just URL). To overkill that we override
-# the class to call `login` method which restores the session id in cookies.
-class TokenAuthenticationEx(TokenAuthentication):
-    def authenticate(self, request):
-        auth = super().authenticate(request)
-        # drf_spectacular uses mock requests without session field
-        session = getattr(request, 'session', None)
-        if (auth is not None and
-            session is not None and
-            (session.session_key is None or (not session.modified and not session.load()))):
-            login(request, auth[0], 'django.contrib.auth.backends.ModelBackend')
-        return auth
-
 class SignatureAuthentication(BaseAuthentication):
     """
     Authentication backend for signed URLs.

cvat/settings/base.py

@@ -134,7 +134,7 @@ def generate_secret_key():
         'cvat.apps.iam.permissions.PolicyEnforcer',
     ],
     'DEFAULT_AUTHENTICATION_CLASSES': [
-        'cvat.apps.iam.authentication.TokenAuthenticationEx',
+        'rest_framework.authentication.TokenAuthentication',
         'cvat.apps.iam.authentication.SignatureAuthentication',
         'rest_framework.authentication.SessionAuthentication',
         'rest_framework.authentication.BasicAuthentication'