dfir-iris · whikernel · Apr 23, 2025 · Apr 22, 2025 · Apr 22, 2025 · Apr 22, 2025
diff --git a/docker/nginx/nginx-newui.conf b/docker/nginx/nginx-newui.conf
@@ -26,7 +26,7 @@ events {
 
 http {
     map $request_uri $csp_header {
-        default "default-src 'self' https://analytics.dfir-iris.org https://127.0.0.1; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
+        default "default-src 'self' https://analytics.dfir-iris.org https://127.0.0.1 http://app:8000; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline'; img-src 'self' data:;";
     }
     include /etc/nginx/mime.types;
 

diff --git a/source/app/__init__.py b/source/app/__init__.py
@@ -116,15 +116,17 @@ def ac_current_user_has_manage_perms():
 
 set_celery_flask_context(celery, app)
 
-if app.config.get('DEVELOPMENT_ENABLED'):
-    CORS(app,
-         supports_credentials=True,
-         resources={r"/api/*": {"origins": [
-             "https://127.0.0.1:5137",
-             "https://localhost:5173",
-             "https://localhost",
-             "https://127.0.0.1"
-         ]}})
+#if app.config.get('DEVELOPMENT_ENABLED'):
+CORS(app,
+     supports_credentials=True,
+     resources={r"/api/*": {"origins": [
+         "https://127.0.0.1:5137",
+         "https://localhost:5173",
+         "https://localhost",
+         "https://127.0.0.1",
+         "http://app:8000",
+         "http://frontend:5173",
+     ]}})
 
 
 app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1)

diff --git a/source/app/blueprints/access_controls.py b/source/app/blueprints/access_controls.py
@@ -30,6 +30,7 @@
 from flask import request
 from flask import render_template
 from flask import session
+from flask import g
 from flask_login import current_user
 from flask_login import login_user
 from flask_wtf import FlaskForm
@@ -42,9 +43,11 @@
 from app import app
 from app import db
 from app.blueprints.responses import response_error
+from app.business.auth import validate_auth_token
 from app.datamgmt.case.case_db import get_case
 from app.datamgmt.manage.manage_access_control_db import user_has_client_access
 from app.datamgmt.manage.manage_users_db import get_user
+from app.iris_engine.access_control.iris_user import iris_current_user
 from app.iris_engine.access_control.utils import ac_fast_check_user_has_case_access
 from app.iris_engine.access_control.utils import ac_get_effective_permissions_of_user
 from app.iris_engine.utils.tracker import track_activity
@@ -55,12 +58,36 @@
 
 def _user_has_at_least_a_required_permission(permissions: list[Permissions]):
     """
-        Returns true as soon as the user has at least one permission in the list of permissions
-        Returns true if the list of required permissions is empty
+    Returns true if the user has at least one of the required permissions
+    Works with both session-based and token-based authentication
     """
     if not permissions:
         return True
 
+    # For token-based authentication
+    if hasattr(g, 'auth_token_user_id'):
+        # Use cached permissions from token if available
+        if hasattr(g, 'auth_user_permissions'):
+            user_permissions = g.auth_user_permissions
+        else:
+            # Lazy load permissions only once per request
+            from app.datamgmt.manage.manage_users_db import get_user
+            user = get_user(g.auth_token_user_id)
+            if not user:
+                return False
+
+            user_permissions = ac_get_effective_permissions_of_user(user)
+            g.auth_user_permissions = user_permissions  # Cache for this request
+
+        for permission in permissions:
+            if user_permissions & permission.value:
+                return True
+        return False
+
+    # For session-based authentication
+    if 'permissions' not in session:
+        session['permissions'] = ac_get_effective_permissions_of_user(current_user)
+
-    if 'permissions' not in session:
-        session['permissions'] = ac_get_effective_permissions_of_user(current_user)
+    if 'permissions' not in session:
+        session['permissions'] = ac_get_effective_permissions_of_user(iris_current_user)
-    if 'permissions' not in session:
-        session['permissions'] = ac_get_effective_permissions_of_user(current_user)
+    if 'permissions' not in session:
+        session['permissions'] = ac_get_effective_permissions_of_user(iris_current_user)
     for permission in permissions:
         if session['permissions'] & permission.value:
             return True
@@ -182,7 +209,7 @@ def _get_case_access(request_data, access_level, no_cid_required=False):
     if ctmp is not None:
         return redir, ctmp, has_access
 
-    eaccess_level = ac_fast_check_user_has_case_access(current_user.id, caseid, access_level)
+    eaccess_level = ac_fast_check_user_has_case_access(iris_current_user.id, caseid, access_level)
     if eaccess_level is None and access_level:
         _update_denied_case(caseid)
         return redir, caseid, False
@@ -218,8 +245,8 @@ def _is_csrf_token_valid():
 
 def _ac_return_access_denied(caseid: int = None):
     error_uuid = uuid.uuid4()
-    log.warning(f"Access denied to case #{caseid} for user ID {current_user.id}. Error {error_uuid}")
-    return render_template('pages/error-403.html', user=current_user, caseid=caseid, error_uuid=error_uuid,
+    log.warning(f"Access denied to case #{caseid} for user ID {iris_current_user.id}. Error {error_uuid}")
+    return render_template('pages/error-403.html', user=iris_current_user, caseid=caseid, error_uuid=error_uuid,
                            template_folder=TEMPLATE_PATH), 403
 
 
@@ -251,11 +278,11 @@ def get_case_access_from_api(request_data, access_level):
     redir, caseid, has_access = _get_caseid_from_request_data(request_data, False)
     redir = False
 
-    if not hasattr(current_user, 'id'):
+    if not hasattr(iris_current_user, 'id'):
         # Anonymous request, deny access
         return False, 1, False
 
-    eaccess_level = ac_fast_check_user_has_case_access(current_user.id, caseid, access_level)
+    eaccess_level = ac_fast_check_user_has_case_access(iris_current_user.id, caseid, access_level)
     if eaccess_level is None and access_level:
         return redir, caseid, False
 
@@ -321,19 +348,37 @@ def inner_wrap(f):
         @wraps(f)
         def wrap(*args, **kwargs):
             if not _is_csrf_token_valid():
-                return response_error('Invalid CSRF token')
+                if 'auth_token_user_id' not in g:
+                    return response_error('Invalid CSRF token')
 
             if not is_user_authenticated(request):
                 return response_error('Authentication required', status=401)
 
-            if 'permissions' not in session:
-                session['permissions'] = ac_get_effective_permissions_of_user(current_user)
+            # Set the user for token-based authentication
+            if hasattr(g, 'auth_token_user_id'):
+                from app.datamgmt.manage.manage_users_db import get_user
+                user = get_user(g.auth_token_user_id)
+                if not user:
+                    return response_error('User not found', status=404)
 
-            if not _user_has_at_least_a_required_permission(permissions):
-                return response_error('Permission denied', status=403)
+                # Create a compatibility layer for token auth
+                g.token_user = user
+
+                # Check permissions
+                if not _user_has_at_least_a_required_permission(permissions):
+                    return response_error('Permission denied', status=403)
+            else:
+                # Session-based auth - use the normal approach
+                if 'permissions' not in session:
+                    session['permissions'] = ac_get_effective_permissions_of_user(current_user)
+
+                if not _user_has_at_least_a_required_permission(permissions):
+                    return response_error('Permission denied', status=403)
 
             return f(*args, **kwargs)
+
         return wrap
+
     return inner_wrap
 
 
@@ -342,7 +387,7 @@ def inner_wrap(f):
         @wraps(f)
         def wrap(*args, **kwargs):
             client_id = kwargs.get('client_id')
-            if not user_has_client_access(current_user.id, client_id):
+            if not user_has_client_access(iris_current_user.id, client_id):
                 return _ac_return_access_denied()
 
             return f(*args, **kwargs)
@@ -364,7 +409,7 @@ def wrap(*args, **kwargs):
                 else:
                     return _ac_return_access_denied(caseid=0)
 
-                access = ac_fast_check_user_has_case_access(current_user.id, case_id, access_level)
+                access = ac_fast_check_user_has_case_access(iris_current_user.id, case_id, access_level)
                 if not access:
                     return _ac_return_access_denied(caseid=case_id)
 
@@ -375,7 +420,7 @@ def wrap(*args, **kwargs):
 
 
 def ac_api_return_access_denied(caseid: int = None):
-    user_id = current_user.id if hasattr(current_user, 'id') else 'Anonymous'
+    user_id = iris_current_user.id if hasattr(iris_current_user, 'id') else 'Anonymous'
     error_uuid = uuid.uuid4()
     log.warning(f"EID {error_uuid} - Access denied with case #{caseid} for user ID {user_id} "
                 f"accessing URI {request.full_path}")
@@ -392,7 +437,7 @@ def inner_wrap(f):
         @wraps(f)
         def wrap(*args, **kwargs):
             client_id = kwargs.get('client_id')
-            if not user_has_client_access(current_user.id, client_id):
+            if not user_has_client_access(iris_current_user.id, client_id):
                 return response_error("Permission denied", status=403)
 
             return f(*args, **kwargs)
@@ -497,7 +542,32 @@ def _oidc_proxy_authentication_process(incoming_request: Request):
 
 
 def _local_authentication_process(incoming_request: Request):
-    return current_user.is_authenticated
+    return iris_current_user.is_authenticated
+
+
+def _token_authentication_process(incoming_request: Request):
+    """
+    Process authentication using an Authorization header with Bearer token
+    """
+    auth_header = incoming_request.headers.get('Authorization', '')
+    if not auth_header.startswith('Bearer '):
+        return False
+
+    parts = auth_header.split(' ')
+    if len(parts) < 2:
+        return False
+
+    token = parts[1]
+    user_data = validate_auth_token(token)
+
+    if not user_data:
+        return False
+
+    # Store user data for later use
+    g.auth_user = user_data
+    g.auth_token_user_id = user_data['user_id']
+
-def _token_authentication_process(incoming_request: Request):
-    """
-    Process authentication using an Authorization header with Bearer token
-    """
-    auth_header = incoming_request.headers.get('Authorization', '')
-    if not auth_header.startswith('Bearer '):
-        return False
-
-    parts = auth_header.split(' ')
-    if len(parts) < 2:
-        return False
-
-    token = parts[1]
-    user_data = validate_auth_token(token)
-
-    if not user_data:
-        return False
-
-    # Store user data for later use
-    g.auth_user = user_data
-    g.auth_token_user_id = user_data['user_id']
+def _token_authentication_process(incoming_request: Request):
+    """
+    Process authentication using an Authorization header with Bearer token
+    """
+    auth_header = incoming_request.headers.get('Authorization', '')
+    if not auth_header.startswith('Bearer '):
+        return False
+
+    parts = auth_header.split(' ')
+    if len(parts) < 2:
+        return False
+
+    token = parts[1]
+    user_data = validate_auth_token(token)
+    if user_data and user_data.get('type') == 'refresh':
+        # Prevent privilege escalation with long‑lived refresh tokens
+        return False
+
+    if not user_data:
+        return False
+
+    # Store user data for later use
+    g.auth_user = user_data
+    g.auth_token_user_id = user_data['user_id']
-def _token_authentication_process(incoming_request: Request):
-    """
-    Process authentication using an Authorization header with Bearer token
-    """
-    auth_header = incoming_request.headers.get('Authorization', '')
-    if not auth_header.startswith('Bearer '):
-        return False
-
-    parts = auth_header.split(' ')
-    if len(parts) < 2:
-        return False
-
-    token = parts[1]
-    user_data = validate_auth_token(token)
-
-    if not user_data:
-        return False
-
-    # Store user data for later use
-    g.auth_user = user_data
-    g.auth_token_user_id = user_data['user_id']
+def _token_authentication_process(incoming_request: Request):
+    """
+    Process authentication using an Authorization header with Bearer token
+    """
+    auth_header = incoming_request.headers.get('Authorization', '')
+    if not auth_header.startswith('Bearer '):
+        return False
+
+    parts = auth_header.split(' ')
+    if len(parts) < 2:
+        return False
+
+    token = parts[1]
+    user_data = validate_auth_token(token)
+    if user_data and user_data.get('type') == 'refresh':
+        # Prevent privilege escalation with long‑lived refresh tokens
+        return False
+
+    if not user_data:
+        return False
+
+    # Store user data for later use
+    g.auth_user = user_data
+    g.auth_token_user_id = user_data['user_id']
+    return True
 
 
 def is_user_authenticated(incoming_request: Request):
@@ -508,6 +578,9 @@ def is_user_authenticated(incoming_request: Request):
         "oidc": _local_authentication_process,
     }
 
+    if _token_authentication_process(incoming_request):
+        return True
+
     return authentication_mapper.get(app.config.get("AUTHENTICATION_TYPE"))(incoming_request)
 
 

diff --git a/source/app/blueprints/graphql/graphql_route.py b/source/app/blueprints/graphql/graphql_route.py
@@ -21,7 +21,6 @@
 from flask import request
 from flask_wtf import FlaskForm
 from flask import Blueprint
-from flask_login import current_user
 
 from graphql_server.flask import GraphQLView
 from graphene import ObjectType
@@ -51,6 +50,7 @@
 
 from app.business.cases import cases_get_by_identifier
 from app.business.iocs import iocs_get
+from app.iris_engine.access_control.iris_user import iris_current_user
 from app.blueprints.graphql.permissions import permissions_check_current_user_has_some_case_access
 import warnings
 
@@ -70,7 +70,7 @@ class Query(ObjectType):
     @staticmethod
     def resolve_cases(root, info, classification_id=None, client_id=None, state_id=None, owner_id=None, open_date=None, name=None, soc_id=None,
                       severity_id=None, tags=None, open_since=None, **kwargs):
-        return build_filter_case_query(current_user.id, start_open_date=open_date, end_open_date=None, case_customer_id=client_id, case_ids=None,
+        return build_filter_case_query(iris_current_user.id, start_open_date=open_date, end_open_date=None, case_customer_id=client_id, case_ids=None,
                                        case_name=name, case_description=None, case_classification_id=classification_id, case_owner_id=owner_id,
                                        case_opening_user_id=None, case_severity_id=severity_id, case_state_id=state_id, case_soc_id=soc_id,
                                        case_tags=tags, case_open_since=open_since)

diff --git a/source/app/blueprints/graphql/permissions.py b/source/app/blueprints/graphql/permissions.py
@@ -20,10 +20,10 @@
 from uuid import uuid4
 
 from flask import session
-from flask_login import current_user
 from flask import request
 
 from app.blueprints.access_controls import get_case_access_from_api
+from app.iris_engine.access_control.iris_user import iris_current_user
 from app.iris_engine.access_control.utils import ac_get_effective_permissions_of_user
 from app.iris_engine.access_control.utils import ac_fast_check_current_user_has_case_access
 
@@ -66,7 +66,7 @@ def permissions_check_current_user_has_some_case_access_stricter(access_levels):
 # this method is used to replace annotation ac_api_requires
 def permissions_check_current_user_has_some_permission(permissions):
     if 'permissions' not in session:
-        session['permissions'] = ac_get_effective_permissions_of_user(current_user)
+        session['permissions'] = ac_get_effective_permissions_of_user(iris_current_user)
 
     for permission in permissions:
         if session['permissions'] & permission.value:

diff --git a/source/app/blueprints/pages/alerts/alerts_routes.py b/source/app/blueprints/pages/alerts/alerts_routes.py
@@ -20,7 +20,6 @@
 from flask import render_template
 from flask import redirect
 from flask import url_for
-from flask_login import current_user
 from flask_wtf import FlaskForm
 from typing import Union
 from werkzeug import Response
@@ -30,6 +29,7 @@
 from app.models.authorization import Permissions
 from app.blueprints.responses import response_error
 from app.blueprints.access_controls import ac_requires
+from app.iris_engine.access_control.iris_user import iris_current_user
 
 alerts_blueprint = Blueprint(
     'alerts',
@@ -78,7 +78,7 @@ def alert_comment_modal(cur_id, caseid, url_redir):
     if not alert:
         return response_error('Invalid alert ID')
 
-    if not user_has_client_access(current_user.id, alert.alert_customer_id):
+    if not user_has_client_access(iris_current_user.id, alert.alert_customer_id):
         return response_error('User not entitled to update alerts for the client', status=403)
 
     return render_template("modal_conversation.html", element_id=cur_id, element_type='alerts',

diff --git a/source/app/blueprints/pages/case/case_tasks_routes.py b/source/app/blueprints/pages/case/case_tasks_routes.py
@@ -20,9 +20,9 @@
 from flask import redirect
 from flask import render_template
 from flask import url_for
-from flask_login import current_user
 from flask_wtf import FlaskForm
 
+from app.iris_engine.access_control.iris_user import iris_current_user
 from app.datamgmt.case.case_db import get_case
 from app.datamgmt.case.case_tasks_db import get_case_tasks_comments_count
 from app.datamgmt.case.case_tasks_db import get_task
@@ -65,7 +65,7 @@ def case_add_task_modal(caseid, url_redir):
     form.task_status_id.choices = [(a.id, a.status_name) for a in get_tasks_status()]
     form.task_assignees_id.choices = []
 
-    return render_template("modal_add_case_task.html", form=form, task=task, uid=current_user.id, user_name=None,
+    return render_template("modal_add_case_task.html", form=form, task=task, uid=iris_current_user.id, user_name=None,
                            attributes=task.custom_attributes)
 
 

diff --git a/source/app/blueprints/pages/dashboard/dashboard_routes.py b/source/app/blueprints/pages/dashboard/dashboard_routes.py
@@ -20,10 +20,10 @@
 from flask import redirect
 from flask import render_template
 from flask import url_for
-from flask_login import current_user
 from flask_wtf import FlaskForm
 
 from app import app
+from app.iris_engine.access_control.iris_user import iris_current_user
 from app.datamgmt.dashboard.dashboard_db import get_tasks_status
 from app.forms import CaseGlobalTaskForm
 from app.iris_engine.access_control.utils import ac_get_user_case_counts
@@ -60,7 +60,7 @@ def index(caseid, url_redir):
 
     msg = None
 
-    acgucc = ac_get_user_case_counts(current_user.id)
+    acgucc = ac_get_user_case_counts(iris_current_user.id)
 
     data = {
         "user_open_count": acgucc[2],
@@ -87,7 +87,7 @@ def add_gtask_modal(caseid, url_redir):
     form.task_assignee_id.choices = [(user.id, user.name) for user in User.query.filter(User.active == True).order_by(User.name).all()]
     form.task_status_id.choices = [(a.id, a.status_name) for a in get_tasks_status()]
 
-    return render_template("modal_add_global_task.html", form=form, task=task, uid=current_user.id, user_name=None)
+    return render_template("modal_add_global_task.html", form=form, task=task, uid=iris_current_user.id, user_name=None)
 
 
 @dashboard_blueprint.route('/global/tasks/update/<int:cur_id>/modal', methods=['GET'])