From 5520a84062c7c709c233ca8cfdf502efac3ab8fe Mon Sep 17 00:00:00 2001
From: sadnub
Date: Tue, 22 Oct 2024 11:54:34 -0400
Subject: [PATCH] fix client ip not showing in audit log for sso logon and disable some unused urls and settings
---
 api/tacticalrmm/ee/sso/urls.py | 19 +++++--------------
 api/tacticalrmm/ee/sso/views.py | 22 +++++++++++++++++-----
 api/tacticalrmm/tacticalrmm/settings.py | 10 ++++++----
 3 files changed, 28 insertions(+), 23 deletions(-)
diff --git a/api/tacticalrmm/ee/sso/urls.py b/api/tacticalrmm/ee/sso/urls.py
index 60f59a77..6519a160 100644
--- a/api/tacticalrmm/ee/sso/urls.py
+++ b/api/tacticalrmm/ee/sso/urls.py
@@ -6,10 +6,7 @@ For details, see: https://license.tacticalrmm.com/ee
 from django.urls import path, include, re_path
 from allauth.socialaccount.providers.openid_connect.views import callback
-from allauth.headless.socialaccount.views import (
- RedirectToProviderView,
- ManageProvidersView,
-)
+from allauth.headless.socialaccount.views import RedirectToProviderView
 from allauth.headless.base.views import ConfigView
 from . import views
@@ -31,6 +28,7 @@ urlpatterns = [
 path("ssoproviders//", views.GetUpdateDeleteSSOProvider.as_view()),
 path("ssoproviders/token/", views.GetAccessToken.as_view()),
 path("ssoproviders/settings/", views.GetUpdateSSOSettings.as_view()),
+ path("ssoproviders/account/", views.DisconnectSSOAccount.as_view())
 ]
 allauth_urls = [
@@ -40,7 +38,7 @@ allauth_urls = [
 (
 [
 path(
- "config",
+ "config/",
 ConfigView.as_api_view(client="browser"),
 name="config",
 ),
@@ -50,19 +48,12 @@ allauth_urls = [
 (
 [
 path(
- "auth/provider/redirect",
+ "auth/provider/redirect/",
 RedirectToProviderView.as_api_view(
 client="browser"
 ),
 name="redirect_to_provider",
- ),
- path(
- "providers",
- ManageProvidersView.as_api_view(
- client="browser"
- ),
- name="manage_providers",
- ),
+ )
 ],
 "headless",
 ),
diff --git a/api/tacticalrmm/ee/sso/views.py b/api/tacticalrmm/ee/sso/views.py
index 24d1d849..7a5ddffe 100644
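Review bot: The new `path("ssoproviders/account/", views.DisconnectSSOAccount.as_view())` entry in the `urlpatterns` hunk has no trailing comma, unlike the three entries above it, and the `+ )` that now closes the single remaining `path(` in the `auth/provider/redirect/` hunk drops the comma the removed entry carried. Black's magic trailing comma would put both back, so the next formatter run will re-touch these lines; writing `path("ssoproviders/account/", views.DisconnectSSOAccount.as_view()),` and `),` now keeps the diff stable. The `urlpatterns` and `allauth_urls` lists both start and end outside their hunks.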
--- a/api/tacticalrmm/ee/sso/views.py
+++ b/api/tacticalrmm/ee/sso/views.py
@@ -6,7 +6,7 @@ For details, see: https://license.tacticalrmm.com/ee
 import re
-from allauth.socialaccount.models import SocialApp
+from allauth.socialaccount.models import SocialApp, SocialAccount
 from django.contrib.auth import logout
 from django.shortcuts import get_object_or_404
 from knox.views import LoginView as KnoxLoginView
@@ -124,6 +124,17 @@ class GetUpdateDeleteSSOProvider(APIView):
 return Response("ok")
+class DisconnectSSOAccount(APIView):
+ permission_classes = [IsAuthenticated, AccountsPerms]
+
+ def delete(self, request):
+ account = get_object_or_404(SocialAccount, uid=request.data["account"], provider=request.data["provider"])
+
+ account.delete()
+
+ return Response("ok")
+
+
 class GetAccessToken(KnoxLoginView):
 permission_classes = [IsAuthenticated, SSOLoginPerms]
 authentication_classes = [SessionAuthentication]
@@ -151,16 +162,17 @@ class GetAccessToken(KnoxLoginView):
 else:
 response.data["name"] = None
- AuditLog.audit_user_login_successful_sso(
- request.user.username, login_method["provider"], login_method
- )
-
 # log ip
 ipw = IpWare()
 client_ip, _ = ipw.get_client_ip(request.META)
 if client_ip:
 request.user.last_login_ip = str(client_ip)
 request.user.save(update_fields=["last_login_ip"])
+ login_method["ip"] = str(client_ip)
+
+ AuditLog.audit_user_login_successful_sso(
+ request.user.username, login_method["provider"], login_method
+ )
 # invalid user session since we have an access token now
 logout(request)
diff --git a/api/tacticalrmm/tacticalrmm/settings.py b/api/tacticalrmm/tacticalrmm/settings.py
index 8abc2d04..2f4576e0 100644
--- a/api/tacticalrmm/tacticalrmm/settings.py
+++ b/api/tacticalrmm/tacticalrmm/settings.py
@@ -172,7 +172,6 @@ INSTALLED_APPS = [
 "django.contrib.contenttypes",
 "django.contrib.sessions",
 "django.contrib.staticfiles",
- "django.contrib.messages",
 "channels",
 "rest_framework",
 "rest_framework.authtoken",
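Review bot: `DisconnectSSOAccount.delete` indexes `request.data["account"]` and `request.data["provider"]` directly, so a request missing either key raises KeyError and surfaces as a 500 instead of a 400; read them with `.get()` and reject empties before the lookup, e.g. `uid, provider = request.data.get("account"), request.data.get("provider")` followed by `if not uid or not provider: return Response("account and provider are required", status=400)`. The `get_object_or_404` lookup is also not scoped to any user, so whoever passes `AccountsPerms` can unlink any user's social account given its uid and provider — presumably the intent for an accounts-admin endpoint, but worth stating in a docstring, and since this file already writes SSO logins through `AuditLog`, recording who disconnected which user's account (capture `account.user` before `account.delete()`) would keep that trail complete. Note too that the identifiers travel in a DELETE body, which some HTTP clients and intermediaries drop; query parameters are the more reliable carrier for a DELETE.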
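Review bot: `login_method["ip"]` is assigned only inside `if client_ip:`, so when IpWare cannot determine an address the audit entry is written without an `ip` key at all rather than with an explicit empty value; setting it once before the branch, `login_method["ip"] = str(client_ip) if client_ip else None`, gives consumers of the audit log a consistent record shape. As far as I can tell, `IpWare()` with no proxy configuration also derives the address from client-settable forwarded headers, so the value stored in `last_login_ip` and now copied into the audit record is only as trustworthy as the reverse-proxy setup in front of the app; a short comment next to `# log ip` saying so, or configuring IpWare's trusted proxies, would help the next reader judge the field. The enclosing method starts and ends outside this hunk.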
@@ -237,7 +236,6 @@ MIDDLEWARE = [
 "django.middleware.common.CommonMiddleware",
 "django.middleware.csrf.CsrfViewMiddleware",
 "django.contrib.auth.middleware.AuthenticationMiddleware",
- "django.contrib.messages.middleware.MessageMiddleware",
 "tacticalrmm.middleware.AuditMiddleware",
 "allauth.account.middleware.AccountMiddleware",
 ]
@@ -255,8 +253,12 @@ if DEBUG and not DEMO:
 MIDDLEWARE.insert(0, "silk.middleware.SilkyMiddleware")
 if ADMIN_ENABLED:
- INSTALLED_APPS += ("django.contrib.admin",)
-
+ MIDDLEWARE += ("django.contrib.messages.middleware.MessageMiddleware",)
+ INSTALLED_APPS += (
+ "django.contrib.admin",
+ "django.contrib.messages",
+ )
+
 if DEMO:
 MIDDLEWARE += ("tacticalrmm.middleware.DemoMiddleware",)