fix: custom stylesheet and js are not loaded after OIDC authentication

* fix: allow access to assets and static endpoint * docs: improve details about authentication
writer · Aug 28, 2024 · e77d369 · e77d369
1 parent 9d3783d
commit e77d369
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/docs/framework/authentication.mdx b/docs/framework/authentication.mdx
@@ -9,6 +9,10 @@ The Writer Framework authentication module allows you to restrict access to your
   trigger authentication for certain pages exclusively.
 </Warning>
 
+<Warning>
+  Static assets exposed through `/static` and `/assets` endpoints are not protected with Authentication.
+</Warning>
+
 ## Use Basic Auth
 
 Basic Auth is a simple authentication method that uses a username and password. Authentication configuration is done in the [server_setup.py module](/framework/custom-server).

diff --git a/src/writer/auth.py b/src/writer/auth.py
@@ -191,14 +191,15 @@ def register(self,
         redirect_url = urljoin(self.host_url, self.callback_authorize)
         host_url_path = urlpath(self.host_url)
         callback_authorize_path = urljoin(host_url_path, self.callback_authorize)
-        static_assets_path = urljoin(host_url_path, "static")
+
+        auth_ignored_prefix_paths = [urljoin(host_url_path, "static"), urljoin(host_url_path, "assets")]
 
         logger.debug(f"[auth] oidc - url redirect: {redirect_url}")
         logger.debug(f"[auth] oidc - endpoint authorize: {self.url_authorize}")
         logger.debug(f"[auth] oidc - endpoint token: {self.url_oauthtoken}")
         logger.debug(f"[auth] oidc - path: {host_url_path}")
-        logger.debug(f"[auth] oidc - authorize path: {callback_authorize_path}")
-        logger.debug(f"[auth] oidc - static asset path: {static_assets_path}")
+        logger.debug(f"[auth] oidc - callback authorize path: {callback_authorize_path}")
+        logger.debug(f"[auth] oidc - auth ignored prefix paths: {auth_ignored_prefix_paths}")
         self.authlib = OAuth2Session(
             client_id=self.client_id,
             client_secret=self.client_secret,
@@ -215,7 +216,8 @@ def register(self,
         async def oidc_middleware(request: Request, call_next):
             session = request.cookies.get('session')
 
-            if session is not None or request.url.path in [callback_authorize_path] or request.url.path.startswith(static_assets_path):
+            is_one_of_url_prefix_allowed = any(request.url.path.startswith(url_prefix) for url_prefix in auth_ignored_prefix_paths)
+            if session is not None or request.url.path in [callback_authorize_path] or is_one_of_url_prefix_allowed:
                 response: Response = await call_next(request)
                 return response
             else: