dimagi · gherceg · Jan 28, 2025 · Jan 28, 2025 · Jan 28, 2025 · Jan 28, 2025
@@ -157,7 +157,7 @@ def real_decorator(view):
         def wrapper(request, *args, **kwargs):
             username, password = get_username_and_password_from_request(request)
             if username and password:
-                request.check_for_password_as_api_key = True
+                request.check_for_api_key_as_password = True
                 user = authenticate(username=username, password=password, request=request)
                 if user is not None and user.is_active:
                     request.user = user
@@ -212,7 +212,7 @@ def _inner(request, *args, **kwargs):
 class ApiKeyFallbackBackend(object):
 
     def authenticate(self, request, username, password):
-        if not getattr(request, 'check_for_password_as_api_key', False):
+        if not getattr(request, 'check_for_api_key_as_password', False):
             return None
 
         try:

@@ -364,7 +364,9 @@ def login_or_oauth2_ex(allow_cc_users=False, allow_sessions=True, require_domain
     )
 
 
-def get_multi_auth_decorator(default, allow_formplayer=False, oauth_scopes=None, allow_creds_in_data=True):
+def get_multi_auth_decorator(
+    default, allow_formplayer=False, oauth_scopes=None, allow_creds_in_data=True, allow_api_key_as_password=False
+):
     """
     :param allow_formplayer: If True this will allow one additional auth mechanism which is used
          by Formplayer:
@@ -373,6 +375,7 @@ def get_multi_auth_decorator(default, allow_formplayer=False, oauth_scopes=None,
              formplayer can not use the session cookie to auth. To allow formplayer access to the
              endpoints we validate each formplayer request using a shared key. See the auth
              function for more details.
+    :param allow_api_key_as_password: If True, allows API Key to be used in BASIC auth
     """
     oauth_scopes = oauth_scopes or ['access_apis']
 
@@ -391,6 +394,7 @@ def _inner(request, *args, **kwargs):
                 allow_cc_users=True,
                 oauth_scopes=oauth_scopes,
                 allow_creds_in_data=allow_creds_in_data,
+                allow_api_key_as_password=allow_api_key_as_password,
             )[authtype]
             return function_wrapper(fn)(request, *args, **kwargs)
         return _inner
@@ -410,12 +414,13 @@ def wrapped_view(*args, **kwargs):
     return wraps(view_func)(wrapped_view)
 
 
-def api_auth(*, allow_creds_in_data=True, oauth_scopes=None):
+def api_auth(*, allow_creds_in_data=True, oauth_scopes=None, allow_api_key_as_password=False):
     """Allow any auth type basic, digest, session, apikey, or oauth"""
     return get_multi_auth_decorator(
         default=DIGEST,
         oauth_scopes=oauth_scopes,
         allow_creds_in_data=allow_creds_in_data,
+        allow_api_key_as_password=allow_api_key_as_password,
     )
 
 
@@ -435,6 +440,7 @@ def get_auth_decorator_map(
         allow_sessions=True,
         oauth_scopes=None,
         allow_creds_in_data=True,
+        allow_api_key_as_password=False,
 ):
     # get a mapped set of decorators for different auth types with the specified parameters
     oauth_scopes = oauth_scopes or ['access_apis']
@@ -443,9 +449,17 @@ def get_auth_decorator_map(
         'require_domain': require_domain,
         'allow_sessions': allow_sessions,
     }
+
-
+
+    assert not allow_api_key_as_password or require_domain, \
+        "It is unexpected to allow API key as password and not require domain"
-
+
+    assert not allow_api_key_as_password or require_domain, \
+        "It is unexpected to allow API key as password and not require domain"
+    if allow_api_key_as_password:
+        copied_kwargs = decorator_function_kwargs.copy()
+        copied_kwargs.pop('require_domain')
+        basic_auth_fn = login_or_basic_or_api_key_ex(**copied_kwargs)
+    else:
+        basic_auth_fn = login_or_basic_ex(**decorator_function_kwargs)
+
     return {
         DIGEST: login_or_digest_ex(**decorator_function_kwargs),
-        BASIC: login_or_basic_ex(**decorator_function_kwargs),
+        BASIC: basic_auth_fn,
         API_KEY: login_or_api_key_ex(allow_creds_in_data=allow_creds_in_data,
                                      **decorator_function_kwargs),
         OAUTH2: login_or_oauth2_ex(oauth_scopes=oauth_scopes, **decorator_function_kwargs),

diff --git a/corehq/apps/domain/tests/test_api_key_auth.py b/corehq/apps/domain/tests/test_api_key_auth.py
@@ -1,3 +1,5 @@
+import base64
+
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpResponse
 from django.test import RequestFactory, TestCase
@@ -53,9 +55,9 @@ def setUpClass(cls):
         cls.user = WebUser.create(cls.domain, USERNAME, 'password', None, None)
         cls.api_key = HQApiKey.objects.create(user=cls.user.get_django_user()).plaintext_key
 
-    def call_api(self, request, allow_creds_in_data):
+    def call_api(self, request, allow_creds_in_data=False, allow_api_key_as_password=False):
 
-        @api_auth(allow_creds_in_data=allow_creds_in_data)
+        @api_auth(allow_creds_in_data=allow_creds_in_data, allow_api_key_as_password=allow_api_key_as_password)
         def api_view(request, domain):
             return HttpResponse()
 
@@ -80,3 +82,14 @@ def test_credentials_in_data(self):
 
         res = self.call_api(request, allow_creds_in_data=False)
         self.assertEqual(res.status_code, 401)
+
+    def test_credentials_with_basic_auth(self):
+        request = self.factory.get('/myapi/')
+        encoded_creds = base64.b64encode(f"{USERNAME}:{self.api_key}".encode('utf-8')).decode('utf-8')
+        request.META['HTTP_AUTHORIZATION'] = f"basic {encoded_creds}"
+
+        res = self.call_api(request, allow_api_key_as_password=False)
+        self.assertEqual(res.status_code, 401)
+
+        res = self.call_api(request, allow_api_key_as_password=True)
+        self.assertEqual(res.status_code, 200)
diff --git a/corehq/apps/domain/tests/test_auth.py b/corehq/apps/domain/tests/test_auth.py
@@ -195,7 +195,7 @@ def _create_request(cls, can_use_api_key=True, for_domain='test-domain', ip='127
             request.META['HTTP_X_FORWARDED_FOR'] = ip
 
         if can_use_api_key:
-            request.check_for_password_as_api_key = True
+            request.check_for_api_key_as_password = True
 
         return request
 

diff --git a/corehq/apps/export/views/list.py b/corehq/apps/export/views/list.py
@@ -806,7 +806,7 @@ def can_download_daily_saved_export(export, domain, couch_user):
 
 @location_safe
 @csrf_exempt
-@api_auth()
+@api_auth(allow_api_key_as_password=True)
 @require_GET
 def download_daily_saved_export(req, domain, export_instance_id):
     with CriticalSection(['export-last-accessed-{}'.format(export_instance_id)]):