diff --git a/routes/admin_api.py b/routes/admin_api.py
index 6a77510..7f80ec5 100644
--- a/routes/admin_api.py
+++ b/routes/admin_api.py
@@ -11,6 +11,7 @@ import jwt
 from werkzeug.security import generate_password_hash
 import secrets
 from flask_login import login_user
+from flask_wtf.csrf import csrf_exempt
 admin_api = Blueprint('admin_api', __name__)
@@ -72,6 +73,7 @@ def validate_management_api_key(api_key):
 return False
 @admin_api.route('/login', methods=['POST'])
+@csrf_exempt
 def admin_login():
 try:
 # Check if this is an API request
@@ -130,6 +132,7 @@ def admin_login():
 return redirect(url_for('auth.login'))
 @admin_api.route('/management-token', methods=['POST'])
+@csrf_exempt
 def get_management_token():
 """Generate a JWT token for the management tool using API key authentication"""
 api_key = request.headers.get('X-API-Key')
@@ -147,6 +150,7 @@ def get_management_token():
 })
 @admin_api.route('/management-api-key', methods=['POST'])
+@csrf_exempt
 @token_required
 def create_management_api_key(current_user):
 """Create a new API key for the management tool (only accessible by admin users)"""
@@ -174,6 +178,7 @@ def create_management_api_key(current_user):
 }), 201
 @admin_api.route('/management-api-keys', methods=['GET'])
+@csrf_exempt
 @token_required
 def list_management_api_keys(current_user):
 """List all management API keys (only accessible by admin users)"""
@@ -191,6 +196,7 @@ def list_management_api_keys(current_user):
 } for key in keys])
 @admin_api.route('/management-api-key/', methods=['DELETE'])
+@csrf_exempt
 @token_required
 def revoke_management_api_key(current_user, key_id):
 """Revoke a management API key (only accessible by admin users)"""
@@ -207,6 +213,7 @@ def revoke_management_api_key(current_user, key_id):
 # Key-Value Settings CRUD
 @admin_api.route('/key-value', methods=['GET'])
+@csrf_exempt
 @token_required
 def get_key_values(current_user):
 settings = KeyValueSettings.query.all()
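Review bot: `from flask_wtf.csrf import csrf_exempt` imports a name I do not believe Flask-WTF exports; its exemption API is the `exempt` method on the application's `CSRFProtect` instance (used as `@csrf.exempt`), so unless the project defines a `csrf_exempt` helper of its own this import raises at blueprint load time. The decorator therefore needs access to the app's `csrf` object (or a helper that resolves it lazily) rather than a bare module import. Confirm against the installed Flask-WTF version before merging.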
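Review bot: Exempting `admin_login` from CSRF removes protection from the one route in this file that presumably establishes a browser session (`login_user` is imported above, and the `# Check if this is an API request` comment suggests the handler serves both a form and an API client), which exposes the cookie-based login path to login CSRF. If the goal is to let the management tool POST without a form token, keep the form branch CSRF-protected and handle the API branch separately, e.g. by leaving `/login` protected and exempting only `get_management_token`, which authenticates from the `X-API-Key` header and sets no session. The rest of `admin_login` is outside the hunk, so whether the API branch is distinguishable before CSRF validation runs cannot be confirmed here.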
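Review bot: `@csrf_exempt` on the GET routes (`list_management_api_keys`, `get_key_values`, and the GET routes in the later hunks for contacts, statistics, settings, logs and mail logs) has no effect, because Flask-WTF only validates CSRF for the methods in `WTF_CSRF_METHODS` (POST, PUT, PATCH, DELETE by default), so those decorators are noise that implies a protection that was never applied. For the mutating routes, starting with `create_management_api_key` and `revoke_management_api_key` here and continuing through `create_key_value`, `create_contact`, `update_settings`, `resend_setup_mail` and the other POST/PUT/DELETE hunks, the exemption is safe only if `token_required` authenticates solely from a header-carried JWT and never falls back to the session cookie; if it accepts the cookie, a logged-in admin's browser can be made to issue these requests cross-site. `token_required` is defined outside the hunk, so that property should be verified, and it would be worth stating in a comment such as `# CSRF-exempt: authenticated by bearer JWT only, never by session cookie` at the first exempted route. If every route in the blueprint is header-authenticated, a single blueprint-level exemption expresses that more clearly than twenty per-route decorators.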
@@ -221,6 +228,7 @@ def get_key_value(current_user, key):
 return jsonify({'key': setting.key, 'value': setting.value})
 @admin_api.route('/key-value', methods=['POST'])
+@csrf_exempt
 @token_required
 def create_key_value(current_user):
 data = request.get_json()
@@ -233,6 +241,7 @@ def create_key_value(current_user):
 return jsonify({'message': 'Key-value pair created successfully'}), 201
 @admin_api.route('/key-value/', methods=['PUT'])
+@csrf_exempt
 @token_required
 def update_key_value(current_user, key):
 setting = KeyValueSettings.query.filter_by(key=key).first()
@@ -248,6 +257,7 @@ def update_key_value(current_user, key):
 return jsonify({'message': 'Key-value pair updated successfully'})
 @admin_api.route('/key-value/', methods=['DELETE'])
+@csrf_exempt
 @token_required
 def delete_key_value(current_user, key):
 setting = KeyValueSettings.query.filter_by(key=key).first()
@@ -260,6 +270,7 @@ def delete_key_value(current_user, key):
 # Contacts (Users) CRUD
 @admin_api.route('/contacts', methods=['GET'])
+@csrf_exempt
 @token_required
 def get_contacts(current_user):
 users = User.query.all()
@@ -276,6 +287,7 @@ def get_contacts(current_user):
 } for user in users])
 @admin_api.route('/contacts/', methods=['GET'])
+@csrf_exempt
 @token_required
 def get_contact(current_user, user_id):
 user = User.query.get(user_id)
@@ -294,6 +306,7 @@ def get_contact(current_user, user_id):
 })
 @admin_api.route('/contacts', methods=['POST'])
+@csrf_exempt
 @token_required
 def create_contact(current_user):
 data = request.get_json()
@@ -319,6 +332,7 @@ def create_contact(current_user):
 return jsonify({'message': 'Contact created successfully', 'id': user.id}), 201
 @admin_api.route('/contacts/', methods=['PUT'])
+@csrf_exempt
 @token_required
 def update_contact(current_user, user_id):
 user = User.query.get(user_id)
@@ -345,6 +359,7 @@ def update_contact(current_user, user_id):
 return jsonify({'message': 'Contact updated successfully'})
 @admin_api.route('/contacts/', methods=['DELETE'])
+@csrf_exempt
 @token_required
 def delete_contact(current_user, user_id):
 user = User.query.get(user_id)
@@ -357,6 +372,7 @@ def delete_contact(current_user, user_id):
 # Statistics
 @admin_api.route('/statistics', methods=['GET'])
+@csrf_exempt
 @token_required
 def get_statistics(current_user):
 room_count = Room.query.count()
@@ -376,6 +392,7 @@ def get_statistics(current_user):
 # Website Settings CRUD
 @admin_api.route('/settings', methods=['GET'])
+@csrf_exempt
 @token_required
 def get_settings(current_user):
 settings = SiteSettings.get_settings()
@@ -397,6 +414,7 @@ def get_settings(current_user):
 })
 @admin_api.route('/settings', methods=['PUT'])
+@csrf_exempt
 @token_required
 def update_settings(current_user):
 settings = SiteSettings.get_settings()
@@ -411,6 +429,7 @@ def update_settings(current_user):
 # Website Logs
 @admin_api.route('/logs', methods=['GET'])
+@csrf_exempt
 @token_required
 def get_logs(current_user):
 page = request.args.get('page', 1, type=int)
@@ -437,6 +456,7 @@ def get_logs(current_user):
 # Mail Logs
 @admin_api.route('/mail-logs', methods=['GET'])
+@csrf_exempt
 @token_required
 def get_mail_logs(current_user):
 page = request.args.get('page', 1, type=int)
@@ -463,6 +483,7 @@ def get_mail_logs(current_user):
 # Resend Setup Mail
 @admin_api.route('/resend-setup-mail/', methods=['POST'])
+@csrf_exempt
 @token_required
 def resend_setup_mail(current_user, user_id):
 user = User.query.get(user_id)