Update admin_api.py

2025-06-09 22:52:06 +02:00
parent f71b461e29
commit f2361b94ba
1 changed files with 21 additions and 0 deletions
--- a/routes/admin_api.py
+++ b/routes/admin_api.py
@@ -11,6 +11,7 @@ import jwt
 from werkzeug.security import generate_password_hash
 import secrets
 from flask_login import login_user
+from flask_wtf.csrf import csrf_exempt

 admin_api = Blueprint('admin_api', __name__)

@@ -72,6 +73,7 @@ def validate_management_api_key(api_key):
    return False

@admin_api.route('/login', methods=['POST'])
+@csrf_exempt
 def admin_login():
    try:
        # Check if this is an API request
@@ -130,6 +132,7 @@ def admin_login():
        return redirect(url_for('auth.login'))

@admin_api.route('/management-token', methods=['POST'])
+@csrf_exempt 
 def get_management_token():
    """Generate a JWT token for the management tool using API key authentication"""
    api_key = request.headers.get('X-API-Key')
@@ -147,6 +150,7 @@ def get_management_token():
    })

@admin_api.route('/management-api-key', methods=['POST'])
+@csrf_exempt
@token_required
 def create_management_api_key(current_user):
    """Create a new API key for the management tool (only accessible by admin users)"""
@@ -174,6 +178,7 @@ def create_management_api_key(current_user):
    }), 201

@admin_api.route('/management-api-keys', methods=['GET'])
+@csrf_exempt
@token_required
 def list_management_api_keys(current_user):
    """List all management API keys (only accessible by admin users)"""
@@ -191,6 +196,7 @@ def list_management_api_keys(current_user):
    } for key in keys])

@admin_api.route('/management-api-key/<int:key_id>', methods=['DELETE'])
+@csrf_exempt
@token_required
 def revoke_management_api_key(current_user, key_id):
    """Revoke a management API key (only accessible by admin users)"""
@@ -207,6 +213,7 @@ def revoke_management_api_key(current_user, key_id):

 # Key-Value Settings CRUD
@admin_api.route('/key-value', methods=['GET'])
+@csrf_exempt
@token_required
 def get_key_values(current_user):
    settings = KeyValueSettings.query.all()
@@ -221,6 +228,7 @@ def get_key_value(current_user, key):
    return jsonify({'key': setting.key, 'value': setting.value})

@admin_api.route('/key-value', methods=['POST'])
+@csrf_exempt
@token_required
 def create_key_value(current_user):
    data = request.get_json()
@@ -233,6 +241,7 @@ def create_key_value(current_user):
    return jsonify({'message': 'Key-value pair created successfully'}), 201

@admin_api.route('/key-value/<key>', methods=['PUT'])
+@csrf_exempt
@token_required
 def update_key_value(current_user, key):
    setting = KeyValueSettings.query.filter_by(key=key).first()
@@ -248,6 +257,7 @@ def update_key_value(current_user, key):
    return jsonify({'message': 'Key-value pair updated successfully'})

@admin_api.route('/key-value/<key>', methods=['DELETE'])
+@csrf_exempt
@token_required
 def delete_key_value(current_user, key):
    setting = KeyValueSettings.query.filter_by(key=key).first()
@@ -260,6 +270,7 @@ def delete_key_value(current_user, key):

 # Contacts (Users) CRUD
@admin_api.route('/contacts', methods=['GET'])
+@csrf_exempt
@token_required
 def get_contacts(current_user):
    users = User.query.all()
@@ -276,6 +287,7 @@ def get_contacts(current_user):
    } for user in users])

@admin_api.route('/contacts/<int:user_id>', methods=['GET'])
+@csrf_exempt
@token_required
 def get_contact(current_user, user_id):
    user = User.query.get(user_id)
@@ -294,6 +306,7 @@ def get_contact(current_user, user_id):
    })

@admin_api.route('/contacts', methods=['POST'])
+@csrf_exempt
@token_required
 def create_contact(current_user):
    data = request.get_json()
@@ -319,6 +332,7 @@ def create_contact(current_user):
    return jsonify({'message': 'Contact created successfully', 'id': user.id}), 201

@admin_api.route('/contacts/<int:user_id>', methods=['PUT'])
+@csrf_exempt
@token_required
 def update_contact(current_user, user_id):
    user = User.query.get(user_id)
@@ -345,6 +359,7 @@ def update_contact(current_user, user_id):
    return jsonify({'message': 'Contact updated successfully'})

@admin_api.route('/contacts/<int:user_id>', methods=['DELETE'])
+@csrf_exempt
@token_required
 def delete_contact(current_user, user_id):
    user = User.query.get(user_id)
@@ -357,6 +372,7 @@ def delete_contact(current_user, user_id):

 # Statistics
@admin_api.route('/statistics', methods=['GET'])
+@csrf_exempt
@token_required
 def get_statistics(current_user):
    room_count = Room.query.count()
@@ -376,6 +392,7 @@ def get_statistics(current_user):

 # Website Settings CRUD
@admin_api.route('/settings', methods=['GET'])
+@csrf_exempt
@token_required
 def get_settings(current_user):
    settings = SiteSettings.get_settings()
@@ -397,6 +414,7 @@ def get_settings(current_user):
    })

@admin_api.route('/settings', methods=['PUT'])
+@csrf_exempt
@token_required
 def update_settings(current_user):
    settings = SiteSettings.get_settings()
@@ -411,6 +429,7 @@ def update_settings(current_user):

 # Website Logs
@admin_api.route('/logs', methods=['GET'])
+@csrf_exempt
@token_required
 def get_logs(current_user):
    page = request.args.get('page', 1, type=int)
@@ -437,6 +456,7 @@ def get_logs(current_user):

 # Mail Logs
@admin_api.route('/mail-logs', methods=['GET'])
+@csrf_exempt
@token_required
 def get_mail_logs(current_user):
    page = request.args.get('page', 1, type=int)
@@ -463,6 +483,7 @@ def get_mail_logs(current_user):

 # Resend Setup Mail
@admin_api.route('/resend-setup-mail/<int:user_id>', methods=['POST'])
+@csrf_exempt
@token_required
 def resend_setup_mail(current_user, user_id):
    user = User.query.get(user_id)