From 52a24509298bd2841630192bfc035ada1d92f0f2 Mon Sep 17 00:00:00 2001 From: Tejas Saubhage Date: Mon, 30 Mar 2026 14:06:10 -0400 Subject: [PATCH 1/3] Fix username logging: set REMOTE_USER in LoginRequiredMiddleware for API token auth --- dojo/middleware.py | 1 + 1 file changed, 1 insertion(+) diff --git a/dojo/middleware.py b/dojo/middleware.py index f3939d68c48..e75423093e5 100644 --- a/dojo/middleware.py +++ b/dojo/middleware.py @@ -71,6 +71,7 @@ def __call__(self, request): uwsgi = __import__("uwsgi", globals(), locals(), ["set_logvar"], 0) # this populates dd_user log var, so can appear in the uwsgi logs uwsgi.set_logvar("dd_user", str(request.user)) + request.META["REMOTE_USER"] = str(request.user) return response From 210e6ce355ce4980056fbeab34a3d036778ebd77 Mon Sep 17 00:00:00 2001 From: Tejas Saubhage Date: Wed, 20 May 2026 08:08:05 -0400 Subject: [PATCH 2/3] Fix API token username logging using custom DRF TokenAuthentication --- dojo/middleware.py | 22 ++++++++++++++++++++++ dojo/settings/settings.dist.py | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/dojo/middleware.py b/dojo/middleware.py index e75423093e5..fb9e5777eb8 100644 --- a/dojo/middleware.py +++ b/dojo/middleware.py 
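Review bot: The value written to `request.META["REMOTE_USER"]` is `str(request.user)`, which is whatever the user model's `__str__` returns and is not guaranteed to be the login name. For a field used to attribute requests in logs, `request.META["REMOTE_USER"] = request.user.get_username()` is the stable identifier; the same applies to `username = str(user)` in `DojoTokenAuthentication.authenticate` in patch 2/3. The added line sits directly before `return response`, and this page has lost the indentation, so it is not visible whether the assignment is inside the authenticated-user branch; if it is not, anonymous requests would be recorded as `AnonymousUser`. `REMOTE_USER` is also the key Django's remote-user authentication reads as an already-verified identity, so a comment such as `# logging only; set after authentication, never read back as a trust decision` would help the next reader. `__call__` starts outside the hunk.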
@@ -310,3 +310,25 @@ def _trigger_async_index_update(self, model_groups): for i, batch in enumerate(batches, 1): logger.debug(f"AsyncSearchContextMiddleware: Triggering batch {i}/{len(batches)} for {model_name}: {len(batch)} instances") dojo_dispatch_task(update_watson_search_index_for_model, model_name, batch) + + +from rest_framework.authentication import TokenAuthentication as DRFTokenAuthentication + + +class DojoTokenAuthentication(DRFTokenAuthentication): + """Custom token authentication that logs the username to uWSGI.""" + + def authenticate(self, request): + result = super().authenticate(request) + + if result is not None: + user, _token = result + username = str(user) + + request.META["REMOTE_USER"] = username + + with suppress(ModuleNotFoundError): + uwsgi = __import__("uwsgi", globals(), locals(), ["set_logvar"], 0) + uwsgi.set_logvar("dd_user", username) + + return result diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index a1cd0cc5501..32134a6de7b 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -672,7 +672,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param } if API_TOKENS_ENABLED: - REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"] += ("rest_framework.authentication.TokenAuthentication",) + REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"] += ("dojo.middleware.DojoTokenAuthentication",) SPECTACULAR_SETTINGS = { "TITLE": "DefectDojo API v2", From f771b42d50184844c4140c255af13cf0e1379f1e Mon Sep 17 00:00:00 2001 From: Tejas Saubhage Date: Wed, 20 May 2026 08:38:43 -0400 Subject: [PATCH 3/3] Fix Ruff linting issues --- dojo/middleware.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/dojo/middleware.py b/dojo/middleware.py index fb9e5777eb8..7cc20b765d0 100644 --- a/dojo/middleware.py +++ b/dojo/middleware.py 
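Review bot: The class docstring mentions only uWSGI logging, but `authenticate` also overwrites `request.META["REMOTE_USER"]`, the key that Django's `RemoteUserMiddleware` and its backends treat as an externally authenticated identity. That side effect should be documented, for example `"""Token authentication that, after a successful login, records the username in request.META["REMOTE_USER"] and the uWSGI dd_user log var (logging only)."""`. The write is correctly gated on `result is not None`, so a failed or absent token leaves the key untouched; that is the property worth pinning with a unit test, and the diffstat shows no test file in this series. The `suppress(ModuleNotFoundError)` / `set_logvar` block duplicates the one in `__call__` from patch 1/3, so a small shared helper would keep the two log paths from drifting apart.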
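Review bot: Only the default entry in `REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"]` is switched here, so any view that sets `authentication_classes` explicitly to the stock `rest_framework.authentication.TokenAuthentication` would still authenticate without recording the username. No such view is visible on this page, so a search for that name is worth doing before relying on the log field for attribution. The same holds for a deployment whose local settings override this tuple with the old dotted path. As a style point, an authentication class reached through `dojo.middleware.…` is surprising; a dedicated authentication module would make the setting self-explanatory.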
@@ -10,6 +10,7 @@ from django.db import models from django.http import HttpResponseRedirect from django.urls import reverse +from rest_framework.authentication import TokenAuthentication as DRFTokenAuthentication from watson.middleware import SearchContextMiddleware from watson.search import search_context_manager @@ -312,10 +313,8 @@ def _trigger_async_index_update(self, model_groups): dojo_dispatch_task(update_watson_search_index_for_model, model_name, batch) -from rest_framework.authentication import TokenAuthentication as DRFTokenAuthentication - - class DojoTokenAuthentication(DRFTokenAuthentication): + """Custom token authentication that logs the username to uWSGI.""" def authenticate(self, request):