only allow SCIM basic auth for testing and debug

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/sources/scim/migrations/0001_initial.py

@@ -1,4 +1,4 @@
-# Generated by Django 4.0.5 on 2022-06-06 21:03
+# Generated by Django 4.0.5 on 2022-06-06 21:37
 
 import django.db.models.deletion
 from django.db import migrations, models
@@ -38,7 +38,8 @@ class Migration(migrations.Migration):
                 ),
             ],
             options={
-                "abstract": False,
+                "verbose_name": "SCIM Source",
+                "verbose_name_plural": "SCIM Sources",
             },
             bases=("authentik_core.source",),
         ),

authentik/sources/scim/views/v2/auth.py

@@ -2,6 +2,7 @@
 from base64 import b64decode
 from typing import Any, Optional, Union
 
+from django.conf import settings
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.request import Request
 
@@ -11,8 +12,10 @@ from authentik.core.models import Token, TokenIntents, User
 class SCIMTokenAuth(BaseAuthentication):
     """SCIM Token auth"""
 
-    def legacy(self, key: str, source_slug: str) -> Optional[Token]:
+    def legacy(self, key: str, source_slug: str) -> Optional[Token]:  # pragma: no cover
         """Legacy HTTP-Basic auth for testing"""
+        if not settings.TEST or not settings.DEBUG:
+            return None
         _username, _, password = b64decode(key.encode()).decode().partition(":")
         token = self.check_token(password, source_slug)
         if token: