fix login redirect

This commit is contained in:
iou1name 2020-08-15 01:27:50 -04:00
parent 85c0f37e17
commit 7673fccd22
5 changed files with 73 additions and 14 deletions

auth.py

@ -62,12 +62,14 @@ def auth_required(func):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
resp.set_cookie( resp.set_cookie(
'session', 'session',
sid, sid,
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
return resp return resp
else: else:
raise web.HTTPFound(location=login_url) raise web.HTTPFound(location=login_url)
@ -93,7 +95,12 @@ async def register_begin(request):
}, exist_cred, user_verification='discouraged') }, exist_cred, user_verification='discouraged')
resp = web.Response(body=cbor.encode(registration_data)) resp = web.Response(body=cbor.encode(registration_data))
resp.set_cookie('state', json.dumps(state)) resp.set_cookie(
'state',
json.dumps(state),
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
@ -132,7 +139,13 @@ async def register_complete(request):
user_id, nick, auth_data.credential_data) user_id, nick, auth_data.credential_data)
resp = web.json_response({'ok': True}) resp = web.json_response({'ok': True})
resp.set_cookie('state', '', max_age=0) resp.set_cookie(
'state',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
@ -152,7 +165,12 @@ async def authenticate_begin(request):
auth_data, state = server.authenticate_begin(credentials) auth_data, state = server.authenticate_begin(credentials)
resp = web.Response(body=cbor.encode(auth_data)) resp = web.Response(body=cbor.encode(auth_data))
resp.set_cookie('state', json.dumps(state)) resp.set_cookie(
'state',
json.dumps(state),
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
@ -188,15 +206,28 @@ async def authenticate_complete(request):
if not url: if not url:
url = request.app.router['index'].url_for() url = request.app.router['index'].url_for()
resp = web.json_response({'ok': True, 'redirect': str(url)}) resp = web.json_response({'ok': True, 'redirect': str(url)})
resp.set_cookie('state', '', max_age=0) resp.set_cookie(
'state',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie('redirect', '', max_age=0) resp.set_cookie(
'redirect',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie( resp.set_cookie(
'userid', 'userid',
user_id, user_id,
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
sid = secrets.token_urlsafe(64) sid = secrets.token_urlsafe(64)
ip_address = request.headers['X-Real-IP'] ip_address = request.headers['X-Real-IP']
async with request.app['pool'].acquire() as conn: async with request.app['pool'].acquire() as conn:
@ -212,5 +243,6 @@ async def authenticate_complete(request):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
return resp return resp
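Review bot: Every `set_cookie` call in this file now passes `secure=True, httponly=True` but leaves `#samesite='strict')` commented out, so the 30-day `session` and `userid` cookies (L18-L24, L77-L83) are still attached to cross-site requests and nothing in these hunks supplies CSRF protection for them. If the comment is there because the installed aiohttp does not accept a `samesite` keyword, the attribute can still be applied after the call through the response's cookie jar, e.g. `resp.cookies['session']['samesite'] = 'Lax'` (http.cookies recognises the key on Python 3.8+), and the same one-liner covers `userid` and `state`. Lax rather than Strict is the safer default here because the login flow returns from `login_url`; a Strict cookie is dropped on that navigation if the login page is on another site, which the diff cannot show. The hunks cut through `auth_required`, `register_begin`, `register_complete`, `authenticate_begin` and `authenticate_complete`, whose bodies begin before the visible lines.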


@ -109,14 +109,24 @@ async def login(request):
if has_cred['exists'] and user_info['passwordless']: if has_cred['exists'] and user_info['passwordless']:
url_prefix = config.url_prefix url_prefix = config.url_prefix
resp = render_template("login_key.html", request, locals()) resp = render_template("login_key.html", request, locals())
resp.set_cookie('userid', user_info['id']) resp.set_cookie(
'userid',
user_info['id'],
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
if argon2.verify(password, user_info['password_hash']): if argon2.verify(password, user_info['password_hash']):
if has_cred['exists']: if has_cred['exists']:
url_prefix = config.url_prefix url_prefix = config.url_prefix
resp = render_template("login_key.html", request, locals()) resp = render_template("login_key.html", request, locals())
resp.set_cookie('userid', user_info['id']) resp.set_cookie(
'userid',
user_info['id'],
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
url = request.cookies.get('redirect') url = request.cookies.get('redirect')
@ -130,6 +140,7 @@ async def login(request):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
sid = secrets.token_urlsafe(64) sid = secrets.token_urlsafe(64)
ip_address = request.headers['X-Real-IP'] ip_address = request.headers['X-Real-IP']
async with request.app['pool'].acquire() as conn: async with request.app['pool'].acquire() as conn:
@ -144,6 +155,7 @@ async def login(request):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
raise resp raise resp
else: else:
login_failed = True login_failed = True
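Review bot: The `userid` cookie block at L100-L105 is now repeated verbatim at L111-L116, and the same `secure=True, httponly=True` pair plus the commented `samesite` line recurs in every handler, so enabling SameSite later means touching a dozen call sites. A module-level `COOKIE_OPTS = {'secure': True, 'httponly': True}` used as `resp.set_cookie('userid', user_info['id'], **COOKIE_OPTS)` keeps the attributes in one place and leaves a single line to edit once `samesite` is supported. Note also that this pre-second-factor `userid` cookie carries no `max_age` while the cookies set on full login (L120-L123, L128-L131) live 30 days; a short comment such as `# session-scoped: only bridges to the WebAuthn step` would make that distinction deliberate rather than accidental. The `login` handler begins before the first visible line.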


@ -30,7 +30,14 @@ async def buckler_session(request, handler):
async with session.get(url, params=params) as resp: async with session.get(url, params=params) as resp:
data = await resp.json() data = await resp.json()
if data.get('error'): if data.get('error'):
raise web.HTTPFound(location=config.buckler['login_url']) resp = web.HTTPFound(config.buckler['login_url'])
resp.set_cookie(
'redirect',
request.url,
secure=True,
httponly=True)
#samesite='strict')
raise resp
request['session'] = data['session_data'] request['session'] = data['session_data']
request['meta'] = data['meta'] request['meta'] = data['meta']
@ -51,11 +58,13 @@ async def buckler_session(request, handler):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
resp.set_cookie( resp.set_cookie(
'session', 'session',
user_sid, user_sid,
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
return resp return resp
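Review bot: The new `redirect` cookie at L143-L148 stores `request.url`, which aiohttp derives from the incoming Host header; since this middleware already runs behind a reverse proxy (it reads `X-Real-IP`), an attacker-supplied Host header lands in the cookie and becomes the post-login destination handed to the browser, i.e. an open redirect. Storing only the path and query, `request.path_qs`, keeps the redirect on this origin, and whoever consumes the cookie should still reject values that do not start with `/`. Also, `request.url` is a `yarl.URL` rather than a str; `set_cookie` happens to stringify it via http.cookies, but passing `str(request.path_qs)` makes the intent explicit. The enclosing `buckler_session` middleware starts and ends outside the visible lines.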


@ -76,13 +76,15 @@ class BucklerSessionInterface(SessionInterface):
session.cookies['userid'], session.cookies['userid'],
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True,
samesite='strict')
response.set_cookie( response.set_cookie(
'session', 'session',
session.cookies['session'], session.cookies['session'],
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True,
samesite='strict')
class BucklerSession(dict, SessionMixin): class BucklerSession(dict, SessionMixin):
@ -103,5 +105,10 @@ def require_auth():
""" """
if not hasattr(session, 'meta'): if not hasattr(session, 'meta'):
resp = redirect(config.buckler['login_url']) resp = redirect(config.buckler['login_url'])
resp.set_cookie('redirect', request.url) resp.set_cookie(
'redirect',
request.url,
secure=True,
httponly=True,
samesite='strict')
return resp return resp
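Review bot: The `redirect` cookie at L186-L191 is set with `samesite='strict'` immediately before redirecting to `config.buckler['login_url']`; if that login page lives on a different site, the browser will not attach a Strict cookie to the top-level navigation that brings the user back, so the stored redirect (and the `userid`/`session` cookies at L169-L180) go missing on the first request and the fix this commit is named for silently does not take effect. `samesite='lax'` is the usual choice for cookies that must survive a cross-site return; Strict is only appropriate if `login_url` is same-site, which the hunk cannot show. Independently, `request.url` includes scheme and host taken from the Host header, so storing `request.full_path` (path and query only) avoids turning the cookie into an open-redirect vector. `require_auth` and the surrounding class body continue outside the visible lines.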


@ -32,7 +32,7 @@ function login() {
body: CBOR.encode({ body: CBOR.encode({
}) })
}).then(function(response) { }).then(function(response) {
if(!response.ok) { throw new Error('Error getting registration data!'); } if(!response.ok) { throw new Error('Error getting authentication data!'); }
return response.arrayBuffer(); return response.arrayBuffer();
}).then(CBOR.decode).then(function(options) { }).then(CBOR.decode).then(function(options) {
return navigator.credentials.get(options); return navigator.credentials.get(options);
@ -52,8 +52,7 @@ function login() {
}).then(function(response) { }).then(function(response) {
return response.json(); return response.json();
}).then(function(json) { }).then(function(json) {
console.log(json);
if (!json.ok) { throw new Error('HTTP error, status = ' + json.status + ', message = ' + json.message); } if (!json.ok) { throw new Error('HTTP error, status = ' + json.status + ', message = ' + json.message); }
window.location = url_prefix + '/'; window.location = json.redirect;
}); });
} }
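Review bot: `window.location = json.redirect;` at L210 navigates to whatever string the server returns, and that value originates from the `redirect` cookie rather than a fixed route; if the cookie can be influenced (server-side it is populated from `request.url`, i.e. the Host header), this is an open redirect, and a `javascript:` URL assigned to `window.location` executes. Resolve and pin the target to the current origin before navigating: `var target = new URL(json.redirect, window.location.href);` `if (target.origin !== window.location.origin) { target = new URL(url_prefix + '/', window.location.href); }` `window.location = target.href;`. The `login` function starts before the first visible line.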