Compare commits

..

No commits in common. "50865a6619186da16de0347153f5ab3d50f3f62f" and "660fcfd138636b83ce3741409aeb3b409619339a" have entirely different histories.

5 changed files with 17 additions and 100 deletions

10
auth.py
View File

@ -73,7 +73,7 @@ def auth_required(func):
return wrapper
@routes.post('/register/begin', name='register_begin')
@routes.post(config.url_prefix + '/register/begin', name='register_begin')
@auth_required
async def register_begin(request):
user_id = request['session']['id']
@ -96,7 +96,7 @@ async def register_begin(request):
return resp
@routes.post('/register/complete',name='register_complete')
@routes.post(config.url_prefix + '/register/complete',name='register_complete')
@auth_required
async def register_complete(request):
user_id = request['session']['id']
@ -135,7 +135,8 @@ async def register_complete(request):
return resp
@routes.post('/authenticate/begin', name='authenticate_begin')
@routes.post(config.url_prefix + '/authenticate/begin',
name='authenticate_begin')
async def authenticate_begin(request):
user_id = int(request.cookies.get('userid'))
if not user_id:
@ -155,7 +156,8 @@ async def authenticate_begin(request):
return resp
@routes.post('/authenticate/complete', name='authenticate_complete')
@routes.post(config.url_prefix + '/authenticate/complete',
name='authenticate_complete')
async def authenticate_complete(request):
user_id = int(request.cookies.get('userid'))

View File

@ -23,8 +23,8 @@ import config
uvloop.install()
routes = web.RouteTableDef()
@routes.get('/', name='index')
@routes.post('/', name='index')
@routes.get(config.url_prefix + '/', name='index')
@routes.post(config.url_prefix + '/', name='index')
@auth.auth_required
async def index(request):
"""The index page."""
@ -77,8 +77,8 @@ async def index(request):
return render_template("index.html", request, locals())
@routes.get('/login', name='login')
@routes.post('/login', name='login')
@routes.get(config.url_prefix + '/login', name='login')
@routes.post(config.url_prefix + '/login', name='login')
async def login(request):
"""Handle login."""
login_failed = False
@ -91,7 +91,7 @@ async def login(request):
async with request.app['pool'].acquire() as conn:
user_info = await conn.fetchrow(
"SELECT * FROM user_info WHERE username = $1 AND active = TRUE",
"SELECT * FROM user_info WHERE username = $1",
username)
if user_info:
has_cred = await conn.fetchrow(
@ -147,8 +147,8 @@ async def login(request):
return render_template("login.html", request, locals())
@routes.get('/register', name='register')
@routes.post('/register', name='register')
@routes.get(config.url_prefix + '/register', name='register')
@routes.post(config.url_prefix + '/register', name='register')
async def register(request):
"""Register new accounts."""
confirm_token = request.query.get('confirm')
@ -208,7 +208,7 @@ async def register(request):
return render_template("register_result.html", request, locals())
@routes.get('/add_key', name='add_key')
@routes.get(config.url_prefix + '/add_key', name='add_key')
@auth.auth_required
async def add_key(request):
"""Add a new security key."""
@ -216,7 +216,7 @@ async def add_key(request):
return render_template("register_key.html", request, locals())
@routes.get('/get_session', name='get_session')
@routes.get(config.url_prefix + '/get_session', name='get_session')
async def get_session(request):
"""Returns a user's application session."""
# TODO: only allow LAN IPs
@ -284,7 +284,7 @@ async def get_session(request):
return web.json_response(error)
@routes.post('/set_session', name='set_session')
@routes.post(config.url_prefix + '/set_session', name='set_session')
async def set_session(request):
"""Allows an application to set a user app session."""
# TODO: only allow LAN IPs
@ -339,9 +339,6 @@ async def init_app():
app.router.add_routes(routes)
app.router.add_routes(auth.routes)
app_wrap = web.Application()
app_wrap.add_subapp(config.url_prefix, app)
return app
if __name__ == "__main__":

View File

@ -1,61 +0,0 @@
#!/usr/bin/env python3
"""
Session interface middlewares to integrate the aiohttp app with Buckler.
"""
import json
from datetime import datetime
import aiohttp
from aiohttp import web
import config
@web.middleware
async def buckler_session(request, handler):
"""
Verifies the user with the configured Buckler app and retrieves any
session data they may have. Redirects them to the login page otherwise.
"""
user_id = request.cookies.get('userid')
user_sid = request.cookies.get('session')
url = config.buckler['url'] + '/get_session'
params = {
'app_id': config.buckler['app_id'],
'app_key': config.buckler['app_key'],
'userid': user_id,
'session': user_sid
}
async with aiohttp.ClientSession() as session:
async with session.get(url, params=params) as resp:
data = await resp.json()
if data.get('error'):
raise web.HTTPFound(location=config.buckler['login_url'])
request['session'] = data['session_data']
request['meta'] = data['meta']
resp = await handler(request)
if request['session'] != data['session_data']: # session data modified
url = config.buckler['url'] + '/set_session'
data = json.dumps(request['session'])
session.post(url, params=params, data=data) # TODO: error handle?
last_used = datetime.fromisoformat(request['meta']['last_used'])
now = datetime.now(last_used.tzinfo)
delta = now - last_used
if delta.seconds > 600:
resp.set_cookie(
'userid',
user_id,
max_age=30*24*60*60,
secure=True,
httponly=True)
resp.set_cookie(
'session',
user_sid,
max_age=30*24*60*60,
secure=True,
httponly=True)
return resp

View File

@ -37,22 +37,3 @@ function perm_change(row) {
}
console.log("perms_changed = " + perms_changed);
}
function submit_user_perms(row) {
let row_perms = {};
for (let child of row.children) {
if (child.firstChild.type == "checkbox") {
if (child.firstChild.checked) {
row_perms[child.firstChild.dataset.appName] = true;
} else {
row_perms[child.firstChild.dataset.appName] = false;
}
}
}
console.log(row_perms);
fetch(window.location.pathname, {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: row_perms
});
}

View File

@ -32,7 +32,6 @@
<section>
<h2>Admin Panel</h2>
<article style="display: none;">
<hr>
<section class="sub_section">
<h3>User Permissions</h3>
<article style="display: none;">
@ -54,14 +53,13 @@
{% for name, value in values.items() %}
<td><input aria-label="{{ username }}-{{ name }}" data-app-name={{ name }} type="checkbox" onchange="perm_change(this.parentElement.parentElement)"{% if value %} checked{% endif %}></td>
{% endfor %}
<td><input type="submit" value="Save" onclick="submit_user_perms(this.parentElement.parentElement)"></td>
<td><input type="submit"></td>
</tr>
{% endfor %}
</tbody>
</table>
</article>
</section>
<br>
<section class="sub_section">
<h3>Invite New User</h3>
<article style="display: none;">