

No commits in common. "7673fccd222f93229f20648ebdcaacf9e8eb82f7" and "8060d84ac2870f4d403577c5f1c750d00afc3056" have entirely different histories.

5 changed files with 18 additions and 78 deletions

auth.py

@ -30,7 +30,7 @@ def auth_required(func):
login_url = request.app.router['login'].url_for() login_url = request.app.router['login'].url_for()
sid = request.cookies.get('session') sid = request.cookies.get('session')
try: try:
user_id = int(request.cookies.get('userid')) user_id = int(request.cookies.get('userid', '0'))
except (ValueError, TypeError): except (ValueError, TypeError):
user_id = None user_id = None
if not sid or not user_id: if not sid or not user_id:
@ -62,14 +62,12 @@ def auth_required(func):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
resp.set_cookie( resp.set_cookie(
'session', 'session',
sid, sid,
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
return resp return resp
else: else:
raise web.HTTPFound(location=login_url) raise web.HTTPFound(location=login_url)
@ -95,12 +93,7 @@ async def register_begin(request):
}, exist_cred, user_verification='discouraged') }, exist_cred, user_verification='discouraged')
resp = web.Response(body=cbor.encode(registration_data)) resp = web.Response(body=cbor.encode(registration_data))
resp.set_cookie( resp.set_cookie('state', json.dumps(state))
'state',
json.dumps(state),
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
@ -139,13 +132,7 @@ async def register_complete(request):
user_id, nick, auth_data.credential_data) user_id, nick, auth_data.credential_data)
resp = web.json_response({'ok': True}) resp = web.json_response({'ok': True})
resp.set_cookie( resp.set_cookie('state', '', max_age=0)
'state',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
@ -165,12 +152,7 @@ async def authenticate_begin(request):
auth_data, state = server.authenticate_begin(credentials) auth_data, state = server.authenticate_begin(credentials)
resp = web.Response(body=cbor.encode(auth_data)) resp = web.Response(body=cbor.encode(auth_data))
resp.set_cookie( resp.set_cookie('state', json.dumps(state))
'state',
json.dumps(state),
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
@ -206,28 +188,15 @@ async def authenticate_complete(request):
if not url: if not url:
url = request.app.router['index'].url_for() url = request.app.router['index'].url_for()
resp = web.json_response({'ok': True, 'redirect': str(url)}) resp = web.json_response({'ok': True, 'redirect': str(url)})
resp.set_cookie( resp.set_cookie('state', '', max_age=0)
'state',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie( resp.set_cookie('redirect', '', max_age=0)
'redirect',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie( resp.set_cookie(
'userid', 'userid',
user_id, user_id,
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
sid = secrets.token_urlsafe(64) sid = secrets.token_urlsafe(64)
ip_address = request.headers['X-Real-IP'] ip_address = request.headers['X-Real-IP']
async with request.app['pool'].acquire() as conn: async with request.app['pool'].acquire() as conn:
@ -243,6 +212,5 @@ async def authenticate_complete(request):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
return resp return resp
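Review bot: The `state` cookie in register_begin is now set as `resp.set_cookie('state', json.dumps(state))`, dropping the `secure=True, httponly=True` the old side carried, so the pending WebAuthn challenge state becomes readable from page script and is sent over plaintext HTTP as well; the same drop appears in authenticate_begin and in the four `max_age=0` clearing calls for `state` and `redirect` in register_complete and authenticate_complete. Keep the attributes on the set calls, `resp.set_cookie('state', json.dumps(state), secure=True, httponly=True)`, and on the clearing calls so all cookie writes in this module use the same attributes. The `int(request.cookies.get('userid', '0'))` change looks fine, since a value of `0` is rejected by the following `if not sid or not user_id` check. register_begin and the other handlers start outside their hunks.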


@ -38,11 +38,11 @@ async def index(request):
'new_app': forms.new_app, 'new_app': forms.new_app,
'change_password': forms.change_password, 'change_password': forms.change_password,
'delete_key': forms.delete_key, 'delete_key': forms.delete_key,
'delete_session': forms.delete_session, 'delele_session': forms.delete_session,
} }
if not forms_.get(form): if not forms_.get(form):
errors = {'main': f"Unknown form id: {form}"} errors = {'main': "Unknown form id: {form}"}
else: else:
errors = await forms_[form](request) errors = await forms_[form](request)
@ -65,8 +65,7 @@ async def index(request):
request['session']['id']) request['session']['id'])
active_sessions = await conn.fetch( active_sessions = await conn.fetch(
"SELECT id, ip_address, date_created, last_used FROM user_session " "SELECT id, ip_address, date_created, last_used FROM user_session "
"WHERE user_id = $1 AND expires > NOW() " "WHERE user_id = $1 ORDER BY last_used DESC",
"ORDER BY last_used DESC",
request['session']['id']) request['session']['id'])
if request['session']['admin']: if request['session']['admin']:
@ -109,24 +108,14 @@ async def login(request):
if has_cred['exists'] and user_info['passwordless']: if has_cred['exists'] and user_info['passwordless']:
url_prefix = config.url_prefix url_prefix = config.url_prefix
resp = render_template("login_key.html", request, locals()) resp = render_template("login_key.html", request, locals())
resp.set_cookie( resp.set_cookie('userid', user_info['id'])
'userid',
user_info['id'],
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
if argon2.verify(password, user_info['password_hash']): if argon2.verify(password, user_info['password_hash']):
if has_cred['exists']: if has_cred['exists']:
url_prefix = config.url_prefix url_prefix = config.url_prefix
resp = render_template("login_key.html", request, locals()) resp = render_template("login_key.html", request, locals())
resp.set_cookie( resp.set_cookie('userid', user_info['id'])
'userid',
user_info['id'],
secure=True,
httponly=True)
#samesite='strict')
return resp return resp
url = request.cookies.get('redirect') url = request.cookies.get('redirect')
@ -140,7 +129,6 @@ async def login(request):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
sid = secrets.token_urlsafe(64) sid = secrets.token_urlsafe(64)
ip_address = request.headers['X-Real-IP'] ip_address = request.headers['X-Real-IP']
async with request.app['pool'].acquire() as conn: async with request.app['pool'].acquire() as conn:
@ -155,7 +143,6 @@ async def login(request):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
raise resp raise resp
else: else:
login_failed = True login_failed = True
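Review bot: The dispatch table in index now reads `'delele_session': forms.delete_session,`, so a posted form id of `delete_session` falls through to the `Unknown form id` branch and users can no longer revoke a session; restore the key as `'delete_session': forms.delete_session,`. In the same hunk the error string lost its `f` prefix, so `"Unknown form id: {form}"` is emitted literally, and the active-session query drops `AND expires > NOW()`, so expired sessions are listed as active. In login, both `resp.set_cookie('userid', user_info['id'])` calls drop the `secure=True, httponly=True` the old side carried; keep them as `resp.set_cookie('userid', user_info['id'], secure=True, httponly=True)`. index and login start outside their hunks.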


@ -30,14 +30,7 @@ async def buckler_session(request, handler):
async with session.get(url, params=params) as resp: async with session.get(url, params=params) as resp:
data = await resp.json() data = await resp.json()
if data.get('error'): if data.get('error'):
resp = web.HTTPFound(config.buckler['login_url']) raise web.HTTPFound(location=config.buckler['login_url'])
resp.set_cookie(
'redirect',
request.url,
secure=True,
httponly=True)
#samesite='strict')
raise resp
request['session'] = data['session_data'] request['session'] = data['session_data']
request['meta'] = data['meta'] request['meta'] = data['meta']
@ -58,13 +51,11 @@ async def buckler_session(request, handler):
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
resp.set_cookie( resp.set_cookie(
'session', 'session',
user_sid, user_sid,
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True) httponly=True)
#samesite='strict')
return resp return resp
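Review bot: The error branch in buckler_session now does `raise web.HTTPFound(location=config.buckler['login_url'])` without storing the `redirect` cookie the old side set, so the URL the user was visiting is no longer carried to the login flow and the `url = request.cookies.get('redirect')` read visible in the login hunk of the previous file will find nothing. If dropping the return-to-URL is intended, that consumer should be removed too so both sides agree; if not, build the response, set the cookie with `secure=True, httponly=True` as the old code did, and raise it. buckler_session starts outside the hunk.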


@ -76,15 +76,13 @@ class BucklerSessionInterface(SessionInterface):
session.cookies['userid'], session.cookies['userid'],
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True, httponly=True)
samesite='strict')
response.set_cookie( response.set_cookie(
'session', 'session',
session.cookies['session'], session.cookies['session'],
max_age=30*24*60*60, max_age=30*24*60*60,
secure=True, secure=True,
httponly=True, httponly=True)
samesite='strict')
class BucklerSession(dict, SessionMixin): class BucklerSession(dict, SessionMixin):
@ -105,10 +103,5 @@ def require_auth():
""" """
if not hasattr(session, 'meta'): if not hasattr(session, 'meta'):
resp = redirect(config.buckler['login_url']) resp = redirect(config.buckler['login_url'])
resp.set_cookie( resp.set_cookie('redirect', request.url)
'redirect',
request.url,
secure=True,
httponly=True,
samesite='strict')
return resp return resp
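Review bot: BucklerSessionInterface now sets the `userid` and `session` cookies without the `samesite='strict'` the old side had, so the session cookie is attached to cross-site requests and any state-changing handler that trusts the cookie alone loses that protection unless a separate CSRF token is checked, which is not visible here. Keep `samesite='strict'` on both calls (or `'Lax'` if strict breaks the cross-site return from the login page, which I cannot tell from the hunk). In require_auth, `resp.set_cookie('redirect', request.url)` likewise drops `secure=True, httponly=True`; the redirect target has no reason to be script-readable, so keep `resp.set_cookie('redirect', request.url, secure=True, httponly=True, samesite='strict')`. The enclosing method starts outside the first hunk.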


@ -32,7 +32,7 @@ function login() {
body: CBOR.encode({ body: CBOR.encode({
}) })
}).then(function(response) { }).then(function(response) {
if(!response.ok) { throw new Error('Error getting authentication data!'); } if(!response.ok) { throw new Error('Error getting registration data!'); }
return response.arrayBuffer(); return response.arrayBuffer();
}).then(CBOR.decode).then(function(options) { }).then(CBOR.decode).then(function(options) {
return navigator.credentials.get(options); return navigator.credentials.get(options);
@ -52,7 +52,8 @@ function login() {
}).then(function(response) { }).then(function(response) {
return response.json(); return response.json();
}).then(function(json) { }).then(function(json) {
console.log(json);
if (!json.ok) { throw new Error('HTTP error, status = ' + json.status + ', message = ' + json.message); } if (!json.ok) { throw new Error('HTTP error, status = ' + json.status + ', message = ' + json.message); }
window.location = json.redirect; window.location = url_prefix + '/';
}); });
} }
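Review bot: `console.log(json);` added in login's final `.then` writes the server's login response to the browser console and reads as leftover debugging; drop it before merging. In the same hunk `window.location = url_prefix + '/'` ignores the `redirect` field the server still returns (`{'ok': True, 'redirect': str(url)}` in authenticate_complete), so the two sides should agree on which one decides the post-login destination, and `url_prefix` is not defined within the hunk, so confirm it is in scope. In the first hunk the message for a failed request became `'Error getting registration data!'` although this is the `navigator.credentials.get` path; `'Error getting authentication data!'` is the accurate text. login starts outside both hunks.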