


7673fccd22 fix login redirect 2020-08-15 01:27:50 -04:00
85c0f37e17 fix delete_session() 2020-08-14 23:47:25 -04:00
5 changed files with 78 additions and 18 deletions

auth.py

@ -30,7 +30,7 @@ def auth_required(func):
login_url = request.app.router['login'].url_for()
sid = request.cookies.get('session')
try:
user_id = int(request.cookies.get('userid', '0'))
user_id = int(request.cookies.get('userid'))
except (ValueError, TypeError):
user_id = None
if not sid or not user_id:
@ -62,12 +62,14 @@ def auth_required(func):
max_age=30*24*60*60,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie(
'session',
sid,
max_age=30*24*60*60,
secure=True,
httponly=True)
#samesite='strict')
return resp
else:
raise web.HTTPFound(location=login_url)
@ -93,7 +95,12 @@ async def register_begin(request):
}, exist_cred, user_verification='discouraged')
resp = web.Response(body=cbor.encode(registration_data))
resp.set_cookie('state', json.dumps(state))
resp.set_cookie(
'state',
json.dumps(state),
secure=True,
httponly=True)
#samesite='strict')
return resp
@ -132,7 +139,13 @@ async def register_complete(request):
user_id, nick, auth_data.credential_data)
resp = web.json_response({'ok': True})
resp.set_cookie('state', '', max_age=0)
resp.set_cookie(
'state',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
return resp
@ -152,7 +165,12 @@ async def authenticate_begin(request):
auth_data, state = server.authenticate_begin(credentials)
resp = web.Response(body=cbor.encode(auth_data))
resp.set_cookie('state', json.dumps(state))
resp.set_cookie(
'state',
json.dumps(state),
secure=True,
httponly=True)
#samesite='strict')
return resp
@ -188,15 +206,28 @@ async def authenticate_complete(request):
if not url:
url = request.app.router['index'].url_for()
resp = web.json_response({'ok': True, 'redirect': str(url)})
resp.set_cookie('state', '', max_age=0)
resp.set_cookie(
'state',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie('redirect', '', max_age=0)
resp.set_cookie(
'redirect',
'',
max_age=0,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie(
'userid',
user_id,
max_age=30*24*60*60,
secure=True,
httponly=True)
#samesite='strict')
sid = secrets.token_urlsafe(64)
ip_address = request.headers['X-Real-IP']
async with request.app['pool'].acquire() as conn:
@ -212,5 +243,6 @@ async def authenticate_complete(request):
max_age=30*24*60*60,
secure=True,
httponly=True)
#samesite='strict')
return resp
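Review bot: The `redirect` value placed in the json_response of the authenticate_complete hunk is whatever string the client's 'redirect' cookie holds (the `url = request.cookies.get('redirect')` read sits above this hunk; the login() hunk in the next file section does the same), and the page-side script assigns it straight to `window.location`, so nothing prevents a cookie value that points off-site. Accept it only when it is relative or stays on this host, e.g. `if not url or URL(url).host not in (None, request.url.host): url = request.app.router['index'].url_for()` (`URL` from yarl, which aiohttp already depends on), which keeps the existing fallback for the empty case. Every new set_cookie call in this file leaves `#samesite='strict')` as a dead comment; if that is because the aiohttp in use does not accept the keyword, say so once, e.g. `# samesite= is not accepted by the installed aiohttp; enable it when upgrading`, rather than repeating the commented line at each call site. auth_required and authenticate_complete both extend beyond the hunks shown here.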


@ -38,11 +38,11 @@ async def index(request):
'new_app': forms.new_app,
'change_password': forms.change_password,
'delete_key': forms.delete_key,
'delele_session': forms.delete_session,
'delete_session': forms.delete_session,
}
if not forms_.get(form):
errors = {'main': "Unknown form id: {form}"}
errors = {'main': f"Unknown form id: {form}"}
else:
errors = await forms_[form](request)
@ -65,7 +65,8 @@ async def index(request):
request['session']['id'])
active_sessions = await conn.fetch(
"SELECT id, ip_address, date_created, last_used FROM user_session "
"WHERE user_id = $1 ORDER BY last_used DESC",
"WHERE user_id = $1 AND expires > NOW() "
"ORDER BY last_used DESC",
request['session']['id'])
if request['session']['admin']:
@ -108,14 +109,24 @@ async def login(request):
if has_cred['exists'] and user_info['passwordless']:
url_prefix = config.url_prefix
resp = render_template("login_key.html", request, locals())
resp.set_cookie('userid', user_info['id'])
resp.set_cookie(
'userid',
user_info['id'],
secure=True,
httponly=True)
#samesite='strict')
return resp
if argon2.verify(password, user_info['password_hash']):
if has_cred['exists']:
url_prefix = config.url_prefix
resp = render_template("login_key.html", request, locals())
resp.set_cookie('userid', user_info['id'])
resp.set_cookie(
'userid',
user_info['id'],
secure=True,
httponly=True)
#samesite='strict')
return resp
url = request.cookies.get('redirect')
@ -129,6 +140,7 @@ async def login(request):
max_age=30*24*60*60,
secure=True,
httponly=True)
#samesite='strict')
sid = secrets.token_urlsafe(64)
ip_address = request.headers['X-Real-IP']
async with request.app['pool'].acquire() as conn:
@ -143,6 +155,7 @@ async def login(request):
max_age=30*24*60*60,
secure=True,
httponly=True)
#samesite='strict')
raise resp
else:
login_failed = True
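Review bot: The login() hunks repeat the same `secure=True, httponly=True` block (plus the commented `#samesite='strict')`) four times, and auth.py and the buckler middleware in the other sections repeat it another ten times, so when SameSite is eventually switched on there are a dozen call sites to edit and one is easy to miss. A small helper that owns the flags keeps that policy in one place and shrinks each call site to a single line; sketch below, with the passwordless branch as the example call. The 'userid' cookie set for the passwordless branch has no max_age, unlike the 30-day one set further down the function, which looks deliberate (a session-scoped hint for the key step) but deserves a one-line comment such as `# session cookie on purpose: only needed until the key step completes`. login() starts before and ends after these hunks.
```python
def set_secure_cookie(resp, name, value, **kwargs):
    """Set *name* on *resp* with the hardening flags used throughout the app."""
    # TODO: add samesite='strict' here once the deployed aiohttp accepts it;
    # this replaces the commented-out line at every call site.
    resp.set_cookie(name, value, secure=True, httponly=True, **kwargs)

# … unchanged: login() up to the passwordless branch …
        set_secure_cookie(resp, 'userid', user_info['id'])
```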


@ -30,7 +30,14 @@ async def buckler_session(request, handler):
async with session.get(url, params=params) as resp:
data = await resp.json()
if data.get('error'):
raise web.HTTPFound(location=config.buckler['login_url'])
resp = web.HTTPFound(config.buckler['login_url'])
resp.set_cookie(
'redirect',
request.url,
secure=True,
httponly=True)
#samesite='strict')
raise resp
request['session'] = data['session_data']
request['meta'] = data['meta']
@ -51,11 +58,13 @@ async def buckler_session(request, handler):
max_age=30*24*60*60,
secure=True,
httponly=True)
#samesite='strict')
resp.set_cookie(
'session',
user_sid,
max_age=30*24*60*60,
secure=True,
httponly=True)
#samesite='strict')
return resp
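Review bot: In the error branch of the first buckler_session hunk, `request.url` is passed to set_cookie as the 'redirect' value without conversion; aiohttp hands it to SimpleCookie, which appears to stringify non-str values, so it works today, but `str(request.url)` states the intent and does not depend on that coercion. The stored value is the full URL of the interrupted request including its query string, so a short comment on that line is worth adding, e.g. `# full URL incl. query of the interrupted request; consumed after login`, and it is worth confirming that the cookie is cleared on every path that consumes it — I can only see it cleared in authenticate_complete. buckler_session continues between and after these two hunks.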


@ -76,13 +76,15 @@ class BucklerSessionInterface(SessionInterface):
session.cookies['userid'],
max_age=30*24*60*60,
secure=True,
httponly=True)
httponly=True,
samesite='strict')
response.set_cookie(
'session',
session.cookies['session'],
max_age=30*24*60*60,
secure=True,
httponly=True)
httponly=True,
samesite='strict')
class BucklerSession(dict, SessionMixin):
@ -103,5 +105,10 @@ def require_auth():
"""
if not hasattr(session, 'meta'):
resp = redirect(config.buckler['login_url'])
resp.set_cookie('redirect', request.url)
resp.set_cookie(
'redirect',
request.url,
secure=True,
httponly=True,
samesite='strict')
return resp
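Review bot: `samesite='strict'` on the 'redirect' cookie set in require_auth means the browser will not attach it on the top-level navigation that brings the user back from the buckler login page; if `config.buckler['login_url']` is on a different site from this app, the first request after login arrives without the cookie and the user lands on the default page instead of where they started. If the login service is same-site this is moot, but it is the standard Strict caveat and should be recorded, e.g. `# samesite='strict': login_url must be same-site or this hint is dropped on the return trip`; alternatively `samesite='lax'` for this one cookie, which carries no credential, while the 'userid' and 'session' cookies in the first hunk keep 'strict'. Both hunks sit in the middle of their enclosing definitions.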


@ -32,7 +32,7 @@ function login() {
body: CBOR.encode({
})
}).then(function(response) {
if(!response.ok) { throw new Error('Error getting registration data!'); }
if(!response.ok) { throw new Error('Error getting authentication data!'); }
return response.arrayBuffer();
}).then(CBOR.decode).then(function(options) {
return navigator.credentials.get(options);
@ -52,8 +52,7 @@ function login() {
}).then(function(response) {
return response.json();
}).then(function(json) {
console.log(json);
if (!json.ok) { throw new Error('HTTP error, status = ' + json.status + ', message = ' + json.message); }
window.location = url_prefix + '/';
window.location = json.redirect;
});
}