Compare commits
2 Commits
8060d84ac2
...
7673fccd22
Author | SHA1 | Date | |
---|---|---|---|
7673fccd22 | |||
85c0f37e17 |
44
auth.py
44
auth.py
|
@ -30,7 +30,7 @@ def auth_required(func):
|
|||
login_url = request.app.router['login'].url_for()
|
||||
sid = request.cookies.get('session')
|
||||
try:
|
||||
user_id = int(request.cookies.get('userid', '0'))
|
||||
user_id = int(request.cookies.get('userid'))
|
||||
except (ValueError, TypeError):
|
||||
user_id = None
|
||||
if not sid or not user_id:
|
||||
|
@ -62,12 +62,14 @@ def auth_required(func):
|
|||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
resp.set_cookie(
|
||||
'session',
|
||||
sid,
|
||||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
return resp
|
||||
else:
|
||||
raise web.HTTPFound(location=login_url)
|
||||
|
@ -93,7 +95,12 @@ async def register_begin(request):
|
|||
}, exist_cred, user_verification='discouraged')
|
||||
|
||||
resp = web.Response(body=cbor.encode(registration_data))
|
||||
resp.set_cookie('state', json.dumps(state))
|
||||
resp.set_cookie(
|
||||
'state',
|
||||
json.dumps(state),
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
return resp
|
||||
|
||||
|
||||
|
@ -132,7 +139,13 @@ async def register_complete(request):
|
|||
user_id, nick, auth_data.credential_data)
|
||||
|
||||
resp = web.json_response({'ok': True})
|
||||
resp.set_cookie('state', '', max_age=0)
|
||||
resp.set_cookie(
|
||||
'state',
|
||||
'',
|
||||
max_age=0,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
return resp
|
||||
|
||||
|
||||
|
@ -152,7 +165,12 @@ async def authenticate_begin(request):
|
|||
|
||||
auth_data, state = server.authenticate_begin(credentials)
|
||||
resp = web.Response(body=cbor.encode(auth_data))
|
||||
resp.set_cookie('state', json.dumps(state))
|
||||
resp.set_cookie(
|
||||
'state',
|
||||
json.dumps(state),
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
return resp
|
||||
|
||||
|
||||
|
@ -188,15 +206,28 @@ async def authenticate_complete(request):
|
|||
if not url:
|
||||
url = request.app.router['index'].url_for()
|
||||
resp = web.json_response({'ok': True, 'redirect': str(url)})
|
||||
resp.set_cookie('state', '', max_age=0)
|
||||
resp.set_cookie(
|
||||
'state',
|
||||
'',
|
||||
max_age=0,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
|
||||
resp.set_cookie('redirect', '', max_age=0)
|
||||
resp.set_cookie(
|
||||
'redirect',
|
||||
'',
|
||||
max_age=0,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
resp.set_cookie(
|
||||
'userid',
|
||||
user_id,
|
||||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
sid = secrets.token_urlsafe(64)
|
||||
ip_address = request.headers['X-Real-IP']
|
||||
async with request.app['pool'].acquire() as conn:
|
||||
|
@ -212,5 +243,6 @@ async def authenticate_complete(request):
|
|||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
|
||||
return resp
|
||||
|
|
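Review bot: Every aiohttp `set_cookie` call in this file (auth_required, register_begin, register_complete, authenticate_begin, authenticate_complete) now ends in a commented-out `#samesite='strict')` line, so these cookies are sent without any SameSite attribute while the Flask file in this same commit sets it; presumably the installed aiohttp predates the `samesite=` keyword (added in aiohttp 3.7), but the trailing comment does not say so and reads as leftover code. Either pass `samesite='strict'` once the dependency allows it or replace the comment with one that records the reason, e.g. `# TODO: samesite='strict' once aiohttp >= 3.7 is required`. The same `max_age=30*24*60*60, secure=True, httponly=True` triple is repeated in roughly ten places across auth.py and buckler.py; a small helper keeps the attribute set in one place so the next hardening (SameSite, an explicit `path`) cannot be missed at one call site. Separately, the context line `ip_address = request.headers['X-Real-IP']` raises KeyError (a 500) on any request that did not come through the reverse proxy; `request.headers.get('X-Real-IP', request.remote)` degrades more gracefully if the app can be reached directly. Each handler's body continues outside its hunk.
```python
SESSION_COOKIE_MAX_AGE = 30 * 24 * 60 * 60


def set_hardened_cookie(resp, name, value, *, max_age=None):
    """Set *name*=*value* on *resp* with the attributes every cookie in this app needs."""
    # samesite='strict' belongs here once the aiohttp version in use accepts the keyword.
    resp.set_cookie(name, value, max_age=max_age, secure=True, httponly=True)

# … unchanged: handlers; each multi-line resp.set_cookie(...) block becomes one call, e.g.
#     set_hardened_cookie(resp, 'session', sid, max_age=SESSION_COOKIE_MAX_AGE)
#     set_hardened_cookie(resp, 'state', '', max_age=0)
```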
23
buckler.py
23
buckler.py
|
@ -38,11 +38,11 @@ async def index(request):
|
|||
'new_app': forms.new_app,
|
||||
'change_password': forms.change_password,
|
||||
'delete_key': forms.delete_key,
|
||||
'delele_session': forms.delete_session,
|
||||
'delete_session': forms.delete_session,
|
||||
}
|
||||
|
||||
if not forms_.get(form):
|
||||
errors = {'main': "Unknown form id: {form}"}
|
||||
errors = {'main': f"Unknown form id: {form}"}
|
||||
else:
|
||||
errors = await forms_[form](request)
|
||||
|
||||
|
@ -65,7 +65,8 @@ async def index(request):
|
|||
request['session']['id'])
|
||||
active_sessions = await conn.fetch(
|
||||
"SELECT id, ip_address, date_created, last_used FROM user_session "
|
||||
"WHERE user_id = $1 ORDER BY last_used DESC",
|
||||
"WHERE user_id = $1 AND expires > NOW() "
|
||||
"ORDER BY last_used DESC",
|
||||
request['session']['id'])
|
||||
|
||||
if request['session']['admin']:
|
||||
|
@ -108,14 +109,24 @@ async def login(request):
|
|||
if has_cred['exists'] and user_info['passwordless']:
|
||||
url_prefix = config.url_prefix
|
||||
resp = render_template("login_key.html", request, locals())
|
||||
resp.set_cookie('userid', user_info['id'])
|
||||
resp.set_cookie(
|
||||
'userid',
|
||||
user_info['id'],
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
return resp
|
||||
|
||||
if argon2.verify(password, user_info['password_hash']):
|
||||
if has_cred['exists']:
|
||||
url_prefix = config.url_prefix
|
||||
resp = render_template("login_key.html", request, locals())
|
||||
resp.set_cookie('userid', user_info['id'])
|
||||
resp.set_cookie(
|
||||
'userid',
|
||||
user_info['id'],
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
return resp
|
||||
|
||||
url = request.cookies.get('redirect')
|
||||
|
@ -129,6 +140,7 @@ async def login(request):
|
|||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
sid = secrets.token_urlsafe(64)
|
||||
ip_address = request.headers['X-Real-IP']
|
||||
async with request.app['pool'].acquire() as conn:
|
||||
|
@ -143,6 +155,7 @@ async def login(request):
|
|||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
raise resp
|
||||
else:
|
||||
login_failed = True
|
||||
|
|
|
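Review bot: `login` takes the post-login target from `url = request.cookies.get('redirect')` (context line; the use of `url` is outside the hunk) and, as far as this section shows, nothing checks that the value points back into this application before the client is sent there, and auth.py's authenticate_complete appears to do the same (`if not url: url = request.app.router['index'].url_for()`). The cookie is written by the app itself with Secure and HttpOnly, which keeps page scripts from setting it, but a cookie is not an integrity-protected channel (any host able to set cookies for the parent domain can overwrite it), so the target should be validated as same-origin or path-only before use, e.g. `if url and yarl.URL(url).host not in (None, request.host): url = None`. The `userid` cookie set in the two passkey branches of this hunk has no `max_age`, unlike the 30-day cookies elsewhere; if that is intentional (only needed for the WebAuthn round trip) a one-line comment saying so would stop a later reader from "fixing" it. Fix it once in a shared place and name both call sites, rather than patching each file separately.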
@ -30,7 +30,14 @@ async def buckler_session(request, handler):
|
|||
async with session.get(url, params=params) as resp:
|
||||
data = await resp.json()
|
||||
if data.get('error'):
|
||||
raise web.HTTPFound(location=config.buckler['login_url'])
|
||||
resp = web.HTTPFound(config.buckler['login_url'])
|
||||
resp.set_cookie(
|
||||
'redirect',
|
||||
request.url,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
raise resp
|
||||
request['session'] = data['session_data']
|
||||
request['meta'] = data['meta']
|
||||
|
||||
|
@ -51,11 +58,13 @@ async def buckler_session(request, handler):
|
|||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
resp.set_cookie(
|
||||
'session',
|
||||
user_sid,
|
||||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
#samesite='strict')
|
||||
|
||||
return resp
|
||||
|
|
|
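Review bot: Inside `async with session.get(url, params=params) as resp:` the error branch rebinds `resp` to the `web.HTTPFound` it builds (`resp = web.HTTPFound(config.buckler['login_url'])`), shadowing the client response that is still open in that block; it works because the context manager keeps its own reference, but it reads as though the client response were being raised. A distinct name makes the intent obvious: `redirect = web.HTTPFound(config.buckler['login_url'])` / `redirect.set_cookie('redirect', str(request.url), secure=True, httponly=True)` / `raise redirect`. `request.url` is a `yarl.URL`, not a str; `str(request.url)` makes the conversion explicit instead of relying on the cookie layer to stringify it. The commented-out `#samesite='strict')` here and in the second hunk has the same status as in auth.py and deserves the same explanatory comment. `buckler_session` starts before and continues after these hunks.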
@ -76,13 +76,15 @@ class BucklerSessionInterface(SessionInterface):
|
|||
session.cookies['userid'],
|
||||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
httponly=True,
|
||||
samesite='strict')
|
||||
response.set_cookie(
|
||||
'session',
|
||||
session.cookies['session'],
|
||||
max_age=30*24*60*60,
|
||||
secure=True,
|
||||
httponly=True)
|
||||
httponly=True,
|
||||
samesite='strict')
|
||||
|
||||
|
||||
class BucklerSession(dict, SessionMixin):
|
||||
|
@ -103,5 +105,10 @@ def require_auth():
|
|||
"""
|
||||
if not hasattr(session, 'meta'):
|
||||
resp = redirect(config.buckler['login_url'])
|
||||
resp.set_cookie('redirect', request.url)
|
||||
resp.set_cookie(
|
||||
'redirect',
|
||||
request.url,
|
||||
secure=True,
|
||||
httponly=True,
|
||||
samesite='strict')
|
||||
return resp
|
||||
|
|
|
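Review bot: `samesite='strict'` on the `redirect` cookie in require_auth (and on the `userid`/`session` cookies in BucklerSessionInterface) means the browser withholds these cookies on any top-level navigation that originates from another site; if `config.buckler['login_url']` lives on a different site, the navigation back from the login page arrives without `redirect` and without the session cookies, which would drop the user at the index or back on the login page. That only bites when the login host is cross-site — worth confirming against the deployment before merging; `samesite='Lax'` is the usual choice for a cookie that must survive a cross-site top-level redirect, while `Strict` is right for same-site setups. This is also the only file where the attribute is active, so the aiohttp services and this Flask service now behave differently for the same cookie names; a comment such as `# Strict is safe here: login_url is same-site` (or the Lax alternative) records the decision. Both enclosing functions continue outside their hunks.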
@ -32,7 +32,7 @@ function login() {
|
|||
body: CBOR.encode({
|
||||
})
|
||||
}).then(function(response) {
|
||||
if(!response.ok) { throw new Error('Error getting registration data!'); }
|
||||
if(!response.ok) { throw new Error('Error getting authentication data!'); }
|
||||
return response.arrayBuffer();
|
||||
}).then(CBOR.decode).then(function(options) {
|
||||
return navigator.credentials.get(options);
|
||||
|
@ -52,8 +52,7 @@ function login() {
|
|||
}).then(function(response) {
|
||||
return response.json();
|
||||
}).then(function(json) {
|
||||
console.log(json);
|
||||
if (!json.ok) { throw new Error('HTTP error, status = ' + json.status + ', message = ' + json.message); }
|
||||
window.location = url_prefix + '/';
|
||||
window.location = json.redirect;
|
||||
});
|
||||
}
|
||||
|
|
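Review bot: `window.location = json.redirect` navigates wherever the server's `redirect` field points; the server builds that value from the `redirect` cookie in auth.py's authenticate_complete, so the real validation belongs there, but a same-origin check on the client is cheap insurance: `var target = new URL(json.redirect, window.location.href);` / `window.location = target.origin === window.location.origin ? target.href : url_prefix + '/';`. The context line `console.log(json)` just above prints the whole authentication response into the console and should go before this ships. The surrounding promise chain of `login()` starts outside the hunk.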