mirror of
https://git.sr.ht/~tsileo/microblog.pub
synced 2024-12-22 21:24:28 +00:00
Enable the CSRF check for the login page
This commit is contained in:
parent
8af33d866d
commit
2befde27d5
3 changed files with 5 additions and 2 deletions
|
@ -293,6 +293,8 @@ class BaseActivity(object):
|
||||||
def _should_purge_cache(self) -> bool:
|
def _should_purge_cache(self) -> bool:
|
||||||
raise NotImplementedError
|
raise NotImplementedError
|
||||||
|
|
||||||
|
# FIXME(tsileo): _pre_process_from_inbox, _pre_post_to_outbox, allow to prevent saving, check for undo, delete, update both inbox and outbox
|
||||||
|
|
||||||
def process_from_inbox(self) -> None:
|
def process_from_inbox(self) -> None:
|
||||||
logger.debug(f'calling main process from inbox hook for {self}')
|
logger.debug(f'calling main process from inbox hook for {self}')
|
||||||
self.verify()
|
self.verify()
|
||||||
|
@ -719,7 +721,6 @@ class Update(BaseActivity):
|
||||||
# TODO(tsileo): implements _should_purge_cache if it's a reply of a published activity (i.e. in the outbox)
|
# TODO(tsileo): implements _should_purge_cache if it's a reply of a published activity (i.e. in the outbox)
|
||||||
|
|
||||||
def _post_to_outbox(self, obj_id: str, activity: ObjectType, recipients: List[str]) -> None:
|
def _post_to_outbox(self, obj_id: str, activity: ObjectType, recipients: List[str]) -> None:
|
||||||
print('UPDATE')
|
|
||||||
obj = self._data['object']
|
obj = self._data['object']
|
||||||
|
|
||||||
update_prefix = 'activity.object.'
|
update_prefix = 'activity.object.'
|
||||||
|
|
3
app.py
3
app.py
|
@ -73,7 +73,7 @@ app.secret_key = get_secret_key('flask')
|
||||||
app.config.update(
|
app.config.update(
|
||||||
WTF_CSRF_CHECK_DEFAULT=False,
|
WTF_CSRF_CHECK_DEFAULT=False,
|
||||||
)
|
)
|
||||||
# csrf = CSRFProtect(app)
|
csrf = CSRFProtect(app)
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
@ -287,6 +287,7 @@ def login():
|
||||||
devices = [doc['device'] for doc in DB.u2f.find()]
|
devices = [doc['device'] for doc in DB.u2f.find()]
|
||||||
u2f_enabled = True if devices else False
|
u2f_enabled = True if devices else False
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
|
csrf.protect()
|
||||||
pwd = request.form.get('pass')
|
pwd = request.form.get('pass')
|
||||||
if pwd and verify_pass(pwd):
|
if pwd and verify_pass(pwd):
|
||||||
if devices:
|
if devices:
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
{% if session.logged_in %}logged{% else%}not logged{%endif%}
|
{% if session.logged_in %}logged{% else%}not logged{%endif%}
|
||||||
|
|
||||||
<form id="login-form" method="POST">
|
<form id="login-form" method="POST">
|
||||||
|
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
|
||||||
<input type="password" name="pass" placeholder="password">
|
<input type="password" name="pass" placeholder="password">
|
||||||
{% if u2f_enabled %}
|
{% if u2f_enabled %}
|
||||||
<input type="hidden" name="resp" id="sig-payload" value="">
|
<input type="hidden" name="resp" id="sig-payload" value="">
|
||||||
|
|
Loading…
Reference in a new issue