Enable the CSRF check for the login page

This commit is contained in:
Thomas Sileo 2018-06-01 21:54:43 +02:00
parent 8af33d866d
commit 2befde27d5
3 changed files with 5 additions and 2 deletions


@ -293,6 +293,8 @@ class BaseActivity(object):
def _should_purge_cache(self) -> bool: def _should_purge_cache(self) -> bool:
raise NotImplementedError raise NotImplementedError
# FIXME(tsileo): _pre_process_from_inbox, _pre_post_to_outbox, allow to prevent saving, check for undo, delete, update both inbox and outbox
def process_from_inbox(self) -> None: def process_from_inbox(self) -> None:
logger.debug(f'calling main process from inbox hook for {self}') logger.debug(f'calling main process from inbox hook for {self}')
self.verify() self.verify()
@ -719,7 +721,6 @@ class Update(BaseActivity):
# TODO(tsileo): implements _should_purge_cache if it's a reply of a published activity (i.e. in the outbox) # TODO(tsileo): implements _should_purge_cache if it's a reply of a published activity (i.e. in the outbox)
def _post_to_outbox(self, obj_id: str, activity: ObjectType, recipients: List[str]) -> None: def _post_to_outbox(self, obj_id: str, activity: ObjectType, recipients: List[str]) -> None:
print('UPDATE')
obj = self._data['object'] obj = self._data['object']
update_prefix = 'activity.object.' update_prefix = 'activity.object.'

3
app.py

@ -73,7 +73,7 @@ app.secret_key = get_secret_key('flask')
app.config.update( app.config.update(
WTF_CSRF_CHECK_DEFAULT=False, WTF_CSRF_CHECK_DEFAULT=False,
) )
# csrf = CSRFProtect(app) csrf = CSRFProtect(app)
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -287,6 +287,7 @@ def login():
devices = [doc['device'] for doc in DB.u2f.find()] devices = [doc['device'] for doc in DB.u2f.find()]
u2f_enabled = True if devices else False u2f_enabled = True if devices else False
if request.method == 'POST': if request.method == 'POST':
csrf.protect()
pwd = request.form.get('pass') pwd = request.form.get('pass')
if pwd and verify_pass(pwd): if pwd and verify_pass(pwd):
if devices: if devices:
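Review bot: With `WTF_CSRF_CHECK_DEFAULT=False` still set in the first hunk, CSRF validation is opt-in per view, so the `csrf.protect()` call added to login() covers only this handler; any other session-authenticated POST view in app.py remains unverified unless it makes the same explicit call, and nothing in the code records that obligation. Consider inverting the model — drop `WTF_CSRF_CHECK_DEFAULT=False` and mark the routes that must accept unauthenticated cross-origin POSTs (presumably the ActivityPub inbox, which I infer from the other file in this commit) with `@csrf.exempt` — or at least document the opt-in contract next to the config line, e.g. `# CSRF checking is opt-in: every view that mutates state on a logged-in session must call csrf.protect()`. Note that `csrf.protect()` raises `CSRFError` on a missing or stale token, which Flask-WTF turns into a 400 by default; if failed logins are logged for detection purposes, an `@app.errorhandler(CSRFError)` is the place to log rejected tokens as well. The login() function continues outside the hunk.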


@ -8,6 +8,7 @@
{% if session.logged_in %}logged{% else%}not logged{%endif%} {% if session.logged_in %}logged{% else%}not logged{%endif%}
<form id="login-form" method="POST"> <form id="login-form" method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<input type="password" name="pass" placeholder="password"> <input type="password" name="pass" placeholder="password">
{% if u2f_enabled %} {% if u2f_enabled %}
<input type="hidden" name="resp" id="sig-payload" value=""> <input type="hidden" name="resp" id="sig-payload" value="">