forked from forks/microblog.pub
Improve expired session and CSRF error handling
This commit is contained in:
parent
949365d8ba
commit
b99552384c
5 changed files with 32 additions and 8 deletions
13
app/admin.py
13
app/admin.py
|
@ -40,13 +40,22 @@ from app.utils import pagination
|
|||
from app.utils.emoji import EMOJIS_BY_NAME
|
||||
|
||||
|
||||
def user_session_or_redirect(
|
||||
async def user_session_or_redirect(
|
||||
request: Request,
|
||||
session: str | None = Cookie(default=None),
|
||||
) -> None:
|
||||
if request.method == "POST":
|
||||
form_data = await request.form()
|
||||
if "redirect_url" in form_data:
|
||||
redirect_url = form_data["redirect_url"]
|
||||
else:
|
||||
redirect_url = request.url_for("admin_stream")
|
||||
else:
|
||||
redirect_url = str(request.url)
|
||||
|
||||
_RedirectToLoginPage = HTTPException(
|
||||
status_code=302,
|
||||
headers={"Location": request.url_for("login") + f"?redirect={request.url}"},
|
||||
headers={"Location": request.url_for("login") + f"?redirect={redirect_url}"},
|
||||
)
|
||||
|
||||
if not session:
|
||||
|
|
|
@ -200,10 +200,19 @@ def generate_csrf_token() -> str:
|
|||
return csrf_serializer.dumps(secrets.token_hex(16)) # type: ignore
|
||||
|
||||
|
||||
def verify_csrf_token(csrf_token: str = Form()) -> None:
|
||||
def verify_csrf_token(
|
||||
csrf_token: str = Form(),
|
||||
redirect_url: str | None = Form(None),
|
||||
) -> None:
|
||||
please_try_again = "please try again"
|
||||
if redirect_url:
|
||||
please_try_again = f'<a href="{redirect_url}">please try again</a>'
|
||||
try:
|
||||
csrf_serializer.loads(csrf_token, max_age=1800)
|
||||
except (itsdangerous.BadData, itsdangerous.SignatureExpired):
|
||||
logger.exception("Failed to verify CSRF token")
|
||||
raise HTTPException(status_code=403, detail="CSRF error")
|
||||
raise HTTPException(
|
||||
status_code=403,
|
||||
detail=f"The security token expired, {please_try_again}",
|
||||
)
|
||||
return None
|
||||
|
|
|
@ -509,3 +509,9 @@ nav.flexbox {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
.error-title {
|
||||
a {
|
||||
text-decoration: underline;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
{% endblock %}
|
||||
|
||||
{% block content %}
|
||||
<div class="centered primary-color">
|
||||
<h1>{{ title }}</h1>
|
||||
<div class="centered primary-color box">
|
||||
<h1 class="error-title">{{ title | safe }}</h1>
|
||||
</div>
|
||||
{% endblock %}
|
||||
|
|
|
@ -33,7 +33,7 @@ Whenever one of these config items is updated, an `Update` activity will be sent
|
|||
|
||||
The server will need to be restarted for taking changes into account.
|
||||
|
||||
Before restarting, you can ensure you haven't made any mistakes by running the [configuration checking task](/user_guide.html#configuration-checking).
|
||||
Before restarting the server, you can ensure you haven't made any mistakes by running the [configuration checking task](/user_guide.html#configuration-checking).
|
||||
|
||||
|
||||
### Profile metadata
|
||||
|
@ -161,7 +161,7 @@ And only the last 20 interactions (likes/shares/webmentions) will be displayed,
|
|||
|
||||
## Admin section
|
||||
|
||||
You can login to the admin section by clicking on the `Admin` link in the footer or by visiting `https://yourdomain.tld/admin`.
|
||||
You can login to the admin section by clicking on the `Admin` link in the footer or by visiting `https://yourdomain.tld/admin/login`.
|
||||
The password is the one set during the initial configuration.
|
||||
|
||||
### Lookup
|
||||
|
|
Loading…
Reference in a new issue