Mercurial > libervia-web
annotate libervia/web/pages/chat/page_meta.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | 7941444c1671 |
| children |
| rev | line source |
|---|---|
| 1216 | 1 #!/usr/bin/env python3 |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
2 |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
3 from libervia.backend.core.i18n import _ |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
4 from twisted.internet import defer |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
5 from libervia.backend.core.log import getLogger |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
6 from libervia.backend.tools.common import data_objects |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
7 from libervia.backend.tools.common import data_format |
| 1536 | 8 from libervia.frontends.tools import jid |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
9 from libervia.web.server.constants import Const as C |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
10 from libervia.web.server import session_iface |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
11 |
|
1241
921e9f2a97af
pages (chat): renamed `extra` argument to `extra_s` as it is now serialised
Goffi <goffi@goffi.org>
parents:
1232
diff
changeset
|
12 |
|
921e9f2a97af
pages (chat): renamed `extra` argument to `extra_s` as it is now serialised
Goffi <goffi@goffi.org>
parents:
1232
diff
changeset
|
13 log = getLogger(__name__) |
|
921e9f2a97af
pages (chat): renamed `extra` argument to `extra_s` as it is now serialised
Goffi <goffi@goffi.org>
parents:
1232
diff
changeset
|
14 |
| 1216 | 15 name = "chat" |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 access = C.PAGES_ACCESS_PROFILE |
| 1216 | 17 template = "chat/chat.html" |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 dynamic = True |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
19 |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
20 |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
21 def parse_url(self, request): |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
22 rdata = self.get_r_data(request) |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
23 |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
24 try: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
25 target_jid_s = self.next_path(request) |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
26 except IndexError: |
|
1000
4cc4d49e1d0f
pages (chat): moved rendering preparation in prepare_render, and redirect to page_select if no jid is specified.
Goffi <goffi@goffi.org>
parents:
996
diff
changeset
|
27 # not chat jid, we redirect to jid selection page |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
28 self.page_redirect("chat_select", request) |
| 1536 | 29 return |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
30 |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
31 try: |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
32 target_jid = jid.JID(target_jid_s) |
| 1536 | 33 if not target_jid.local: |
| 1216 | 34 raise ValueError(_("invalid jid for chat (no local part)")) |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
35 except Exception as e: |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
36 log.warning( |
| 1536 | 37 _("bad chat jid entered: {jid} ({msg})").format(jid=target_jid_s, msg=e) |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
38 ) |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
39 self.page_error(request, C.HTTP_BAD_REQUEST) |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
40 else: |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
41 rdata["target"] = target_jid |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
42 |
|
1000
4cc4d49e1d0f
pages (chat): moved rendering preparation in prepare_render, and redirect to page_select if no jid is specified.
Goffi <goffi@goffi.org>
parents:
996
diff
changeset
|
43 |
| 1536 | 44 async def prepare_render(self, request): |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
45 # Â FIXME: bug on room filtering (currently display messages from all rooms) |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
46 session = self.host.get_session_data(request, session_iface.IWebSession) |
|
1000
4cc4d49e1d0f
pages (chat): moved rendering preparation in prepare_render, and redirect to page_select if no jid is specified.
Goffi <goffi@goffi.org>
parents:
996
diff
changeset
|
47 template_data = request.template_data |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
48 rdata = self.get_r_data(request) |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
49 target_jid = rdata["target"] |
|
1000
4cc4d49e1d0f
pages (chat): moved rendering preparation in prepare_render, and redirect to page_select if no jid is specified.
Goffi <goffi@goffi.org>
parents:
996
diff
changeset
|
50 profile = session.profile |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
51 profile_jid = session.jid |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
52 |
| 1536 | 53 disco = await self.host.bridge_call( |
| 54 "disco_infos", target_jid.domain, "", True, profile | |
| 55 ) | |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
56 if "conference" in [i[0] for i in disco[1]]: |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
57 chat_type = C.CHAT_GROUP |
| 1536 | 58 join_ret = await self.host.bridge_call( |
| 59 "muc_join", target_jid.bare, "", "", profile | |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
60 ) |
|
1232
4ccc5bb65be2
pages (chat): handle room statuses following backend change
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
61 (already_joined, |
|
4ccc5bb65be2
pages (chat): handle room statuses following backend change
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
62 room_jid_s, |
|
4ccc5bb65be2
pages (chat): handle room statuses following backend change
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
63 occupants, |
|
4ccc5bb65be2
pages (chat): handle room statuses following backend change
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
64 user_nick, |
|
4ccc5bb65be2
pages (chat): handle room statuses following backend change
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
65 room_subject, |
|
4ccc5bb65be2
pages (chat): handle room statuses following backend change
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
66 room_statuses, |
|
4ccc5bb65be2
pages (chat): handle room statuses following backend change
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
67 __) = join_ret |
| 1216 | 68 template_data["subject"] = room_subject |
|
1232
4ccc5bb65be2
pages (chat): handle room statuses following backend change
Goffi <goffi@goffi.org>
parents:
1216
diff
changeset
|
69 template_data["room_statuses"] = room_statuses |
|
1595
7941444c1671
pages: set `own_local_jid` to avoid confusion with `own_jid`:
Goffi <goffi@goffi.org>
parents:
1543
diff
changeset
|
70 own_local_jid = jid.JID(room_jid_s) |
|
7941444c1671
pages: set `own_local_jid` to avoid confusion with `own_jid`:
Goffi <goffi@goffi.org>
parents:
1543
diff
changeset
|
71 own_local_jid = own_local_jid.change_resource(user_nick) |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
72 else: |
| 1536 | 73 room_subject = None |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
74 chat_type = C.CHAT_ONE2ONE |
|
1595
7941444c1671
pages: set `own_local_jid` to avoid confusion with `own_jid`:
Goffi <goffi@goffi.org>
parents:
1543
diff
changeset
|
75 own_local_jid = profile_jid |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
76 rdata["chat_type"] = chat_type |
|
1595
7941444c1671
pages: set `own_local_jid` to avoid confusion with `own_jid`:
Goffi <goffi@goffi.org>
parents:
1543
diff
changeset
|
77 template_data["own_local_jid"] = own_local_jid |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
78 |
| 1536 | 79 history = await self.host.bridge_call( |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
80 "history_get", |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
81 profile_jid.userhost(), |
| 1536 | 82 target_jid.bare, |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
83 20, |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
84 True, |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
85 {}, |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
86 profile, |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
87 ) |
| 1536 | 88 |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
89 authors = {m[2] for m in history} |
|
1266
6b7f9c3558cc
server, pages: better identities handling:
Goffi <goffi@goffi.org>
parents:
1243
diff
changeset
|
90 identities = session.identities |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
91 for author in authors: |
| 1536 | 92 id_raw = await self.host.bridge_call( |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
93 "identity_get", author, [], True, profile) |
|
1243
8aff742d0dd0
pages: updated `identityGet` call, following backend changes
Goffi <goffi@goffi.org>
parents:
1241
diff
changeset
|
94 identities[author] = data_format.deserialise(id_raw) |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
95 |
| 1216 | 96 template_data["messages"] = data_objects.Messages(history) |
|
1266
6b7f9c3558cc
server, pages: better identities handling:
Goffi <goffi@goffi.org>
parents:
1243
diff
changeset
|
97 rdata['identities'] = identities |
| 1216 | 98 template_data["target_jid"] = target_jid |
| 99 template_data["chat_type"] = chat_type | |
| 1536 | 100 self.expose_to_scripts( |
| 101 request, | |
| 102 room_subject=room_subject, | |
|
1595
7941444c1671
pages: set `own_local_jid` to avoid confusion with `own_jid`:
Goffi <goffi@goffi.org>
parents:
1543
diff
changeset
|
103 own_local_jid=str(own_local_jid), |
| 1536 | 104 target_jid=target_jid, |
| 105 chat_type=chat_type, | |
| 106 ) | |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
107 |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
108 |
|
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
109 def on_data(self, request, data): |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
110 session = self.host.get_session_data(request, session_iface.IWebSession) |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
111 rdata = self.get_r_data(request) |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
112 target = rdata["target"] |
| 1216 | 113 data_type = data.get("type", "") |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
114 if data_type == "msg": |
| 1216 | 115 message = data["body"] |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
116 mess_type = ( |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
117 C.MESS_TYPE_GROUPCHAT |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
118 if rdata["chat_type"] == C.CHAT_GROUP |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
119 else C.MESS_TYPE_CHAT |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
120 ) |
| 1216 | 121 log.debug("message received: {}".format(message)) |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
122 self.host.bridge_call( |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
123 "message_send", |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
124 target.full(), |
| 1216 | 125 {"": message}, |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
126 {}, |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
127 mess_type, |
| 1429 | 128 "", |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
129 session.profile, |
|
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
1091
diff
changeset
|
130 ) |
|
996
d821c112e656
pages (chat): implementation of chat page using new dynamic pages, first draft
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
131 else: |
| 1216 | 132 log.warning("unknown message type: {type}".format(type=data_type)) |