annotate libervia/web/pages/login/page_meta.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from the service profile (but not from other
profiles); this led to a session fixation vulnerability (an attacker on the same
machine could obtain the service profile's session cookie and reuse it once a victim logged in).
This patch fixes it by always starting a new session on connection.
fix 443
author | Goffi <goffi@goffi.org> |
---|---|
date | Fri, 23 Feb 2024 13:35:24 +0100 |
parents | 7941444c1671 |
children |
#!/usr/bin/env python3


from libervia.backend.core.i18n import _
from libervia.backend.core import exceptions
from libervia.web.server.constants import Const as C
from libervia.web.server import session_iface
# NOTE(review): `defer` is not referenced by any code shown in this file
# (on_data_post is a coroutine); kept as-is since imports are file-level.
from twisted.internet import defer
from libervia.backend.core.log import getLogger

log = getLogger(__name__)

# Not a module docstring (it follows executable statements), so this string is a
# no-op expression that only serves as a human-readable description of the page.
"""Libervia Web log-in page, with link to create an account"""

# page metadata read by the Libervia Web server
name = "login"
# no logged-in profile is required to reach this page: prepare_render below
# handles the profile-less case itself
access = C.PAGES_ACCESS_PUBLIC
template = "login/login.html"
def prepare_render(self, request):
    """Fill the template data for the log-in page.

    A request that already carries a logged profile is sent to /login/logged
    via page_redirect. Otherwise the "login_error" page datum left by a
    previous POST (if any) is popped into the template together with the
    server constants and the empty-password option, the registration URL is
    exposed when registration is allowed, and the previously posted login is
    popped to prefill the form field.

    @param request: the HTTP request being rendered
    """
    tpl = request.template_data

    # an active session does not need the form: go to the logged page
    if self.get_profile(request) is not None:
        self.page_redirect("/login/logged", request)

    web_session = self.host.get_session_data(request, session_iface.IWebSession)

    # error constant stored by login_error() after a failed attempt
    error_const = web_session.pop_page_data(self, "login_error")
    if error_const is not None:
        tpl["S_C"] = C  # the template needs the server constants
        tpl["login_error"] = error_const
        tpl["empty_password_allowed"] = bool(
            self.host.options["empty_password_allowed_warning_dangerous_list"]
        )

    # link to account creation, only when registration is open
    if self.host.options["allow_registration"]:
        tpl["register_url"] = self.get_page_redirect_url(request, "register")

    # previously posted login, used to prefill the form field
    tpl["login"] = web_session.pop_page_data(self, "login")
def login_error(self, request, error_const):
    """Record a login failure for the next rendering of this page.

    The constant is stored under the "login_error" page-data key of the web
    session, where prepare_render pops it.

    @param request: the HTTP request of the failed attempt
    @param error_const(unicode): one of the login error constants
    @return C.POST_NO_CONFIRM: no confirmation message is shown
    """
    web_session = self.host.get_session_data(request, session_iface.IWebSession)
    web_session.set_page_data(self, "login_error", error_const)
    return C.POST_NO_CONFIRM
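async def on_data_post(self, request):
    """Handle the login form POST: disconnect the current profile or log one in.

    The posted "type" field selects the action:
      - "disconnect": purge the current web session (a profile must be logged)
      - "login": authenticate with the posted "login"/"password" pair through
        self.host.connect (per this revision's commit message, connect is
        where a fresh session is always started — not visible in this file)
    Any other value answers with HTTP 400 via page_error.

    @param request: the HTTP request carrying the posted form data
    @return: C.POST_NO_CONFIRM after a disconnect or a login failure (the
        failure constant is stored in page data so prepare_render can show
        it); None otherwise
    @raise ValueError: re-raised when connect fails with a message that is
        not one of the known auth error constants
    """
    profile = self.get_profile(request)
    type_ = self.get_posted_data(request, "type")
    if type_ == "disconnect":
        if profile is None:
            log.warning(_("Disconnect called when no profile is logged"))
            # NOTE(review): page_error is assumed to abort the request; if it
            # returns normally the function simply ends with None — confirm
            self.page_error(request, C.HTTP_BAD_REQUEST)
        else:
            self.host.purge_session(request)
            return C.POST_NO_CONFIRM
    elif type_ == "login":
        login, password = self.get_posted_data(request, ("login", "password"))
        try:
            status = await self.host.connect(request, login, password)
        except exceptions.ProfileUnknownError:
            # the profile doesn't exist, we return the same error as for invalid password
            # to avoid bruteforcing valid profiles
            # `!r` keeps the untrusted login value escaped (no raw control
            # characters) in the log line
            log.warning(f"login tentative with invalid profile: {login!r}")
            return login_error(self, request, C.PROFILE_AUTH_ERROR)
        except ValueError as e:
            message = str(e)
            if message in (C.XMPP_AUTH_ERROR, C.PROFILE_AUTH_ERROR):
                return login_error(self, request, message)
            # this error was not expected: re-raise with the original traceback
            raise
        except exceptions.TimeOutError:
            return login_error(self, request, C.NO_REPLY)
        else:
            if status in (C.PROFILE_LOGGED, C.PROFILE_LOGGED_EXT_JID, C.SESSION_ACTIVE):
                # Profile has been logged correctly
                self.redirect_or_continue(request)
            else:
                # translate the template first, then substitute: formatting
                # before `_()` made the catalog lookup miss the message
                log.error(_("Unhandled status: {status}").format(status=status))
    else:
        self.page_error(request, C.HTTP_BAD_REQUEST)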