Mercurial > libervia-web
annotate libervia/web/pages/register/page_meta.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | 291a7026cb2b |
| children |
| rev | line source |
|---|---|
| 1216 | 1 #!/usr/bin/env python3 |
| 1239 | 2 |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
3 |
|
1592
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
4 from libervia.backend.core import exceptions |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
5 from libervia.backend.tools.common import data_format |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
6 from libervia.frontends.bridge.bridge_frontend import BridgeException |
|
1518
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
7 from libervia.web.server.constants import Const as C |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
8 from libervia.web.server import session_iface |
|
eb00d593801d
refactoring: rename `libervia` to `libervia.web` + update imports following backend changes
Goffi <goffi@goffi.org>
parents:
1509
diff
changeset
|
9 from libervia.backend.core.log import getLogger |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
963
diff
changeset
|
10 |
|
1145
29eb15062416
pages: set __name__ for imported pages
Goffi <goffi@goffi.org>
parents:
1124
diff
changeset
|
11 log = getLogger(__name__) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
12 |
|
1592
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
13 """Libervia account registration page""" |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
14 |
| 1216 | 15 name = "register" |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
16 access = C.PAGES_ACCESS_PUBLIC |
| 1216 | 17 template = "login/register.html" |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
18 |
|
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
19 |
|
1592
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
20 def parse_url(self, request): |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
21 self.get_path_args( |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
22 request, |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
23 ("registration_id",), |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
24 ) |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
25 |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
26 |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
27 async def prepare_render(self, request): |
|
1404
6a35167a4e2c
pages (login, register): fix `allow_registration`:
Goffi <goffi@goffi.org>
parents:
1239
diff
changeset
|
28 if not self.host.options["allow_registration"]: |
|
1592
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
29 try: |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
30 await self.host.check_registration_id(request) |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
31 except exceptions.NotFound: |
|
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
32 self.page_error(request, C.HTTP_FORBIDDEN) |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
33 profile = self.get_profile(request) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
34 if profile is not None: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
35 self.page_redirect("/login/logged", request) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
36 template_data = request.template_data |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
37 template_data["login_url"] = self.get_page_by_name("login").url |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
963
diff
changeset
|
38 template_data["S_C"] = C # we need server constants in template |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
39 |
|
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
40 # login error message |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
41 session_data = self.host.get_session_data(request, session_iface.IWebSession) |
|
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
42 login_error = session_data.pop_page_data(self, "login_error") |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
43 if login_error is not None: |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
963
diff
changeset
|
44 template_data["login_error"] = login_error |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
45 |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
963
diff
changeset
|
46 # if fields were already filled, we reuse them |
| 1216 | 47 for k in ("login", "email", "password"): |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
48 template_data[k] = session_data.pop_page_data(self, k) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
49 |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
963
diff
changeset
|
50 |
|
1592
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
51 async def on_data_post(self, request): |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
52 type_ = self.get_posted_data(request, "type") |
| 1216 | 53 if type_ == "register": |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
54 login, email, password = self.get_posted_data( |
| 1216 | 55 request, ("login", "email", "password") |
|
1113
cdd389ef97bc
server: code style reformatting using black
Goffi <goffi@goffi.org>
parents:
963
diff
changeset
|
56 ) |
|
1592
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
57 status = await self.host.register_new_account(request, login, password, email) |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
58 session_data = self.host.get_session_data(request, session_iface.IWebSession) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
59 if status == C.REGISTRATION_SUCCEED: |
|
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
60 # we prefill login field for login page |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
61 session_data.set_page_data(self.get_page_by_name("login"), "login", login) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
62 # if we have a redirect_url we follow it |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
63 self.redirect_or_continue(request) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
64 # else we redirect to login page |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
65 self.http_redirect(request, self.get_page_by_name("login").url) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
66 else: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
67 session_data.set_page_data(self, "login_error", status) |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
68 l = locals() |
| 1216 | 69 for k in ("login", "email", "password"): |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
70 # we save fields so user doesn't have to enter them again |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
71 session_data.set_page_data(self, k, l[k]) |
|
1592
291a7026cb2b
server: handle new registration link feature, following backend implementation
Goffi <goffi@goffi.org>
parents:
1518
diff
changeset
|
72 return C.POST_NO_CONFIRM |
|
963
2932170bb526
pages: added login/logged and register pages
Goffi <goffi@goffi.org>
parents:
diff
changeset
|
73 else: |
|
1509
106bae41f5c8
massive refactoring from camelCase -> snake_case. See backend commit log for more details
Goffi <goffi@goffi.org>
parents:
1506
diff
changeset
|
74 self.page_error(request, C.HTTP_BAD_REQUEST) |