Mercurial > libervia-web
view libervia/pages/login/page_meta.py @ 1227:15f90fd688b5
pages (login): catch ProfileUnknownError and show a C.PROFILE_AUTH_ERROR:
ProfileUnknownError was not caught, resulting in an internal error when an invalid
profile was entered. This patch fixes it by displaying a PROFILE_AUTH_ERROR, the same one
as for an invalid password.
author | Goffi <goffi@goffi.org> |
---|---|
date | Fri, 08 Nov 2019 17:07:02 +0100 |
parents | b2d067339de3 |
children | f511f8fbbf8a |
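#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from sat.core.i18n import _
from sat.core import exceptions
from libervia.server.constants import Const as C
from libervia.server import session_iface
from twisted.internet import defer
from sat.core.log import getLogger

log = getLogger(__name__)

# this string follows code, so it is a plain expression and not the module docstring
"""SàT log-in page, with link to create an account"""

name = "login"
# the login form has to be reachable without an authenticated profile
access = C.PAGES_ACCESS_PUBLIC
template = "login/login.html"


def prepare_render(self, request):
    """fill template data used to render the login form

    The "login_error" and "login" page data are popped from the session (popPageData
    presumably removes them once read, confirm in session handling).
    @param request: HTTP request being rendered
    """
    template_data = request.template_data

    # we redirect to logged page if a session is active
    # NOTE(review): presumably pageRedirect interrupts the rendering, confirm
    profile = self.getProfile(request)
    if profile is not None:
        self.pageRedirect("/login/logged", request)

    # login error message
    session_data = self.host.getSessionData(request, session_iface.ISATSession)
    error_const = session_data.popPageData(self, "login_error")
    if error_const is not None:
        template_data["S_C"] = C  # we need server constants in template
        template_data["login_error"] = error_const
    # only a boolean reaches the template: the content of the option (whose name
    # flags it as dangerous) is not passed to the page
    template_data["empty_password_allowed"] = bool(
        self.host.options["empty_password_allowed_warning_dangerous_list"]
    )

    # register page url
    template_data["register_url"] = self.getPageRedirectURL(request, "register")

    # if login is set, we put it in template to prefill field
    # NOTE(review): this value is presumably the login typed by the user, the template
    # must escape it; confirm autoescaping is enabled for login/login.html
    template_data["login"] = session_data.popPageData(self, "login")


def login_error(self, request, error_const):
    """set login_error in page data

    @param request: HTTP request, used to retrieve the session data
    @param error_const(unicode): one of login error constant
    @return C.POST_NO_CONFIRM: avoid confirm message
    """
    session_data = self.host.getSessionData(request, session_iface.ISATSession)
    session_data.setPageData(self, "login_error", error_const)
    return C.POST_NO_CONFIRM


@defer.inlineCallbacks
def on_data_post(self, request):
    """handle data posted to the login page

    The posted "type" selects the action:
        - "disconnect": purge the session of the logged profile
        - "login": try to connect with the posted login and password
    Any other value is answered with C.HTTP_BAD_REQUEST.
    @param request: HTTP request holding the posted data
    @return (Deferred): fires with C.POST_NO_CONFIRM on disconnection and on
        handled login failures
    """
    profile = self.getProfile(request)
    type_ = self.getPostedData(request, "type")
    if type_ == "disconnect":
        if profile is None:
            log.warning(_("Disconnect called when no profile is logged"))
            self.pageError(request, C.HTTP_BAD_REQUEST)
        else:
            self.host.purgeSession(request)
            defer.returnValue(C.POST_NO_CONFIRM)
    elif type_ == "login":
        login, password = self.getPostedData(request, ("login", "password"))
        try:
            status = yield self.host.connect(request, login, password)
        except exceptions.ProfileUnknownError:
            # the profile doesn't exist, we return the same error as for invalid password
            # to avoid bruteforcing valid profiles
            # {login!r} keeps control characters of the posted value escaped in the log
            # line; the value may be a mistyped secret, so this log is sensitive.
            # NOTE(review): the shared error constant only hides profile existence in
            # the response content; response timing and throttling of attempts are not
            # handled in this file, confirm they are covered by host.connect or by the
            # HTTP front end
            log.warning(f"login tentative with invalid profile: {login!r}")
            defer.returnValue(login_error(self, request, C.PROFILE_AUTH_ERROR))
        except ValueError as e:
            # Python 3 exceptions have no "message" attribute: reading it
            # unconditionally raised AttributeError and turned an authentication
            # failure into an internal error, so we fall back on the exception text
            message = getattr(e, "message", None)
            if message is None:
                message = str(e)
            if message in (C.XMPP_AUTH_ERROR, C.PROFILE_AUTH_ERROR):
                defer.returnValue(login_error(self, request, message))
            else:
                # this error was not expected!
                raise
        except exceptions.TimeOutError:
            defer.returnValue(login_error(self, request, C.NO_REPLY))
        else:
            if status in (C.PROFILE_LOGGED, C.PROFILE_LOGGED_EXT_JID, C.SESSION_ACTIVE):
                # Profile has been logged correctly
                self.redirectOrContinue(request)
            else:
                # NOTE(review): nothing is returned for an unexpected status, confirm
                # that the default POST handling cannot be read as a successful login
                # the message is formatted after translation, otherwise the lookup is
                # done on the already formatted text and can never match
                log.error(_("Unhandled status: {status}").format(status=status))
    else:
        self.pageError(request, C.HTTP_BAD_REQUEST)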