Mercurial > libervia-web

view libervia/web/pages/register/page_meta.py @ 1598:86c7a3a625d5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
server: always start a new session on connection: The session was kept when a user was connecting from service profile (but not from other profiles), this was leading to session fixation vulnerability (an attacker on the same machine could get service profile session cookie, and use it when a victim would log-in). This patch fixes it by always starting a new session on connection. fix 443
author Goffi <goffi@goffi.org>
date Fri, 23 Feb 2024 13:35:24 +0100
parents 291a7026cb2b
children
line wrap: on
line source

#!/usr/bin/env python3


from libervia.backend.core import exceptions
from libervia.backend.tools.common import data_format
from libervia.frontends.bridge.bridge_frontend import BridgeException
from libervia.web.server.constants import Const as C
from libervia.web.server import session_iface
from libervia.backend.core.log import getLogger

log = getLogger(__name__)

"""Libervia account registration page"""

name = "register"
access = C.PAGES_ACCESS_PUBLIC
template = "login/register.html"


def parse_url(self, request):
    self.get_path_args(
        request,
        ("registration_id",),
    )


async def prepare_render(self, request):
    if not self.host.options["allow_registration"]:
        try:
            await self.host.check_registration_id(request)
        except exceptions.NotFound:
            self.page_error(request, C.HTTP_FORBIDDEN)
    profile = self.get_profile(request)
    if profile is not None:
        self.page_redirect("/login/logged", request)
    template_data = request.template_data
    template_data["login_url"] = self.get_page_by_name("login").url
    template_data["S_C"] = C  # we need server constants in template

    # login error message
    session_data = self.host.get_session_data(request, session_iface.IWebSession)
    login_error = session_data.pop_page_data(self, "login_error")
    if login_error is not None:
        template_data["login_error"] = login_error

    #  if fields were already filled, we reuse them
    for k in ("login", "email", "password"):
        template_data[k] = session_data.pop_page_data(self, k)


async def on_data_post(self, request):
    type_ = self.get_posted_data(request, "type")
    if type_ == "register":
        login, email, password = self.get_posted_data(
            request, ("login", "email", "password")
        )
        status = await self.host.register_new_account(request, login, password, email)
        session_data = self.host.get_session_data(request, session_iface.IWebSession)
        if status == C.REGISTRATION_SUCCEED:
            # we prefill login field for login page
            session_data.set_page_data(self.get_page_by_name("login"), "login", login)
            # if we have a redirect_url we follow it
            self.redirect_or_continue(request)
            # else we redirect to login page
            self.http_redirect(request, self.get_page_by_name("login").url)
        else:
            session_data.set_page_data(self, "login_error", status)
            l = locals()
            for k in ("login", "email", "password"):
                # we save fields so user doesn't have to enter them again
                session_data.set_page_data(self, k, l[k])
            return C.POST_NO_CONFIRM
    else:
        self.page_error(request, C.HTTP_BAD_REQUEST)