paul/jon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use session to store authentication info instead of cookie

Browse Source
This commit is contained in:
Paul Brinkmeier 2023-08-20 11:29:20 +02:00
parent a6ce11b10b
commit 9a6e439cda
4 changed files with 27 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
jon/__init__.py
View File

@ -34,7 +34,8 @@ def create_app():
app.register_blueprint(location.bp) app.register_blueprint(location.bp)
app.register_blueprint(inventory.bp) app.register_blueprint(inventory.bp)
app.register_blueprint(entry.bp) app.register_blueprint(entry.bp)
app.register_blueprint(auth.auth) app.register_blueprint(auth.bp)
@app.route("/") @app.route("/")
def index(): def index():
return render_template("index.html") return render_template("index.html")

42
jon/auth.py
View File

@ -1,17 +1,18 @@
from flask import Blueprint, request, redirect, make_response
from . import db
import random import random
import string import string
auth = Blueprint('auth', __name__) from flask import Blueprint, make_response, request, redirect, session
bp = Blueprint('auth', __name__, url_prefix="/auth")
ACCESS_TOKEN = ''.join(random.choice(string.ascii_lowercase) for i in range(64)) ACCESS_TOKEN = ''.join(random.choice(string.ascii_lowercase) for i in range(64))
ERROR_TEXT = """ ERROR_TEXT = """
For security-reasons we must make sure you are the person who executed jon :D <br /> For security-reasons we must make sure you are the person who executed jon :D <br />
<form action="" method="get"> <form action="" method="get">
<input type="password" name="token" placeholder="Token" /> <input type="password" name="token" placeholder="Token" />
<input type="hidden" hidden name="next" value="{next}" />
<input type="submit" value="login" /> <input type="submit" value="login" />
</form> </form>
<hr /> <hr />
@ -20,25 +21,20 @@ ERROR_TEXT = """
def before_request(): def before_request():
token = request.cookies.get('token') """
if token == ACCESS_TOKEN: If the correct token query parameter is passed along with any request,
pass we mark this session authenticated by setting `session["authenticated"]`.
else: """
token = request.args.get('token') if "token" in request.args:
next: str = request.args.get('next') or "/" if request.args["token"] == ACCESS_TOKEN:
if token is None: session["authenticated"] = ()
# TODO: make template return redirect(request.path)
return ERROR_TEXT.format(next=next) + "No token provided!"
if token != ACCESS_TOKEN: if not "authenticated" in session:
return ERROR_TEXT.format(next=next) + "Invalid token!" return ERROR_TEXT, 403
else:
resp = make_response(redirect(next))
resp.set_cookie('token', token)
return resp
@auth.route('/logout') @bp.get("/logout")
def logout(): def logout():
resp = make_response(redirect("/")) session.pop("authenticated", None)
resp.set_cookie('token', "") return redirect("/")
return resp

2
jon/templates/base.html
View File

@ -88,7 +88,7 @@
{% endif %} {% endif %}
</a> </a>
</li> </li>
<li {{ "class=current-page" if request.path.startswith("/logout") else "" }}><a href="/logout">Logout</a></li> <li{{ " class=current-page" if request.path.startswith("/auth/logout") else "" }}><a href="/auth/logout">Logout</a></li>
</ul> </ul>
</nav> </nav>

2
jon/templates/location/index.html
View File

@ -1,7 +1,7 @@
{% extends "base.html" %} {% extends "base.html" %}
{% block content %} {% block content %}
<form method="POST" action="."> <form method="POST">
<select name="location_id"> <select name="location_id">
<option value="" {{ "selected" if "location" not in session else ""}}>-</option> <option value="" {{ "selected" if "location" not in session else ""}}>-</option>
{% for location in locations %} {% for location in locations %}