paul/jon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use session to store authentication info instead of cookie

Browse Source
This commit is contained in:
Paul Brinkmeier 2023-08-20 11:29:20 +02:00
parent 031097e2e2
commit e1214eeb40
4 changed files with 27 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
jon/__init__.py
View File

@ -34,7 +34,8 @@ def create_app():
app.register_blueprint(location.bp)
app.register_blueprint(inventory.bp)
app.register_blueprint(entry.bp)
app.register_blueprint(auth.auth)
app.register_blueprint(auth.bp)
@app.route("/")
def index():
return render_template("index.html")

42
jon/auth.py
View File

@ -1,17 +1,18 @@
from flask import Blueprint, request, redirect, make_response
from . import db
import random
import string
auth = Blueprint('auth', __name__)
from flask import Blueprint, make_response, request, redirect, session
bp = Blueprint('auth', __name__, url_prefix="/auth")
ACCESS_TOKEN = ''.join(random.choice(string.ascii_lowercase) for i in range(64))
ERROR_TEXT = """
For security-reasons we must make sure you are the person who executed jon :D <br />
<form action="" method="get">
<input type="password" name="token" placeholder="Token" />
<input type="hidden" hidden name="next" value="{next}" />
<input type="submit" value="login" />
</form>
<hr />
@ -20,25 +21,20 @@ ERROR_TEXT = """
def before_request():
token = request.cookies.get('token')
if token == ACCESS_TOKEN:
pass
else:
token = request.args.get('token')
next: str = request.args.get('next') or "/"
if token is None:
# TODO: make template
return ERROR_TEXT.format(next=next) + "No token provided!"
if token != ACCESS_TOKEN:
return ERROR_TEXT.format(next=next) + "Invalid token!"
else:
resp = make_response(redirect(next))
resp.set_cookie('token', token)
return resp
"""
If the correct token query parameter is passed along with any request,
we mark this session authenticated by setting `session["authenticated"]`.
"""
if "token" in request.args:
if request.args["token"] == ACCESS_TOKEN:
session["authenticated"] = ()
return redirect(request.path)
if not "authenticated" in session:
return ERROR_TEXT, 403
@auth.route('/logout')
@bp.get("/logout")
def logout():
resp = make_response(redirect("/"))
resp.set_cookie('token', "")
return resp
session.pop("authenticated", None)
return redirect("/")

10
jon/templates/base.html
View File

@ -76,10 +76,10 @@
<h1>jon</h1>
<nav>
<ul>
<li {{ "class=current-page" if request.path == "/" else "" }}><a href="/">Home</a></li>
<li {{ "class=current-page" if request.path.startswith("/inventory") else "" }}><a href="/inventory">Inventar</a></li>
<li {{ "class=current-page" if request.path.startswith("/entry") else "" }}><a href="/entry">Eintragen</a></li>
<li {{ "class=current-page" if request.path.startswith("/location") else "" }}>
<li{{ " class=current-page" if request.path == "/" else "" }}><a href="/">Home</a></li>
<li{{ " class=current-page" if request.path.startswith("/inventory") else "" }}><a href="/inventory">Inventar</a></li>
<li{{ " class=current-page" if request.path.startswith("/entry") else "" }}><a href="/entry">Eintragen</a></li>
<li{{ " class=current-page" if request.path.startswith("/location") else "" }}>
<a href="/location">
{% if "location" not in session %}
Raum wählen
@ -88,7 +88,7 @@
{% endif %}
</a>
</li>
<li {{ "class=current-page" if request.path.startswith("/logout") else "" }}><a href="/logout">Logout</a></li>
<li{{ " class=current-page" if request.path.startswith("/auth/logout") else "" }}><a href="/auth/logout">Logout</a></li>
</ul>
</nav>

2
jon/templates/location/index.html
View File

@ -1,7 +1,7 @@
{% extends "base.html" %}
{% block content %}
<form method="POST" action=".">
<form method="POST">
<select name="location_id">
<option value="" {{ "selected" if "location" not in session else ""}}>-</option>
{% for location in locations %}