YunoHost/dynette
1
0
Fork 0
mirror of https://github.com/YunoHost/dynette.git synced 2024-09-03 20:06:17 +02:00
Code Issues Projects Releases Packages Wiki Activity

Fixes after deploying in real life

Browse source
This commit is contained in:
Alexandre Aubin 2023-04-07 16:51:00 +02:00
parent e1b0bcb0b0
commit 8ce490a8e7
1 changed files with 14 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
app.py
View file

@ -8,6 +8,8 @@ import bcrypt
from flask import Flask, jsonify, request from flask import Flask, jsonify, request
from flask_limiter import Limiter from flask_limiter import Limiter
from flask_limiter.util import get_remote_address from flask_limiter.util import get_remote_address
from werkzeug.middleware.proxy_fix import ProxyFix
DOMAIN_REGEX = re.compile( DOMAIN_REGEX = re.compile(
r"^([a-z0-9]{1}([a-z0-9\-]*[a-z0-9])*)(\.[a-z0-9]{1}([a-z0-9\-]*[a-z0-9])*)*(\.[a-z]{1}([a-z0-9\-]*[a-z0-9])*)$" r"^([a-z0-9]{1}([a-z0-9\-]*[a-z0-9])*)(\.[a-z0-9]{1}([a-z0-9\-]*[a-z0-9])*)*(\.[a-z]{1}([a-z0-9\-]*[a-z0-9])*)$"
@ -15,6 +17,8 @@ DOMAIN_REGEX = re.compile(
app = Flask(__name__) app = Flask(__name__)
app.config.from_file("config.yml", load=yaml.safe_load) app.config.from_file("config.yml", load=yaml.safe_load)
# cf. https://flask-limiter.readthedocs.io/en/stable/recipes.html#deploying-an-application-behind-a-proxy
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1)
limiter = Limiter( limiter = Limiter(
get_remote_address, get_remote_address,
app=app, app=app,
@ -65,7 +69,7 @@ def availability(domain):
return error return error
if _is_available(domain): if _is_available(domain):
return f"Domain {domain} is available", 200 return f'"Domain {domain} is available"', 200
else: else:
return {"error": f"Subdomain already taken: {domain}"}, 409 return {"error": f"Subdomain already taken: {domain}"}, 409
@ -83,12 +87,11 @@ def register(key):
return {"error": "Key format is invalid"}, 400 return {"error": "Key format is invalid"}, 400
try: try:
data = request.get_json(force=True) data = dict(request.form) # get_json(force=True)
assert isinstance(data, dict)
subdomain = data.get("subdomain") subdomain = data.get("subdomain")
assert isinstance(subdomain, str) assert isinstance(subdomain, str)
except Exception: except Exception as e:
return {"error": "Invalid request"}, 400 return {"error": f"Invalid request: {str(request.form)}"}, 400
error = _validate_domain(subdomain) error = _validate_domain(subdomain)
if error: if error:
@ -117,7 +120,7 @@ def register(key):
with open(f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password", "w") as f: with open(f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password", "w") as f:
f.write(recovery_password) f.write(recovery_password)
return "OK", 201 return '"OK"', 201
@app.route("/domains/<subdomain>", methods=["DELETE"]) @app.route("/domains/<subdomain>", methods=["DELETE"])
@ -126,8 +129,7 @@ def delete_using_recovery_password_or_key(subdomain):
try: try:
assert isinstance(subdomain, str) assert isinstance(subdomain, str)
data = request.get_json(force=True) data = dict(request.data) # get_json(force=True)
assert isinstance(data, dict)
recovery_password = data.get("recovery_password") recovery_password = data.get("recovery_password")
key = data.get("key") key = data.get("key")
assert (recovery_password and isinstance(recovery_password, str)) or ( assert (recovery_password and isinstance(recovery_password, str)) or (
@ -148,21 +150,21 @@ def delete_using_recovery_password_or_key(subdomain):
if key: if key:
with open(f"{app.config['DB_FOLDER']}/{subdomain}.key") as f: with open(f"{app.config['DB_FOLDER']}/{subdomain}.key") as f:
if not hmac.compare_digest(key, f.read()): if not hmac.compare_digest(key, f.read()):
return "Access denied", 403 return '"Access denied"', 403
if recovery_password: if recovery_password:
if not os.path.exists( if not os.path.exists(
f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password" f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password"
): ):
return "Access denied", 403 return '"Access denied"', 403
with open(f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password") as f: with open(f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password") as f:
hashed = base64.b64decode(f.read()) hashed = base64.b64decode(f.read())
if not bcrypt.checkpw(recovery_password.encode(), hashed): if not bcrypt.checkpw(recovery_password.encode(), hashed):
return "Access denied", 403 return '"Access denied"', 403
if os.path.exists(f"{app.config['DB_FOLDER']}/{subdomain}.key"): if os.path.exists(f"{app.config['DB_FOLDER']}/{subdomain}.key"):
os.remove(f"{app.config['DB_FOLDER']}/{subdomain}.key") os.remove(f"{app.config['DB_FOLDER']}/{subdomain}.key")
if os.path.exists(f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password"): if os.path.exists(f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password"):
os.remove(f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password") os.remove(f"{app.config['DB_FOLDER']}/{subdomain}.recovery_password")
return "OK", 200 return '"OK"', 200