YunoHost/moulinette
1
0
Fork 0
mirror of https://github.com/YunoHost/moulinette.git synced 2024-09-03 20:06:31 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #340 from selfhoster1312/bypass-csrf-login

Browse source 
portal-api: Bypass CSRF protection for login route
This commit is contained in:
Alexandre Aubin 2024-08-20 16:27:23 +02:00 committed by GitHub
commit 0d7a143c01
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
moulinette/interfaces/api.py
View file

@ -269,13 +269,14 @@ class _ActionsMapPlugin:
name="login", name="login",
method="POST", method="POST",
callback=self.login, callback=self.login,
skip=["actionsmap"], skip=[filter_csrf, "actionsmap"],
) )
app.route( app.route(
"/logout", "/logout",
name="logout", name="logout",
method="GET", method="GET",
callback=self.logout, callback=self.logout,
# No need to bypass CSRF here because filter allows GET requests
skip=["actionsmap"], skip=["actionsmap"],
) )
@ -359,9 +360,12 @@ class _ActionsMapPlugin:
credentials = request.json["credentials"] credentials = request.json["credentials"]
profile = request.json.get("profile", self.actionsmap.default_authentication) profile = request.json.get("profile", self.actionsmap.default_authentication)
else: else:
if "credentials" not in request.params: if "credentials" in request.params:
credentials = request.params["credentials"]
elif "username" in request.params and "password" in request.params:
credentials = request.params["username"] + ":" + request.params["password"]
else:
raise HTTPResponse("Missing credentials parameter", 400) raise HTTPResponse("Missing credentials parameter", 400)
credentials = request.params["credentials"]
profile = request.params.get("profile", self.actionsmap.default_authentication) profile = request.params.get("profile", self.actionsmap.default_authentication)