Bypass CSRF protection for the /yunohost/portalapi/login route

Allowing login from simple HTML form
2024-09-03 20:06:31 +02:00 · 2023-08-14 15:44:28 +02:00 · 2023-08-14 15:44:28 +02:00 · 2cc4dfc057
commit 2cc4dfc057
parent a6c7e55d1d
1 changed files with 6 additions and 3 deletions
--- a/moulinette/interfaces/api.py
+++ b/moulinette/interfaces/api.py
@ -272,7 +272,7 @@ class _ActionsMapPlugin:
            name="login",
            method="POST",
            callback=self.login,
-            skip=["actionsmap"],
+            skip=[filter_csrf, "actionsmap"],
        )
        app.route(
            "/logout",
@ -362,9 +362,12 @@ class _ActionsMapPlugin:
            credentials = request.json["credentials"]
            profile = request.json.get("profile", self.actionsmap.default_authentication)
        else:
-            if "credentials" not in request.params:
+            if "credentials" in request.params:
+                credentials = request.params["credentials"]
+            else:
+                if "username" in request.params and "password" in request.params:
+                    credentials = request.params["username"] + ":" + request.params["password"]
                raise HTTPResponse("Missing credentials parameter", 400)
-            credentials = request.params["credentials"]

            profile = request.params.get("profile", self.actionsmap.default_authentication)