mirror of
https://github.com/YunoHost/moulinette.git
synced 2024-09-03 20:06:31 +02:00
Bypass CSRF protection for the /yunohost/portalapi/login route
Allow login from a simple HTML form. Also allow passing username/password as two params instead of a combined "credentials".
parent
a6c7e55d1d
commit
7daa50459a
1 changed files with 7 additions and 3 deletions
|
@ -272,13 +272,14 @@ class _ActionsMapPlugin:
|
||||||
name="login",
|
name="login",
|
||||||
method="POST",
|
method="POST",
|
||||||
callback=self.login,
|
callback=self.login,
|
||||||
skip=["actionsmap"],
|
skip=[filter_csrf, "actionsmap"],
|
||||||
)
|
)
|
||||||
app.route(
|
app.route(
|
||||||
"/logout",
|
"/logout",
|
||||||
name="logout",
|
name="logout",
|
||||||
method="GET",
|
method="GET",
|
||||||
callback=self.logout,
|
callback=self.logout,
|
||||||
|
# No need to bypass CSRF here because filter allows GET requests
|
||||||
skip=["actionsmap"],
|
skip=["actionsmap"],
|
||||||
)
|
)
|
||||||
|
|
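Review bot: Adding `filter_csrf` to `skip=` on the `login` route removes the only cross-site check visible here from the endpoint that creates a session, and nothing in the hunk replaces it or records why that is acceptable. Without the filter, a third-party page can submit a form to this route from a visitor's browser, so a session can be set up for an account the visitor did not choose (login CSRF). The route is registered inside `_ActionsMapPlugin`, so if that plugin backs APIs other than the portal named in the commit title, the bypass presumably applies to them too; the `app.route(` call starts above the hunk, so the path is not visible. I would either limit the skip to the portal case or keep a same-origin check inside `login`, and at minimum add a comment next to the skip such as `# CSRF filter skipped so a plain HTML form can POST; same-origin is enforced by <mechanism>`.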
||||||
|
@ -362,9 +363,12 @@ class _ActionsMapPlugin:
|
||||||
credentials = request.json["credentials"]
|
credentials = request.json["credentials"]
|
||||||
profile = request.json.get("profile", self.actionsmap.default_authentication)
|
profile = request.json.get("profile", self.actionsmap.default_authentication)
|
||||||
else:
|
else:
|
||||||
if "credentials" not in request.params:
|
if "credentials" in request.params:
|
||||||
|
credentials = request.params["credentials"]
|
||||||
|
elif "username" in request.params and "password" in request.params:
|
||||||
|
credentials = request.params["username"] + ":" + request.params["password"]
|
||||||
|
else:
|
||||||
raise HTTPResponse("Missing credentials parameter", 400)
|
raise HTTPResponse("Missing credentials parameter", 400)
|
||||||
credentials = request.params["credentials"]
|
|
||||||
|
|
||||||
profile = request.params.get("profile", self.actionsmap.default_authentication)
|
profile = request.params.get("profile", self.actionsmap.default_authentication)
|
||||||
|
|
||||||
|
|
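Review bot: The new `username`/`password` branch joins the two fields with `":"`, so a username that itself contains a colon yields a string whose split point is ambiguous. If the authenticator splits on the first colon (not visible here), username `a:b` with password `c` would be checked as user `a` with password `b:c`. Rejecting that input before concatenating keeps the two request forms equivalent: `if ":" in request.params["username"]: raise HTTPResponse("Invalid username", 400)`. The final `else` still reports "Missing credentials parameter" although `username` and `password` are now accepted, so the message could name all three. The enclosing method starts and ends outside the hunk.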