Bypass CSRF protection for the /yunohost/portalapi/login route

Allowing login from simple HTML form
Also allow to pass username/password as two params instead of a combined "credentials"
This commit is contained in:
selfhoster1312 2023-08-14 15:44:28 +02:00
parent a6c7e55d1d
commit 7daa50459a

View file

@ -272,13 +272,14 @@ class _ActionsMapPlugin:
name="login", name="login",
method="POST", method="POST",
callback=self.login, callback=self.login,
skip=["actionsmap"], skip=[filter_csrf, "actionsmap"],
) )
app.route( app.route(
"/logout", "/logout",
name="logout", name="logout",
method="GET", method="GET",
callback=self.logout, callback=self.logout,
# No need to bypass CSRF here because filter allows GET requests
skip=["actionsmap"], skip=["actionsmap"],
) )
@ -362,9 +363,12 @@ class _ActionsMapPlugin:
credentials = request.json["credentials"] credentials = request.json["credentials"]
profile = request.json.get("profile", self.actionsmap.default_authentication) profile = request.json.get("profile", self.actionsmap.default_authentication)
else: else:
if "credentials" not in request.params: if "credentials" in request.params:
credentials = request.params["credentials"]
elif "username" in request.params and "password" in request.params:
credentials = request.params["username"] + ":" + request.params["password"]
else:
raise HTTPResponse("Missing credentials parameter", 400) raise HTTPResponse("Missing credentials parameter", 400)
credentials = request.params["credentials"]
profile = request.params.get("profile", self.actionsmap.default_authentication) profile = request.params.get("profile", self.actionsmap.default_authentication)