Bypass CSRF protection for the /yunohost/portalapi/login route

Allowing login from simple HTML form Also allow to pass username/password as two params instead of a combined "credentials"
2024-09-03 20:06:31 +02:00 · 2023-08-14 15:44:28 +02:00 · 2023-08-14 15:44:28 +02:00 · 7daa50459a
commit 7daa50459a
parent a6c7e55d1d
1 changed files with 7 additions and 3 deletions
--- a/moulinette/interfaces/api.py
+++ b/moulinette/interfaces/api.py
@ -272,13 +272,14 @@ class _ActionsMapPlugin:
            name="login",
            method="POST",
            callback=self.login,
-            skip=["actionsmap"],
+            skip=[filter_csrf, "actionsmap"],
        )
        app.route(
            "/logout",
            name="logout",
            method="GET",
            callback=self.logout,
+            # No need to bypass CSRF here because filter allows GET requests
            skip=["actionsmap"],
        )

@ -362,9 +363,12 @@ class _ActionsMapPlugin:
            credentials = request.json["credentials"]
            profile = request.json.get("profile", self.actionsmap.default_authentication)
        else:
-            if "credentials" not in request.params:
-                raise HTTPResponse("Missing credentials parameter", 400)
+            if "credentials" in request.params:
                credentials = request.params["credentials"]
+            elif "username" in request.params and "password" in request.params:
+                credentials = request.params["username"] + ":" + request.params["password"]
+            else:
+                raise HTTPResponse("Missing credentials parameter", 400)

            profile = request.params.get("profile", self.actionsmap.default_authentication)