- Improved CSRF handling

- Wordpress plugin for Evie Chat
This commit is contained in:
Josako
2024-08-13 14:31:29 +02:00
parent ab38dd7540
commit a237db339a
14 changed files with 944 additions and 23 deletions


@@ -1,5 +1,6 @@
from flask import request, render_template, Blueprint, session, current_app, jsonify
from flask_security import roles_required, roles_accepted
from flask_wtf.csrf import generate_csrf
from .basic_forms import SessionDefaultsForm
@@ -59,3 +60,14 @@ def set_user_timezone():
def health():
return jsonify({'status': 'ok'}), 200
@basic_bp.route('/check_csrf', methods=['GET'])
def check_csrf():
csrf_token = generate_csrf()
return jsonify({
'csrf_token_in_session': session.get('csrf_token'),
'generated_csrf_token': csrf_token,
'session_id': session.sid if hasattr(session, 'sid') else None,
'session_data': dict(session)
})
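Review bot: The new `/check_csrf` route answers any GET with `dict(session)`, the session id and a freshly generated CSRF token, and no access control decorator is visible on it even though `roles_required` is imported on line 15; as written it discloses the full server-side session to whoever can reach the URL, and handing out a live CSRF token over an unauthenticated endpoint weakens the protection the commit is meant to improve. If the endpoint is a debugging aid it should not ship, or at minimum be gated, e.g. `@roles_required('Super User')` above `def check_csrf():` and `'session_data': sorted(session.keys())` instead of the full dict so only key names are exposed. The rest of the blueprint is outside this hunk, so I cannot tell whether a blueprint-level `before_request` already restricts it; that should be confirmed before merging.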


@@ -3,6 +3,7 @@ from flask import Blueprint, render_template, redirect, request, flash, current_
from flask_security import current_user, login_required, login_user, logout_user
from flask_security.utils import verify_and_update_password, get_message, do_flash, config_value, hash_password
from flask_security.forms import LoginForm
from flask_wtf.csrf import CSRFError, generate_csrf
from urllib.parse import urlparse
from datetime import datetime as dt, timezone as tz
@@ -45,27 +46,41 @@ def login():
form = LoginForm()
if form.validate_on_submit():
current_app.logger.debug(f'Validating login form: {form.email.data}')
user = User.query.filter_by(email=form.email.data).first()
if user is None or not verify_and_update_password(form.password.data, user):
flash('Invalid username or password', 'danger')
if request.method == 'POST':
current_app.logger.debug(f"Starting login procedure for {form.email.data}")
try:
if form.validate_on_submit():
user = User.query.filter_by(email=form.email.data).first()
if user is None or not verify_and_update_password(form.password.data, user):
flash('Invalid username or password', 'danger')
current_app.logger.debug(f'Failed to login user')
return redirect(prefixed_url_for('security_bp.login'))
if login_user(user):
current_app.logger.info(f'Login successful! Current User is {current_user.email}')
db.session.commit()
if current_user.has_roles('Super User'):
return redirect(prefixed_url_for('user_bp.select_tenant'))
else:
return redirect(prefixed_url_for('user_bp.tenant_overview'))
else:
flash('Invalid username or password', 'danger')
current_app.logger.debug(f'Failed to login user {user.email}')
abort(401)
else:
current_app.logger.debug(f'Invalid login form: {form.errors}')
except CSRFError:
current_app.logger.warning('CSRF token mismatch during login attempt')
flash('Your session has expired. Please try logging in again.', 'danger')
return redirect(prefixed_url_for('security_bp.login'))
if login_user(user):
current_app.logger.info(f'Login successful! Current User is {current_user.email}')
db.session.commit()
if current_user.has_roles('Super User'):
return redirect(prefixed_url_for('user_bp.select_tenant'))
else:
return redirect(prefixed_url_for('user_bp.tenant_overview'))
else:
flash('Invalid username or password', 'danger')
current_app.logger.debug(f'Failed to login user {user.email}')
abort(401)
else:
current_app.logger.debug(f'Invalid login form: {form.errors}')
if request.method == 'GET':
csrf_token = generate_csrf()
current_app.logger.debug(f'Generated new CSRF token: {csrf_token}')
# current_app.logger.debug(f"Login route completed - Session ID: {session.sid}")
current_app.logger.debug(f"Login route completed - Session data: {session}")
return render_template('security/login_user.html', login_user_form=form)
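Review bot: The two debug lines added near the end of `login()` write the freshly generated CSRF token (`Generated new CSRF token: {csrf_token}`) and the whole session mapping (`Login route completed - Session data: {session}`) to the application log, which turns the log into a place where anti-forgery tokens and session contents can be recovered; both should be reduced to non-sensitive facts, e.g. `current_app.logger.debug('Generated new CSRF token for login form')` and `current_app.logger.debug('Login route completed - session keys: %s', list(session.keys()))`. Separately, the `except CSRFError` around `form.validate_on_submit()` is probably unreachable: with Flask-WTF a CSRF failure inside form validation surfaces as a form error (visible via `form.errors`, which the `else` branch already logs), while `CSRFProtect` raises `CSRFError` in `before_request` before this view runs — worth confirming against the app's CSRF setup, and if so the handler can be dropped or moved to an app-level error handler. The f-string on the line `current_app.logger.debug(f'Failed to login user')` has no placeholders and can be a plain string. The `def login()` signature is outside this hunk.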