- Improved CSRF handling

- Wordpress plugin for Evie Chat
2024-08-13 14:31:29 +02:00
parent ab38dd7540
commit a237db339a
14 changed files with 944 additions and 23 deletions
--- a/eveai_app/views/security_views.py
+++ b/eveai_app/views/security_views.py
@@ -3,6 +3,7 @@ from flask import Blueprint, render_template, redirect, request, flash, current_
 from flask_security import current_user, login_required, login_user, logout_user
 from flask_security.utils import verify_and_update_password, get_message, do_flash, config_value, hash_password
 from flask_security.forms import LoginForm
+from flask_wtf.csrf import CSRFError, generate_csrf
 from urllib.parse import urlparse
 from datetime import datetime as dt, timezone as tz

@@ -45,27 +46,41 @@ def login():

    form = LoginForm()

-    if form.validate_on_submit():
-        current_app.logger.debug(f'Validating login form: {form.email.data}')
-        user = User.query.filter_by(email=form.email.data).first()
-        if user is None or not verify_and_update_password(form.password.data, user):
-            flash('Invalid username or password', 'danger')
+    if request.method == 'POST':
+        current_app.logger.debug(f"Starting login procedure for {form.email.data}")
+        try:
+            if form.validate_on_submit():
+                user = User.query.filter_by(email=form.email.data).first()
+                if user is None or not verify_and_update_password(form.password.data, user):
+                    flash('Invalid username or password', 'danger')
+                    current_app.logger.debug(f'Failed to login user')
+                    return redirect(prefixed_url_for('security_bp.login'))
+
+                if login_user(user):
+                    current_app.logger.info(f'Login successful! Current User is {current_user.email}')
+                    db.session.commit()
+                    if current_user.has_roles('Super User'):
+                        return redirect(prefixed_url_for('user_bp.select_tenant'))
+                    else:
+                        return redirect(prefixed_url_for('user_bp.tenant_overview'))
+                else:
+                    flash('Invalid username or password', 'danger')
+                    current_app.logger.debug(f'Failed to login user {user.email}')
+                    abort(401)
+            else:
+                current_app.logger.debug(f'Invalid login form: {form.errors}')
+
+        except CSRFError:
+            current_app.logger.warning('CSRF token mismatch during login attempt')
+            flash('Your session has expired. Please try logging in again.', 'danger')
            return redirect(prefixed_url_for('security_bp.login'))

-        if login_user(user):
-            current_app.logger.info(f'Login successful! Current User is {current_user.email}')
-            db.session.commit()
-            if current_user.has_roles('Super User'):
-                return redirect(prefixed_url_for('user_bp.select_tenant'))
-            else:
-                return redirect(prefixed_url_for('user_bp.tenant_overview'))
-        else:
-            flash('Invalid username or password', 'danger')
-            current_app.logger.debug(f'Failed to login user {user.email}')
-            abort(401)
-    else:
-        current_app.logger.debug(f'Invalid login form: {form.errors}')
+    if request.method == 'GET':
+        csrf_token = generate_csrf()
+        current_app.logger.debug(f'Generated new CSRF token: {csrf_token}')

+    # current_app.logger.debug(f"Login route completed - Session ID: {session.sid}")
+    current_app.logger.debug(f"Login route completed - Session data: {session}")
    return render_template('security/login_user.html', login_user_form=form)