2
0

login/logout only valid from some origin as host (and host is already checked by hypercorn)

This commit is contained in:
Stefan Bühler 2022-04-08 17:39:58 +02:00
parent 156e11a882
commit 2a778ff46c
3 changed files with 22 additions and 3 deletions

View File

@ -21,8 +21,8 @@ packages = find:
python_requires = >=3.9 python_requires = >=3.9
install_requires = install_requires =
trio trio
quart-trio
quart quart
quart-trio
hypercorn[trio] hypercorn[trio]
PyYAML PyYAML
protobuf protobuf

View File

@ -1,9 +1,9 @@
from __future__ import annotations
from .app_cls import MyQuartApp from .app_cls import MyQuartApp
app = MyQuartApp(__name__) app = MyQuartApp(__name__)
__import__('capport.api.setup') __import__('capport.api.setup')
__import__('capport.api.lang') __import__('capport.api.lang')
__import__('capport.api.views') __import__('capport.api.views')

View File

@ -96,6 +96,23 @@ async def user_lookup() -> cptypes.MacPublicState:
# return app.my_hub.database.as_json() # return app.my_hub.database.as_json()
def check_self_origin():
origin = quart.request.headers.get('Origin', None)
if origin is None:
# not a request by a modern browser - probably curl or something similar. don't care.
return
origin_parts = origin.split('/')
# Origin should look like: protocol://hostname (possibly a /path suffix?)
if len(origin_parts) < 3:
quart.abort(400, 'Broken Origin header')
origin_host = origin_parts[2].lower()
host = quart.request.headers.get('Host', None)
if host is None:
quart.abort(400, 'Missing Host header')
if host.lower() != origin_host:
quart.abort(400, 'Origin mismatch')
@app.route('/', methods=['GET']) @app.route('/', methods=['GET'])
async def index(missing_accept: bool=False): async def index(missing_accept: bool=False):
state = await user_lookup() state = await user_lookup()
@ -109,6 +126,7 @@ async def index(missing_accept: bool=False):
@app.route('/login', methods=['POST']) @app.route('/login', methods=['POST'])
async def login(): async def login():
check_self_origin()
with trio.fail_after(5.0): with trio.fail_after(5.0):
form = await quart.request.form form = await quart.request.form
if form.get('accept') != '1': if form.get('accept') != '1':
@ -126,6 +144,7 @@ async def login():
@app.route('/logout', methods=['POST']) @app.route('/logout', methods=['POST'])
async def logout(): async def logout():
check_self_origin()
with trio.fail_after(5.0): with trio.fail_after(5.0):
form = await quart.request.form form = await quart.request.form
req_mac = form.get('mac') req_mac = form.get('mac')