support hypercorn server_names against dns rebind attacks, add cookie sessions to flash messages

src/capport/api/__init__.py

@@ -131,7 +131,8 @@ async def _run_hub(*, task_status=trio.TASK_STATUS_IGNORED) -> None:
 @app.before_serving
 async def init():
     global config
-    config = Config.load()
+    config = Config.load_default_once()
+    app.secret_key = config.cookie_secret
     capport.utils.cli.init_logger(config)
     await app.nursery.start(_run_hub)
 
@@ -152,6 +153,7 @@ async def login():
     address = get_client_ip()
     mac = await get_client_mac(address)
     await user_login(address, mac)
+    await quart.flash('Logged in')
     return quart.redirect('/', code=303)
 
 
@@ -159,6 +161,7 @@ async def login():
 async def logout():
     mac = await get_client_mac()
     await user_logout(mac)
+    await quart.flash('Logged out')
     return quart.redirect('/', code=303)
 
 

src/capport/api/hypercorn_conf.py

@@ -0,0 +1,12 @@
+from __future__ import annotations
+
+import capport.config
+
+_config = capport.config.Config.load_default_once()
+
+worker_class = 'trio'
+
+if _config.server_names:
+    server_names = _config.server_names
+elif not _config.debug:
+    raise Exception("production setup requires server-names in config (list of accepted hostnames in http requests)")

src/capport/api/templates/base.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8" />
+        <title>{% block title %}Captive Portal Universität Stuttgart{% endblock %}</title>
+        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    </head>
+    <body>
+        {% block content %}{% endblock %}
+        {% for message in get_flashed_messages() %}
+        <div class="flash">{{ message }}</div>
+        {% endfor %}
+    </body>
+</html>

src/capport/api/templates/index.html

@@ -1,22 +1,16 @@
-<!DOCTYPE html>
-<html>
-    <head>
-        <meta charset="utf-8" />
-        <title>Captive Portal Universität Stuttgart</title>
-        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    </head>
-    <body>
-        {% if not state.mac %}
-        It seems you're accessing this site from outside the network this captive portal is running for.
-        {% elif state.captive %}
-        To get access to the internet please accept our usage guidelines by clicking this button:
-        <form method="POST" action="/login"><button type="submit">Accept</button></form>
-        {% else %}
-        You already accepted out conditions and are currently granted access to the internet:
-        <form method="POST" action="/login"><button type="submit">Renew session</button></form>
-        <form method="POST" action="/logout"><button type="submit">Close session</button></form>
-        <br>
-        Your current session will last for {{ state.allowed_remaining }} seconds.
-        {% endif %}
-    </body>
-</html>
+{% extends "base.html" %}
+{% block content %}
+    {% if not state.mac %}
+    <p>It seems you're accessing this site from outside the network this captive portal is running for.</p>
+    <p>Your clients IP address is {{ state.address }}</p>
+    {% elif state.captive %}
+    To get access to the internet please accept our usage guidelines by clicking this button:
+    <form method="POST" action="/login"><button type="submit">Accept</button></form>
+    {% else %}
+    You already accepted out conditions and are currently granted access to the internet:
+    <form method="POST" action="/login"><button type="submit">Renew session</button></form>
+    <form method="POST" action="/logout"><button type="submit">Close session</button></form>
+    <br>
+    Your current session will last for {{ state.allowed_remaining }} seconds.
+    {% endif %}
+{% endblock %}