From 0e2ecab78f6f6b979d67a3b27efdbb51f52a797b Mon Sep 17 00:00:00 2001
From: Thomas Sileo <t@a4.io>
Date: Mon, 8 Apr 2019 18:01:02 +0200
Subject: [PATCH] Fix login

---
 app.py | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/app.py b/app.py
index 2cbbe7c..5235402 100644
--- a/app.py
+++ b/app.py
@@ -597,8 +597,18 @@ def admin_login():
     u2f_enabled = True if devices else False
     if request.method == "POST":
         csrf.protect()
+        # 1. Check regular password login flow
         pwd = request.form.get("pass")
-        if devices:
+        if pwd:
+            if verify_pass(pwd):
+                session["logged_in"] = True
+                return redirect(
+                    request.args.get("redirect") or url_for("admin_notifications")
+                )
+            else:
+                abort(403)
+        # 2. Check for U2F payload, if any
+        elif devices:
             resp = json.loads(request.form.get("resp"))
             try:
                 u2f.complete_authentication(session["challenge"], resp)
@@ -613,13 +623,6 @@ def admin_login():
             return redirect(
                 request.args.get("redirect") or url_for("admin_notifications")
             )
-        elif pwd and verify_pass(pwd):
-            session["logged_in"] = True
-            return redirect(
-                request.args.get("redirect") or url_for("admin_notifications")
-            )
-        elif pwd:
-            abort(403)
         else:
             abort(401)