From b99552384c4cd67e1e888c220d9f6baf55a5d051 Mon Sep 17 00:00:00 2001
From: Thomas Sileo
Date: Fri, 16 Sep 2022 18:14:50 +0200
Subject: [PATCH] Improve expired session and CSRF error handling
---
 app/admin.py | 13 +++++++++++--
 app/config.py | 13 +++++++++++--
 app/scss/main.scss | 6 ++++++
 app/templates/error.html | 4 ++--
 docs/user_guide.md | 4 ++--
 5 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/app/admin.py b/app/admin.py
index 621a8ac..c6014b6 100644
--- a/app/admin.py
+++ b/app/admin.py
@@ -40,13 +40,22 @@ from app.utils import pagination
 from app.utils.emoji import EMOJIS_BY_NAME
-def user_session_or_redirect(
+async def user_session_or_redirect(
     request: Request,
     session: str | None = Cookie(default=None),
 ) -> None:
+    if request.method == "POST":
+        form_data = await request.form()
+        if "redirect_url" in form_data:
+            redirect_url = form_data["redirect_url"]
+        else:
+            redirect_url = request.url_for("admin_stream")
+    else:
+        redirect_url = str(request.url)
+
     _RedirectToLoginPage = HTTPException(
         status_code=302,
-        headers={"Location": request.url_for("login") + f"?redirect={request.url}"},
+        headers={"Location": request.url_for("login") + f"?redirect={redirect_url}"},
     )
     if not session:
diff --git a/app/config.py b/app/config.py
index 687bf65..f9c4ac7 100644
--- a/app/config.py
+++ b/app/config.py
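Review bot: The `redirect_url` taken from the POST body on the `if "redirect_url" in form_data:` branch goes straight into the `Location` header of the 302 with no validation and no URL-encoding, so a cross-site form can decide where the login page sends the user afterwards, and a value containing `&` or `#` is not even confined to the `redirect` query parameter. Whether the `login` handler itself rejects absolute or protocol-relative targets is outside this hunk, so it is cheap to constrain here: `if not redirect_url.startswith("/") or redirect_url.startswith("//"): redirect_url = request.url_for("admin_stream")`, and build the header with `f"?redirect={urllib.parse.quote(str(redirect_url), safe='/')}"` (wrapping in `str()` covers `url_for` returning a URL object; `urllib.parse` would need importing). The body of `user_session_or_redirect` continues past `if not session:` outside the hunk.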
@@ -200,10 +200,19 @@ def generate_csrf_token() -> str:
     return csrf_serializer.dumps(secrets.token_hex(16))  # type: ignore
-def verify_csrf_token(csrf_token: str = Form()) -> None:
+def verify_csrf_token(
+    csrf_token: str = Form(),
+    redirect_url: str | None = Form(None),
+) -> None:
+    please_try_again = "please try again"
+    if redirect_url:
+        please_try_again = f'please try again'
     try:
         csrf_serializer.loads(csrf_token, max_age=1800)
     except (itsdangerous.BadData, itsdangerous.SignatureExpired):
         logger.exception("Failed to verify CSRF token")
-        raise HTTPException(status_code=403, detail="CSRF error")
+        raise HTTPException(
+            status_code=403,
+            detail=f"The security token expired, {please_try_again}",
+        )
     return None
diff --git a/app/scss/main.scss b/app/scss/main.scss
index 760ed7c..49fcfe7 100644
--- a/app/scss/main.scss
+++ b/app/scss/main.scss
@@ -509,3 +509,9 @@ nav.flexbox {
     }
   }
 }
+
+.error-title {
+  a {
+    text-decoration: underline;
+  }
+}
diff --git a/app/templates/error.html b/app/templates/error.html
index 1d93c59..99511b5 100644
--- a/app/templates/error.html
+++ b/app/templates/error.html
@@ -6,7 +6,7 @@ {% endblock %} {% block content %} -
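Review bot: The 403 `detail` assembled on the `please_try_again = f'please try again'` line appears to interpolate the form-supplied `redirect_url` into markup (the tags look stripped in this rendering, but the f-string together with the `.error-title a` rule added in the same commit points to an anchor), and the CSRF-failure path is exactly the one a cross-site form reaches, so an attacker controls that value precisely when the token check fails. Unless the template escapes `detail`, that is reflected XSS on the error page; at minimum escape and constrain it here, `safe_url = html.escape(redirect_url, quote=True) if redirect_url.startswith("/") and not redirect_url.startswith("//") else ""`, and better still pass `redirect_url` to the template as a separate variable so autoescaping builds the link and `detail` stays plain text. Separately, `itsdangerous.SignatureExpired` is a subclass of `BadData`, so the new message reports "expired" for a forged or malformed token as well; `"The security token is invalid or expired, ..."` is the accurate wording.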
-

{{ title }}

+
+

{{ title | safe }}

 {% endblock %}
diff --git a/docs/user_guide.md b/docs/user_guide.md
index 3714e95..104340b 100644
--- a/docs/user_guide.md
+++ b/docs/user_guide.md
@@ -33,7 +33,7 @@ Whenever one of these config items is updated, an `Update` activity will be sent
 The server will need to be restarted for taking changes into account.
-Before restarting, you can ensure you haven't made any mistakes by running the [configuration checking task](/user_guide.html#configuration-checking).
+Before restarting the server, you can ensure you haven't made any mistakes by running the [configuration checking task](/user_guide.html#configuration-checking).
 ### Profile metadata
@@ -161,7 +161,7 @@ And only the last 20 interactions (likes/shares/webmentions) will be displayed,
 ## Admin section
-You can login to the admin section by clicking on the `Admin` link in the footer or by visiting `https://yourdomain.tld/admin`.
+You can login to the admin section by clicking on the `Admin` link in the footer or by visiting `https://yourdomain.tld/admin/login`.
 The password is the one set during the initial configuration.
 ### Lookup
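Review bot: `{{ title | safe }}` switches off autoescaping for every error rendered through this template, not just the CSRF one, and the 403 detail it now receives from `verify_csrf_token` is built from a form-supplied `redirect_url`, so any HTTP error whose `detail` carries request-derived text is rendered as raw HTML here. Keep `{{ title }}` escaped and render the link from data instead: pass `redirect_url` as its own template variable and write `{% if redirect_url %}<a href="{{ redirect_url }}">try again</a>{% endif %}`, so Jinja escapes the attribute value and the Python side needs only a plain-text message. The markup of this hunk appears stripped in this rendering, so the exact element wrapping `title` cannot be confirmed from here.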