Improve expired session and CSRF error handling

2022-09-16 18:14:50 +02:00 · 2022-09-16 18:14:50 +02:00 · b99552384c
commit b99552384c
parent 949365d8ba
5 changed files with 32 additions and 8 deletions
--- a/app/admin.py
+++ b/app/admin.py
@ -40,13 +40,22 @@ from app.utils import pagination
 from app.utils.emoji import EMOJIS_BY_NAME


-def user_session_or_redirect(
+async def user_session_or_redirect(
    request: Request,
    session: str | None = Cookie(default=None),
 ) -> None:
+    if request.method == "POST":
+        form_data = await request.form()
+        if "redirect_url" in form_data:
+            redirect_url = form_data["redirect_url"]
+        else:
+            redirect_url = request.url_for("admin_stream")
+    else:
+        redirect_url = str(request.url)
+
    _RedirectToLoginPage = HTTPException(
        status_code=302,
-        headers={"Location": request.url_for("login") + f"?redirect={request.url}"},
+        headers={"Location": request.url_for("login") + f"?redirect={redirect_url}"},
    )

    if not session:
--- a/app/config.py
+++ b/app/config.py
@ -200,10 +200,19 @@ def generate_csrf_token() -> str:
    return csrf_serializer.dumps(secrets.token_hex(16))  # type: ignore


-def verify_csrf_token(csrf_token: str = Form()) -> None:
+def verify_csrf_token(
+    csrf_token: str = Form(),
+    redirect_url: str | None = Form(None),
+) -> None:
+    please_try_again = "please try again"
+    if redirect_url:
+        please_try_again = f'<a href="{redirect_url}">please try again</a>'
    try:
        csrf_serializer.loads(csrf_token, max_age=1800)
    except (itsdangerous.BadData, itsdangerous.SignatureExpired):
        logger.exception("Failed to verify CSRF token")
-        raise HTTPException(status_code=403, detail="CSRF error")
+        raise HTTPException(
+            status_code=403,
+            detail=f"The security token expired, {please_try_again}",
+        )
    return None
--- a/app/scss/main.scss
+++ b/app/scss/main.scss
@ -509,3 +509,9 @@ nav.flexbox {
    }
  }
 }
+
+.error-title {
+  a {
+    text-decoration: underline;
+  }
+}
--- a/app/templates/error.html
+++ b/app/templates/error.html
@ -6,7 +6,7 @@
 {% endblock %}

 {% block content %}
-<div class="centered primary-color">
-    <h1>{{ title }}</h1>
+<div class="centered primary-color box">
+    <h1 class="error-title">{{ title | safe }}</h1>
 </div>
 {% endblock %}
--- a/docs/user_guide.md
+++ b/docs/user_guide.md
@ -33,7 +33,7 @@ Whenever one of these config items is updated, an `Update` activity will be sent

 The server will need to be restarted for taking changes into account.

-Before restarting, you can ensure you haven't made any mistakes by running the [configuration checking task](/user_guide.html#configuration-checking).
+Before restarting the server, you can ensure you haven't made any mistakes by running the [configuration checking task](/user_guide.html#configuration-checking).


 ### Profile metadata
@ -161,7 +161,7 @@ And only the last 20 interactions (likes/shares/webmentions) will be displayed,

 ## Admin section

-You can login to the admin section by clicking on the `Admin` link in the footer or by visiting `https://yourdomain.tld/admin`.
+You can login to the admin section by clicking on the `Admin` link in the footer or by visiting `https://yourdomain.tld/admin/login`.
 The password is the one set during the initial configuration.

 ### Lookup