author | vuko <vuko@hackerspace.pl> | 2021-01-11 12:32:47 +0100 |
---|---|---|
committer | vuko <vuko@hackerspace.pl> | 2021-01-11 12:32:47 +0100 |
commit | 6780e85614ddd1c3c196d2afeb74a8612f878a34 (patch) | |
tree | e8eb6c7a8d4d8a06689e8482301cf89176f5ea80 | |
parent | 84e8475fc01782de779422e405348e18d983e2ac (diff) | |
authorization bypass in debug mode
-rw-r--r-- | at/web.py | 55 |
1 files changed, 44 insertions, 11 deletions
@@ -5,7 +5,8 @@ from datetime import datetime
 from typing import NamedTuple, Iterable, Iterator, List
 from functools import wraps
 from flask import Flask, render_template, abort, g, \
-    redirect, request, url_for, make_response
+    redirect, request, url_for, make_response, send_file
+from base64 import b64decode
 from spaceauth import SpaceAuth, login_required, current_user, cap_required
@@ -57,6 +58,37 @@ def app(instance_path, devices_api, config):
     app.space_auth = SpaceAuth(app)
+
+    def auth_get_user():
+        if config.get('DEBUG', False):
+            if "User" in request.headers:
+                return request.headers.get("User")
+            if "Authorization" in request.headers:
+                raw = b64decode(request.headers.get('Authorization').split(' ')[1])
+                app.logger.info(f'Raw authorization: {raw!s}')
+                return raw.decode().split(':')[0]
+            app.logger.info(request.headers)
+            raise Exception('username not supplied')
+        else:
+            return current_user.id
+
+    def auth_login_required(f):
+        if config.get('DEBUG', False):
+            @wraps(f)
+            def wrapper(*args, **kwargs):
+                try:
+                    auth_get_user()
+                except Exception:
+                    app.logger.exception("auth get exception")
+                    response = make_response('', 401)
+                    response.headers['WWW-Authenticate'] = 'Basic realm="at.hackerspace.pl", charset="UTF-8"'
+                    return response
+                return f(*args, **kwargs)
+            return wrapper
+        else:
+            return login_required(f)
+
+
     def restrict_ip(prefixes : List[str] = [], exclude : List[str] = []):
         def decorator(f):
             @wraps(f)
@@ -165,7 +197,7 @@ def app(instance_path, devices_api, config):
     @app.route('/claim', methods=['GET'])
     @restrict_to_hs
-    @login_required
+    @auth_login_required
     def claim_form():
         hwaddr, name = app.updater.get_device(v4addr())
         return render_template('claim.html', hwaddr=hwaddr, name=name)
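Review bot: `app.logger.info(f'Raw authorization: {raw!s}')` in auth_get_user writes the decoded Basic credential, password included, to the application log, and the `app.logger.info(request.headers)` a few lines below dumps every request header (cookies and session tokens among them) whenever no username is found; logs outlive a debug session, so log only the username — `user = raw.decode().split(':')[0]` / `app.logger.info('Basic auth user: %s', user)` / `return user` — and drop the headers dump. The header-trusting path is gated on the same `DEBUG` key that enables the Flask debugger, so a single misconfigured deployment disables authentication for claim_form, claim, account and device (this hunk and the following ones); reading a dedicated opt-in key once into a local, e.g. `insecure_header_auth = config.get('<NEW_OPT_IN_KEY>', False)` (placeholder name), would make that intent explicit and auditable. `split(' ')[1]` also base64-decodes whatever scheme is supplied and raises IndexError on a bare `Authorization` header; the wrapper's `except Exception` absorbs that, but a one-line comment on auth_get_user stating that the debug path performs no credential verification would spare the next reader the inference. The enclosing `def app(...)` starts and ends outside this hunk.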
@@ -178,14 +210,14 @@ def app(instance_path, devices_api, config):
     @app.route('/claim', methods=['POST'])
     @restrict_to_hs
-    @login_required
+    @auth_login_required
     def claim():
         hwaddr, lease_name = app.updater.get_device(v4addr())
         ctx = None
         if not hwaddr:
             ctx = dict(error='Invalid device.')
         else:
-            login = current_user.id
+            login = auth_get_user()
             try:
                 g.db.execute(''' insert into devices (hwaddr, name, owner, ignored) values (?, ?, ?, ?)''',
@@ -207,9 +239,9 @@ def app(instance_path, devices_api, config):
     @app.route('/account', methods=['GET'])
-    @login_required
+    @auth_login_required
     def account():
-        devices = get_user_devices(g.db, current_user.id)
+        devices = get_user_devices(g.db, auth_get_user())
         return render_template('account.html', devices=devices)
@@ -225,9 +257,9 @@ def app(instance_path, devices_api, config):
                 [hwaddr, user])
     @app.route('/devices/<id>/<action>/')
-    @login_required
+    @auth_login_required
     def device(id, action):
-        user = current_user.id
+        user = auth_get_user()
         if action == 'hide':
             set_ignored(g.db, id, user, True)
         if action == 'show':
@@ -242,8 +274,9 @@ def app(instance_path, devices_api, config):
     def admin():
         data = now_at()
         return render_template('admin.html', data=data)
+
+    @app.route('/static/css/basic.css')
+    def css():
+        return send_file(str(Path('./static/css/basic.css').absolute()))
     return app
-
-#if __name__ == '__main__':
-#    app(Path.cwd().absolute()).run('0.0.0.0', 8080, debug=True)
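Review bot: The new css view in the last hunk resolves `Path('./static/css/basic.css').absolute()` against the process working directory rather than the application, so the route serves a different file, or none, depending on where the server was started; `return send_file(str(Path(app.root_path, 'static', 'css', 'basic.css')))` pins it to the package. `Path` is not among the imports visible in this diff, and the removed commented-out `__main__` block was the only visible use of it — confirm it is still imported at the top of web.py. Flask already serves `/static/...` from the default static folder, so a one-line comment stating why an explicit route is needed here would help the next reader. The enclosing `def app(...)` starts outside this hunk.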