This adds a /avatar/<uid> endpoint which serves any jpegPhoto associated with a given user account. In true 'lol ldap' fashion, only `photo` and `jpegPhoto` fields are defined. The first one is for G3 photos (a fax format!). The latter is technically for JPEG. But we expect to abuse this and basically contain _any_ sensible photo format in there, as long as Python's PIL can parse it. The serving function always resamples images to a 256x256 PNG. This makes sure people don't leak EXIF and lets us depend on square avatars. This entire code assumes that it is safe to PIL.Image.open untrusted user data. My understanding is that it is, bar some DoS for very large images. We limit the potential for DoS by storing the images in LDAP, which I hope has some kind of field length limit... Oh, and this also adds a 'default avatar' functionality which serves simple generative mermaid art for any user who doesn't have an explicit avatar set. To prevent leaking the existence of users who don't have an avatar set, we serve such a generated avatar for all UIDs, including UIDs which don't exist.
24 lines
431 B
TOML
24 lines
431 B
TOML
[tool.poetry]
|
|
name = "ldap-web"
|
|
version = "0.1.0"
|
|
description = ""
|
|
authors = []
|
|
readme = "README.md"
|
|
|
|
[tool.poetry.dependencies]
|
|
python = "~3.11"
|
|
Flask = "^2.3"
|
|
Flask-WTF = "^1"
|
|
itsdangerous = "^2.0"
|
|
Jinja2 = "^3.0"
|
|
kerberos = "^1.3.0"
|
|
MarkupSafe = "^2.0"
|
|
pillow = "^10.0.1"
|
|
python-ldap = "^3.2.0"
|
|
uWSGI = "^2.0"
|
|
Werkzeug = "^2.0"
|
|
WTForms = "^3"
|
|
|
|
[build-system]
|
|
requires = ["poetry-core"]
|
|
build-backend = "poetry.core.masonry.api"
|