LDAP Profile management service https://profile.hackerspace.pl
 
 
 
 
 
q3k a435e15698 Implement LDAP avatar serving
This adds a /avatar/<uid> endpoint which serves any jpegPhoto associated
with a given user account.

In true 'lol ldap' fashion, only `photo` and `jpegPhoto` fields are
defined. The first one is for G3 photos (a fax format!). The latter is
technically for JPEG. But we expect to abuse this and basically contain
_any_ sensible photo format in there, as long as Python's PIL can parse
it.

The serving function always resamples images to a 256x256 PNG. This
makes sure people don't leak EXIF and lets us depend on square avatars.

This entire code assumes that it is safe to PIL.Image.open untrusted
user data. My understanding is that it is, bar some DoS for very large
images. We limit the potential for DoS by storing the images in LDAP,
which I hope has some kind of field length limit...

Oh, and this also adds a 'default avatar' functionality which serves
simple generative mermaid art for any user who doesn't have an explicit
avatar set. To prevent leaking the existence of users who don't have an
avatar set, we serve such a generated avatar for all UIDs, including
UIDs which don't exist.
2023-10-08 18:14:00 +02:00
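The avatar handling that the commit message above describes, sketched as an added example (this is not the repository's code). The function names, the byte and pixel caps, the flat-colour placeholder standing in for the generated art, and the dict standing in for the LDAP lookup are all assumptions.

```python
import hashlib
import io

from PIL import Image

AVATAR_SIZE = (256, 256)            # output size stated in the commit message
MAX_PHOTO_BYTES = 2 * 1024 * 1024   # assumed cap on the stored attribute size
MAX_PIXELS = 4096 * 4096            # assumed cap on the decoded pixel count


def default_avatar(uid: str) -> bytes:
    """Deterministic placeholder: a flat colour derived from the uid."""
    r, g, b = hashlib.sha256(uid.encode()).digest()[:3]
    out = io.BytesIO()
    Image.new("RGB", AVATAR_SIZE, (r, g, b)).save(out, format="PNG")
    return out.getvalue()


def sanitize_photo(raw: bytes) -> bytes:
    """Re-encode untrusted image bytes as a 256x256 PNG without metadata."""
    if len(raw) > MAX_PHOTO_BYTES:
        raise ValueError("photo attribute too large")
    img = Image.open(io.BytesIO(raw))       # lazy: only the header is parsed
    width, height = img.size
    if width * height > MAX_PIXELS:         # reject before pixels are decoded
        raise ValueError("image dimensions too large")
    img = img.convert("RGBA").resize(AVATAR_SIZE, Image.LANCZOS)
    clean = Image.new("RGBA", AVATAR_SIZE)  # fresh image: no EXIF/info carried over
    clean.paste(img)
    out = io.BytesIO()
    clean.save(out, format="PNG")
    return out.getvalue()


def avatar_response(uid: str, directory: dict) -> tuple:
    """Return (status, content type, body); identical shape for every uid."""
    raw = (directory.get(uid) or {}).get("jpegPhoto")
    try:
        body = sanitize_photo(raw) if raw else default_avatar(uid)
    except Exception:                       # unparseable or oversized: fall back
        body = default_avatar(uid)
    return 200, "image/png", body
```

Unknown UIDs, users without a photo and users whose stored photo fails to parse all receive the same kind of 200 PNG response, so the endpoint does not reveal which accounts exist.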
webapp Implement LDAP avatar serving 2023-10-08 18:14:00 +02:00
.gitignore rename config.py.dist to config.py 2023-09-23 18:28:02 +02:00
.python-version Fix build for Python 3.11 2023-09-19 22:14:09 +02:00
Dockerfile Dockerfile: don't run uwsgi as root 2023-09-19 22:16:07 +02:00
README.md migrate to poetry 2023-09-19 21:29:28 +02:00
krb5.conf Add hackerspace name config option 2018-02-26 10:03:33 +00:00
poetry.lock Implement LDAP avatar serving 2023-10-08 18:14:00 +02:00
pyproject.toml Implement LDAP avatar serving 2023-10-08 18:14:00 +02:00
syrenka.png Implement LDAP avatar serving 2023-10-08 18:14:00 +02:00

README.md

ldap-web aka profile.hackerspace.pl

quick start locally

poetry install
FLASK_ENV=development FLASK_APP=webapp poetry run flask run -p 5001

Open app at localhost:5001

To test changing a password locally, you must add the HACKERSPACE.PL realm to your /etc/krb5.conf. See krb5.conf in this repository for an example.

quick start (dockerized)

docker build -t ldapweb .
docker run -p 8000:8000 ldapweb

Open app at localhost:8000

deployment

Look for ldapweb.libsonnet in the hscloud repo.