From 69b5013edb97260f006487623677979eac337a6b Mon Sep 17 00:00:00 2001
From: TheoLechemia
Date: Mon, 11 Sep 2023 11:13:36 +0200
Subject: [PATCH 1/3] logout : do not use redirect if no redirect query string
---
 src/pypnusershub/routes.py | 96 +++++++++++++++++++++-----------------
 1 file changed, 54 insertions(+), 42 deletions(-)
diff --git a/src/pypnusershub/routes.py b/src/pypnusershub/routes.py
index 2a8eacf..15bf873 100755
--- a/src/pypnusershub/routes.py
+++ b/src/pypnusershub/routes.py
@@ -13,17 +13,7 @@ import datetime
 from functools import wraps
-from flask import (
- Blueprint,
- escape,
- request,
- Response,
- current_app,
- redirect,
- g,
- jsonify,
- session,
-)
+from flask import Blueprint, escape, request, Response, current_app, redirect, g, make_response
 from sqlalchemy.orm import exc
 import sqlalchemy as sa
@@ -69,7 +59,6 @@ class ConfigurableBlueprint(Blueprint):
 def register(self, app, *args, **kwargs):
- # set cookie autorenew
 expiration = app.config.get("COOKIE_EXPIRATION", 3600)
 cookie_autorenew = app.config.get("COOKIE_AUTORENEW", True)
@@ -86,10 +75,20 @@ def after_request(response):
 if is_token_set and not is_setting_token:
 cookie_exp = datetime.datetime.utcnow()
 cookie_exp += datetime.timedelta(seconds=expiration)
- set_cookie(response=response, application_url=current_app.config.get("URL_APPLICATION"),
- key="token", value=request.cookies["token"], expires=cookie_exp)
- set_cookie(response=response, application_url=current_app.config.get("URL_APPLICATION"),
- key="currentUser", value=request.cookies["currentUser"], expires=cookie_exp)
+ set_cookie(
+ response=response,
+ application_url=current_app.config.get("URL_APPLICATION"),
+ key="token",
+ value=request.cookies["token"],
+ expires=cookie_exp,
+ )
+ set_cookie(
+ response=response,
+ application_url=current_app.config.get("URL_APPLICATION"),
+ key="currentUser",
+ value=request.cookies["currentUser"],
+ expires=cookie_exp,
+ )
 return response
 # TODO: replace the generic exception by a specific one
 except Exception:
@@ -135,8 +134,13 @@ def __check_auth(*args, **kwargs):
 res = redirect(redirect_on_expiration, code=302)
 else:
 res = Response("Token Expired", 403)
- set_cookie(response=res, application_url=current_app.config.get("URL_APPLICATION"),
- key="token", value="", expires=0)
+ set_cookie(
+ response=res,
+ application_url=current_app.config.get("URL_APPLICATION"),
+ key="token",
+ value="",
+ expires=0,
+ )
 return res
 except KeyError as e:
@@ -152,17 +156,18 @@ def __check_auth(*args, **kwargs):
 if redirect_on_invalid_token:
 res = redirect(redirect_on_invalid_token, code=302)
 else:
- res = Response(
- "Token BadSignature or token not coresponding to the app", 403
- )
- set_cookie(response=res, application_url=current_app.config.get("URL_APPLICATION"),
- key="token", value="", expires=0)
+ res = Response("Token BadSignature or token not coresponding to the app", 403)
+ set_cookie(
+ response=res,
+ application_url=current_app.config.get("URL_APPLICATION"),
+ key="token",
+ value="",
+ expires=0,
+ )
 return res
 except Exception as e:
- trap_all_exceptions = current_app.config.get(
- "TRAP_ALL_EXCEPTIONS", True
- )
+ trap_all_exceptions = current_app.config.get("TRAP_ALL_EXCEPTIONS", True)
 if not trap_all_exceptions:
 raise
 log.critical(e)
@@ -208,7 +213,6 @@ def login():
 user_dict = user.as_dict()
 user_dict["apps"] = {s.id_application: s.id_droit_max for s in sub_app}
 except (exc.NoResultFound, AssertionError) as e:
-
 msg = json.dumps(
 {
 "type": "login",
@@ -237,26 +241,31 @@ def login():
 # Génération d'un token
 token = user_to_token(user)
 cookie_exp = datetime.datetime.utcnow()
- cookie_exp += datetime.timedelta(
- seconds=current_app.config["COOKIE_EXPIRATION"]
- )
+ cookie_exp += datetime.timedelta(seconds=current_app.config["COOKIE_EXPIRATION"])
 resp = Response(json.dumps({"user": user_dict, "expires": str(cookie_exp)}))
- set_cookie(response=resp, application_url=current_app.config.get("URL_APPLICATION"),
- key="token", value=token, expires=cookie_exp)
+ set_cookie(
+ response=resp,
+ application_url=current_app.config.get("URL_APPLICATION"),
+ key="token",
+ value=token,
+ expires=cookie_exp,
+ )
 return resp
 except Exception as e:
 msg = json.dumps({"login": False, "msg": repr(e)})
 return Response(msg, status=403)
+
 @routes.route("/public_login", methods=["POST"])
 def public_login():
-
 if not current_app.config.get("PUBLIC_ACCESS_USERNAME", {}):
 raise Forbidden
 user = (
- models.AppUser.query.filter(models.AppUser.identifiant == current_app.config.get("PUBLIC_ACCESS_USERNAME"))
+ models.AppUser.query.filter(
+ models.AppUser.identifiant == current_app.config.get("PUBLIC_ACCESS_USERNAME")
+ )
 .filter(models.AppUser.id_application == get_current_app_id())
 .one()
 )
@@ -264,22 +273,26 @@ def public_login():
 # Génération d'un token
 token = user_to_token(user)
 cookie_exp = datetime.datetime.utcnow()
- cookie_exp += datetime.timedelta(
- seconds=current_app.config["COOKIE_EXPIRATION"]
- )
+ cookie_exp += datetime.timedelta(seconds=current_app.config["COOKIE_EXPIRATION"])
 resp = Response(json.dumps({"user": user_dict, "expires": str(cookie_exp)}))
- set_cookie(response=resp, application_url=current_app.config.get("URL_APPLICATION"),
- key="token", value=token, expires=cookie_exp)
+ set_cookie(
+ response=resp,
+ application_url=current_app.config.get("URL_APPLICATION"),
+ key="token",
+ value=token,
+ expires=cookie_exp,
+ )
 return resp
+
 @routes.route("/logout", methods=["GET", "POST"])
 def logout():
 params = request.args
 if "redirect" in params:
 resp = redirect(params["redirect"], code=302)
 else:
- resp = redirect("", code=302)
+ resp = make_response()
 resp.delete_cookie("token")
 return resp
@@ -295,10 +308,9 @@ def insert_or_update_organism(organism):
 return organism_schema.dump(organism)
-
 def insert_or_update_role(data):
 """
- Insert or update a role (also add groups if provided)
+ Insert or update a role (also add groups if provided)
 """
 user_schema = UserSchema(only=["groups"])
 user = user_schema.load(data)
From 24379e05fc8f758ddceab38353a5d55f58ecb9bf Mon Sep 17 00:00:00 2001
From: TheoLechemia
Date: Mon, 11 Sep 2023 11:52:00 +0200
Subject: [PATCH 2/3] changelo
---
 docs/changelog.rst | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 4333ee8..7b8007d 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -1,6 +1,13 @@
 CHANGELOG
 *********
+1.6.10 (unreleased)
+------------------
+
+**🐛 Corrections**
+
+* Correction d'une mauvaise utilisation de la redirection sur la route de `logout`
+
 1.6.9 (2023-08-08)
 ------------------
From 65d7c3e72b650469c41ed8312c1f695b296297cb Mon Sep 17 00:00:00 2001
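Review bot: The `redirect` branch of `logout` still hands `params["redirect"]` to `redirect()` with no validation, so any caller-controlled URL — including an external origin or a protocol-relative `//host` — is followed after the cookie is cleared, which is an open redirect reachable by a plain GET; the commit only fixes the no-parameter branch with `make_response()`. Restricting the target to a relative path (or to a prefix of `URL_APPLICATION`) closes it, as in the rewritten branch below. Separately, only the `token` cookie is deleted here while `after_request` in this same patch also renews a `currentUser` cookie, so that one survives logout. Also, `delete_cookie("token")` uses Flask's default path and domain rather than whatever the `set_cookie` helper derives from `URL_APPLICATION`, so it may not actually clear the cookie the helper set — worth confirming against that helper, which is not visible in this diff.
```python
params = request.args
target = params.get("redirect", "")
# Only follow same-origin relative paths; absolute, protocol-relative ("//host")
# and backslash-escaped targets would turn logout into an open redirect.
if target.startswith("/") and not target.startswith("//") and "\\" not in target:
    resp = redirect(target, code=302)
else:
    resp = make_response()
# … unchanged: resp.delete_cookie("token"); return resp …
```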
From: TheoLechemia
Date: Thu, 14 Sep 2023 10:04:38 +0200
Subject: [PATCH 3/3] prepa release
---
 VERSION | 2 +-
 docs/changelog.rst | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/VERSION b/VERSION
index 15d45d4..a9904f7 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.6.9
+1.6.10
\ No newline at end of file
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 7b8007d..a2701a0 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -1,8 +1,8 @@
 CHANGELOG
 *********
-1.6.10 (unreleased)
-------------------
+1.6.10 (2023-09-14)
+-------------------
 **🐛 Corrections**