indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Validate nickname at login

main
bashrc 2026-04-16 15:45:45 +01:00
parent 6991e535a1
commit 6c2664ed06
4 changed files with 19 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
auth.py
View File

@ -18,6 +18,7 @@ from utils import data_dir
from utils import has_users_path from utils import has_users_path
from utils import text_in_file from utils import text_in_file
from utils import remove_eol from utils import remove_eol
from utils import valid_nickname
from timeFunctions import date_utcnow from timeFunctions import date_utcnow
@ -89,7 +90,7 @@ def create_basic_auth_header(nickname: str, password: str) -> str:
def authorize_basic(base_dir: str, path: str, auth_header: str, def authorize_basic(base_dir: str, path: str, auth_header: str,
debug: bool) -> bool: debug: bool, domain: str) -> bool:
"""HTTP basic auth """HTTP basic auth
""" """
if ' ' not in auth_header: if ' ' not in auth_header:
@ -140,6 +141,10 @@ def authorize_basic(base_dir: str, path: str, auth_header: str,
') does not match the one in the Authorization header (' + ') does not match the one in the Authorization header (' +
nickname + ')') nickname + ')')
return False return False
if not valid_nickname(domain, nickname):
if debug:
print('AUTH: invalid nickname ' + nickname)
return False
if is_memorial_account(base_dir, nickname): if is_memorial_account(base_dir, nickname):
print('basic auth - attempted login using memorial account ' + print('basic auth - attempted login using memorial account ' +
nickname + ' in Auth header') nickname + ' in Auth header')
@ -248,11 +253,12 @@ def remove_password(base_dir: str, nickname: str) -> None:
return return
def authorize(base_dir: str, path: str, auth_header: str, debug: bool) -> bool: def authorize(base_dir: str, path: str, auth_header: str, debug: bool,
domain: str) -> bool:
"""Authorize using http header """Authorize using http header
""" """
if auth_header.lower().startswith('basic '): if auth_header.lower().startswith('basic '):
return authorize_basic(base_dir, path, auth_header, debug) return authorize_basic(base_dir, path, auth_header, debug, domain)
return False return False

3
daemon_post_login.py
View File

@ -141,7 +141,8 @@ def post_login_screen(self, calling_domain: str, cookie: str,
print('Login attempt from IP: ' + str(ip_address)) print('Login attempt from IP: ' + str(ip_address))
if not authorize_basic(base_dir, '/users/' + if not authorize_basic(base_dir, '/users/' +
login_nickname + '/outbox', login_nickname + '/outbox',
auth_header, False): auth_header, False,
domain):
print('Login failed: ' + login_nickname) print('Login failed: ' + login_nickname)
clear_login_details(self, login_nickname, calling_domain) clear_login_details(self, login_nickname, calling_domain)
fail_time = int(time.time()) fail_time = int(time.time())

3
daemon_utils.py
View File

@ -626,7 +626,8 @@ def is_authorized(self) -> bool:
if self.headers.get('Authorization'): if self.headers.get('Authorization'):
if authorize(self.server.base_dir, self.path, if authorize(self.server.base_dir, self.path,
self.headers['Authorization'], self.headers['Authorization'],
self.server.debug): self.server.debug,
self.server.domain):
return True return True
print('AUTH: C2S Basic auth did not authorize ' + print('AUTH: C2S Basic auth did not authorize ' +
self.headers['Authorization']) self.headers['Authorization'])

11
tests.py
View File

@ -3277,24 +3277,25 @@ def _test_authentication(base_dir: str) -> None:
assert store_basic_credentials(base_dir, 'badnick', 'otherpa:ss') is False assert store_basic_credentials(base_dir, 'badnick', 'otherpa:ss') is False
assert store_basic_credentials(base_dir, nickname, password) assert store_basic_credentials(base_dir, nickname, password)
domain = "test.domain"
auth_header = create_basic_auth_header(nickname, password) auth_header = create_basic_auth_header(nickname, password)
assert authorize_basic(base_dir, '/users/' + nickname + '/inbox', assert authorize_basic(base_dir, '/users/' + nickname + '/inbox',
auth_header, False) auth_header, False, domain)
assert authorize_basic(base_dir, '/users/' + nickname, assert authorize_basic(base_dir, '/users/' + nickname,
auth_header, False) is False auth_header, False, domain) is False
assert authorize_basic(base_dir, '/users/othernick/inbox', assert authorize_basic(base_dir, '/users/othernick/inbox',
auth_header, False) is False auth_header, False, domain) is False
auth_header = create_basic_auth_header(nickname, password + '1') auth_header = create_basic_auth_header(nickname, password + '1')
assert authorize_basic(base_dir, '/users/' + nickname + '/inbox', assert authorize_basic(base_dir, '/users/' + nickname + '/inbox',
auth_header, False) is False auth_header, False, domain) is False
password = 'someOtherPassword' password = 'someOtherPassword'
assert store_basic_credentials(base_dir, nickname, password) assert store_basic_credentials(base_dir, nickname, password)
auth_header = create_basic_auth_header(nickname, password) auth_header = create_basic_auth_header(nickname, password)
assert authorize_basic(base_dir, '/users/' + nickname + '/inbox', assert authorize_basic(base_dir, '/users/' + nickname + '/inbox',
auth_header, False) auth_header, False, domain)
os.chdir(curr_dir) os.chdir(curr_dir)
shutil.rmtree(base_dir, ignore_errors=False) shutil.rmtree(base_dir, ignore_errors=False)