Prevent email clients from opening the one-time login links. Fixes #255

This commit is contained in:
Pēteris Caune 2019-05-21 11:26:55 +03:00
parent 78c9ee3e9e
commit 8f6726d1ee
3 changed files with 21 additions and 19 deletions


@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file.
### Bug Fixes ### Bug Fixes
- Fix badges for tags containing special characters (#240, #237) - Fix badges for tags containing special characters (#240, #237)
- Fix the "Integrations" page for when the user has no active project - Fix the "Integrations" page for when the user has no active project
- Prevent email clients from opening the one-time login links (#255)
## 1.7.0 - 2019-05-02 ## 1.7.0 - 2019-05-02


@ -119,7 +119,12 @@ def login(request):
profile = Profile.objects.for_user(magic_form.user) profile = Profile.objects.for_user(magic_form.user)
profile.send_instant_login_link(redirect_url=redirect_url) profile.send_instant_login_link(redirect_url=redirect_url)
return redirect("hc-login-link-sent") response = redirect("hc-login-link-sent")
# check_token_submit looks for this cookie to decide if
# it needs to do the extra POST step.
response.set_cookie("auto-login", "1", max_age=300, httponly=True)
return response
bad_link = request.session.pop("bad_link", None) bad_link = request.session.pop("bad_link", None)
ctx = { ctx = {
@ -169,12 +174,13 @@ def check_token(request, username, token):
return _redirect_after_login(request) return _redirect_after_login(request)
# Some email servers open links in emails to check for malicious content. # Some email servers open links in emails to check for malicious content.
# To work around this, we sign user in if the method is POST. # To work around this, we sign user in if the method is POST
# *or* if the browser presents a cookie we had set when sending the login link.
# #
# If the method is GET, we instead serve a HTML form and a piece # If the method is GET, we instead serve a HTML form and a piece
# of Javascript to automatically submit it. # of Javascript to automatically submit it.
if request.method == "POST": if request.method == "POST" or "auto-login" in request.COOKIES:
user = authenticate(username=username, token=token) user = authenticate(username=username, token=token)
if user is not None and user.is_active: if user is not None and user.is_active:
user.profile.token = "" user.profile.token = ""
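Review bot: The `"auto-login"` cookie that the new condition `if request.method == "POST" or "auto-login" in request.COOKIES:` accepts is never cleared in the visible code, so for its 300-second lifetime every GET to a check_token URL from that browser bypasses the confirmation form; the successful-login branch should end with `response.delete_cookie("auto-login")` on the redirect it returns (the body of check_token continues past the hunk, so that line may already exist out of view). The token is blanked with `user.profile.token = ""` on login, which bounds the exposure to a single use per link. The cookie is set in the login hunk with `httponly=True` but without `secure`; on an HTTPS deployment passing `secure=True` (or mirroring the project's SESSION_COOKIE_SECURE setting) keeps it off plaintext requests. The comment kept at `# If the method is GET, we instead serve a HTML form and a piece of Javascript to automatically submit it.` is now stale, since the template hunk in this commit removes the auto-submit script; it should read `# If the method is GET, we instead serve a HTML form with a "Continue" button.`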


@ -8,9 +8,6 @@
</head> </head>
<body> <body>
<form id="form" method="post">{% csrf_token %}</form>
<script>document.getElementById("form").submit();</script>
<style> <style>
body { body {
font-family: Arial; font-family: Arial;
@ -39,19 +36,17 @@
} }
</style> </style>
<noscript> <p>You are about to log into {% site_name %}.</p>
<p>You are about to log into {% site_name %}.</p> <p>Please press the button below to continue:</p>
<p>Please press the button below to continue:</p> <br />
<br /> <form method="post">
<form method="post"> {% csrf_token %}
{% csrf_token %} <input
<input id="submit-btn"
id="submit-btn" type="submit"
type="submit" class="btn btn-lg btn-primary"
class="btn btn-lg btn-primary" value="Continue to {% site_name %}">
value="Continue to {% site_name %}"> </form>
</form>
</noscript>
</body> </body>
</html> </html>