Prevent email clients from opening the one-time login links. Fixes #255
parent
78c9ee3e9e
commit
8f6726d1ee
@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file.
|
||||
### Bug Fixes
|
||||
- Fix badges for tags containing special characters (#240, #237)
|
||||
- Fix the "Integrations" page for when the user has no active project
|
||||
- Prevent email clients from opening the one-time login links (#255)
|
||||
|
||||
|
||||
## 1.7.0 - 2019-05-02
|
||||
|
@ -119,7 +119,12 @@ def login(request):
|
||||
|
||||
profile = Profile.objects.for_user(magic_form.user)
|
||||
profile.send_instant_login_link(redirect_url=redirect_url)
|
||||
return redirect("hc-login-link-sent")
|
||||
response = redirect("hc-login-link-sent")
|
||||
|
||||
# check_token_submit looks for this cookie to decide if
|
||||
# it needs to do the extra POST step.
|
||||
response.set_cookie("auto-login", "1", max_age=300, httponly=True)
|
||||
return response
|
||||
|
||||
bad_link = request.session.pop("bad_link", None)
|
||||
ctx = {
|
||||
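Review bot: The comment above the `set_cookie` call names `check_token_submit`, but the view that reads the cookie in this commit is `check_token` (the next hunk tests `"auto-login" in request.COOKIES` there); unless a `check_token_submit` view exists outside these hunks, the comment should read `# check_token looks for this cookie to decide if it can sign the user in on GET.` The cookie is a presence-only marker with `httponly=True` and a 300 s lifetime, so it carries no secret, but it is set without a `secure` flag; on an HTTPS deployment consider `response.set_cookie("auto-login", "1", max_age=300, httponly=True, secure=request.is_secure())` (and `samesite="Lax"` if the Django version in use supports it) so the marker is not sent over plain HTTP. `login` begins and ends outside this hunk.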
@ -169,12 +174,13 @@ def check_token(request, username, token):
|
||||
return _redirect_after_login(request)
|
||||
|
||||
# Some email servers open links in emails to check for malicious content.
|
||||
# To work around this, we sign user in if the method is POST.
|
||||
# To work around this, we sign user in if the method is POST
|
||||
# *or* if the browser presents a cookie we had set when sending the login link.
|
||||
#
|
||||
# If the method is GET, we instead serve a HTML form and a piece
|
||||
# of Javascript to automatically submit it.
|
||||
|
||||
if request.method == "POST":
|
||||
if request.method == "POST" or "auto-login" in request.COOKIES:
|
||||
user = authenticate(username=username, token=token)
|
||||
if user is not None and user.is_active:
|
||||
user.profile.token = ""
|
||||
|
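Review bot: The new condition `if request.method == "POST" or "auto-login" in request.COOKIES:` signs the user in on a plain GET whenever the marker cookie is present, but nothing in this hunk clears the marker once it has done its job, so it stays valid for the rest of its lifetime (300 s per the `login` hunk) after the user is already signed in. Where the successful-login response is built (outside this hunk, after `user.profile.token = ""`), consider `response.delete_cookie("auto-login")` so the marker does not linger. The token itself is still cleared at `user.profile.token = ""`, so the one-time property of the link is preserved on both the POST and the cookie path. `check_token` continues past the end of this hunk.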
@ -8,9 +8,6 @@
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<form id="form" method="post">{% csrf_token %}</form>
|
||||
<script>document.getElementById("form").submit();</script>
|
||||
|
||||
<style>
|
||||
body {
|
||||
font-family: Arial;
|
||||
@ -39,19 +36,17 @@
|
||||
}
|
||||
</style>
|
||||
|
||||
<noscript>
|
||||
<p>You are about to log into {% site_name %}.</p>
|
||||
<p>Please press the button below to continue:</p>
|
||||
<br />
|
||||
<form method="post">
|
||||
<p>You are about to log into {% site_name %}.</p>
|
||||
<p>Please press the button below to continue:</p>
|
||||
<br />
|
||||
<form method="post">
|
||||
{% csrf_token %}
|
||||
<input
|
||||
id="submit-btn"
|
||||
type="submit"
|
||||
class="btn btn-lg btn-primary"
|
||||
value="Continue to {% site_name %}">
|
||||
</form>
|
||||
</noscript>
|
||||
</form>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|