
Prevent email clients from opening the one-time login links. Fixes #255

pull/230/head
Pēteris Caune 6 years ago
parent
commit
8f6726d1ee
No known key found for this signature in database GPG Key ID: E28D7679E9A9EDE2
3 changed files with 21 additions and 19 deletions
  1. +1
    -0
      CHANGELOG.md
  2. +9
    -3
      hc/accounts/views.py
  3. +11
    -16
      templates/accounts/check_token_submit.html

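--- a/CHANGELOG.md
+++ b/CHANGELOG.md
 ### Bug Fixes
 - Fix badges for tags containing special characters (#240, #237)
 - Fix the "Integrations" page for when the user has no active project
+- Prevent email clients from opening the one-time login links (#255)
 ## 1.7.0 - 2019-05-02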


+ 9
- 3
hc/accounts/views.py View File

@ -119,7 +119,12 @@ def login(request):
profile = Profile.objects.for_user(magic_form.user) profile = Profile.objects.for_user(magic_form.user)
profile.send_instant_login_link(redirect_url=redirect_url) profile.send_instant_login_link(redirect_url=redirect_url)
return redirect("hc-login-link-sent")
response = redirect("hc-login-link-sent")
# check_token_submit looks for this cookie to decide if
# it needs to do the extra POST step.
response.set_cookie("auto-login", "1", max_age=300, httponly=True)
return response
bad_link = request.session.pop("bad_link", None) bad_link = request.session.pop("bad_link", None)
ctx = { ctx = {
@ -169,12 +174,13 @@ def check_token(request, username, token):
return _redirect_after_login(request) return _redirect_after_login(request)
# Some email servers open links in emails to check for malicious content. # Some email servers open links in emails to check for malicious content.
# To work around this, we sign user in if the method is POST.
# To work around this, we sign user in if the method is POST
# *or* if the browser presents a cookie we had set when sending the login link.
# #
# If the method is GET, we instead serve a HTML form and a piece # If the method is GET, we instead serve a HTML form and a piece
# of Javascript to automatically submit it. # of Javascript to automatically submit it.
if request.method == "POST":
if request.method == "POST" or "auto-login" in request.COOKIES:
user = authenticate(username=username, token=token) user = authenticate(username=username, token=token)
if user is not None and user.is_active: if user is not None and user.is_active:
user.profile.token = "" user.profile.token = ""
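Review bot: The `auto-login` cookie set in the first hunk at `response.set_cookie("auto-login", "1", max_age=300, httponly=True)` turns a plain GET of the token link into an immediate sign-in for the next five minutes, so it should be scoped to same-site requests and removed once it has done its job. If the Django version in use accepts the argument, `response.set_cookie("auto-login", "1", max_age=300, httponly=True, secure=request.is_secure(), samesite="Strict")` keeps the browser from attaching it to cross-site navigations, and the successful-login branch of check_token, whose body continues outside the hunk, should call `response.delete_cookie("auto-login")` on the redirect it returns so the widened `if` stops matching after the first use. The comment directly above the widened `if` still says the GET path serves "a piece of Javascript to automatically submit" the form, but templates/accounts/check_token_submit.html in this same commit removes that script, so the comment should now say the user has to submit the form by pressing the button. Both enclosing functions, login and check_token, start outside their hunks.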


+ 11
- 16
templates/accounts/check_token_submit.html View File

@ -8,9 +8,6 @@
</head> </head>
<body> <body>
<form id="form" method="post">{% csrf_token %}</form>
<script>document.getElementById("form").submit();</script>
<style> <style>
body { body {
font-family: Arial; font-family: Arial;
@ -39,19 +36,17 @@
} }
</style> </style>
<noscript>
<p>You are about to log into {% site_name %}.</p>
<p>Please press the button below to continue:</p>
<br />
<form method="post">
{% csrf_token %}
<input
id="submit-btn"
type="submit"
class="btn btn-lg btn-primary"
value="Continue to {% site_name %}">
</form>
</noscript>
<p>You are about to log into {% site_name %}.</p>
<p>Please press the button below to continue:</p>
<br />
<form method="post">
{% csrf_token %}
<input
id="submit-btn"
type="submit"
class="btn btn-lg btn-primary"
value="Continue to {% site_name %}">
</form>
</body> </body>
</html> </html>
