add alias suffix anti-tampering to oauth authorize
This commit is contained in:
parent
9874422700
commit
abeb246b2c
@ -108,7 +108,7 @@
|
|||||||
style="padding-left: 5px">
|
style="padding-left: 5px">
|
||||||
<select class="form-control" name="suffix">
|
<select class="form-control" name="suffix">
|
||||||
{% for suffix in suffixes %}
|
{% for suffix in suffixes %}
|
||||||
<option value="{{ suffix[1] }}">
|
<option value="{{ suffix[2] }}">
|
||||||
{% if suffix[0] %}
|
{% if suffix[0] %}
|
||||||
{{ suffix[1] }} (your domain)
|
{{ suffix[1] }} (your domain)
|
||||||
{% else %}
|
{% else %}
|
||||||
|
@ -3,10 +3,12 @@ from urllib.parse import urlparse
|
|||||||
|
|
||||||
from flask import request, render_template, redirect, flash
|
from flask import request, render_template, redirect, flash
|
||||||
from flask_login import current_user
|
from flask_login import current_user
|
||||||
|
from itsdangerous import SignatureExpired
|
||||||
|
|
||||||
from app.config import EMAIL_DOMAIN, ALIAS_DOMAINS, DISABLE_ALIAS_SUFFIX
|
from app.config import EMAIL_DOMAIN, ALIAS_DOMAINS, DISABLE_ALIAS_SUFFIX
|
||||||
from app.email_utils import get_email_domain_part
|
from app.email_utils import get_email_domain_part
|
||||||
from app.extensions import db
|
from app.extensions import db
|
||||||
|
from app.dashboard.views.custom_alias import available_suffixes, signer
|
||||||
from app.jose_utils import make_id_token
|
from app.jose_utils import make_id_token
|
||||||
from app.log import LOG
|
from app.log import LOG
|
||||||
from app.models import (
|
from app.models import (
|
||||||
@ -109,23 +111,8 @@ def authorize():
|
|||||||
user_custom_domains = [
|
user_custom_domains = [
|
||||||
cd.domain for cd in current_user.verified_custom_domains()
|
cd.domain for cd in current_user.verified_custom_domains()
|
||||||
]
|
]
|
||||||
# List of (is_custom_domain, alias-suffix)
|
# List of (is_custom_domain, alias-suffix, time-signed alias-suffix)
|
||||||
suffixes = []
|
suffixes = available_suffixes(current_user)
|
||||||
|
|
||||||
# put custom domain first
|
|
||||||
for alias_domain in user_custom_domains:
|
|
||||||
suffixes.append((True, "@" + alias_domain))
|
|
||||||
|
|
||||||
# then default domain
|
|
||||||
for domain in ALIAS_DOMAINS:
|
|
||||||
suffixes.append(
|
|
||||||
(
|
|
||||||
False,
|
|
||||||
("" if DISABLE_ALIAS_SUFFIX else "." + random_word())
|
|
||||||
+ "@"
|
|
||||||
+ domain,
|
|
||||||
)
|
|
||||||
)
|
|
||||||
|
|
||||||
return render_template(
|
return render_template(
|
||||||
"oauth/authorize.html",
|
"oauth/authorize.html",
|
||||||
@ -155,7 +142,7 @@ def authorize():
|
|||||||
LOG.d("user %s has already allowed client %s", current_user, client)
|
LOG.d("user %s has already allowed client %s", current_user, client)
|
||||||
else:
|
else:
|
||||||
alias_prefix = request.form.get("prefix")
|
alias_prefix = request.form.get("prefix")
|
||||||
alias_suffix = request.form.get("suffix")
|
signed_suffix = request.form.get("suffix")
|
||||||
|
|
||||||
alias = None
|
alias = None
|
||||||
|
|
||||||
@ -165,6 +152,18 @@ def authorize():
|
|||||||
if not current_user.can_create_new_alias():
|
if not current_user.can_create_new_alias():
|
||||||
raise Exception(f"User {current_user} cannot create custom email")
|
raise Exception(f"User {current_user} cannot create custom email")
|
||||||
|
|
||||||
|
# hypothesis: user will click on the button in the 300 secs
|
||||||
|
try:
|
||||||
|
alias_suffix = signer.unsign(signed_suffix, max_age=300).decode()
|
||||||
|
except SignatureExpired:
|
||||||
|
LOG.error("Alias creation time expired")
|
||||||
|
flash("Alias creation time is expired, please retry", "warning")
|
||||||
|
return redirect(request.url)
|
||||||
|
except Exception:
|
||||||
|
LOG.error("Alias suffix is tampered, user %s", current_user)
|
||||||
|
flash("Unknown error, refresh the page", "error")
|
||||||
|
return redirect(request.url)
|
||||||
|
|
||||||
user_custom_domains = [
|
user_custom_domains = [
|
||||||
cd.domain for cd in current_user.verified_custom_domains()
|
cd.domain for cd in current_user.verified_custom_domains()
|
||||||
]
|
]
|
||||||
|
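Review bot: The `signer.unsign(signed_suffix, max_age=300)` check proves the suffix was produced by this app's signer and is fresh, but nothing in the new block ties it to `current_user`, so a validly signed suffix issued to a different account (e.g. one carrying another user's verified custom domain) would be accepted here unless `signer` is salted per user, which is not visible in this hunk; either include the user id in the signed payload where `available_suffixes` builds it, or re-check the unsigned `alias_suffix` against the current user's domains before creating the alias. The `except Exception:` that follows the `SignatureExpired` handler also swallows unrelated failures (including `signed_suffix` being `None` when the form field is missing) under the "tampered" log line; narrow it to itsdangerous' `except BadSignature:` (placed after `SignatureExpired`, which subclasses it) and reject an absent field explicitly, e.g. `if not signed_suffix: flash("Unknown error, refresh the page", "error"); return redirect(request.url)`. Consider a `# NOTE: signature proves origin + freshness only; ownership of the suffix is still checked below` comment once that check exists. The enclosing `authorize()` starts and ends outside this hunk.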