Commit
Add single-user authentication. Closes #11.
Adds a single-user password-only authentication mechanism behind which all web client views are protected. The app password, as well as the app's secret key, can be managed from dagobahd.yml. This also includes a site-wide rate limit on bad auth requests of 30 bad requests per minute. This should be invisible to users under normal usage but still prevent any sort of brute force on the app password.
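The mechanism the commit message describes, a single app password guarded by a sliding-window limit on bad attempts, written out as an added example that is not Dagobah's own code. `PasswordGate`, its method names, the per-client and global limits, and the client keys and password used in the demo lines are this example's own assumptions; it depends only on the Python standard library, so it runs without Flask. It differs from the commit in three deliberate ways: the comparison is constant-time, failures are counted per client as well as site-wide so a single remote client cannot lock the real user out, and the counters live behind a lock rather than in a shared config dict.

```python
"""Single-password login check with a sliding-window limit on failures.

Added example, not Dagobah's code.  ``PasswordGate`` and everything below
are this example's own; it depends only on the standard library.
"""

import hashlib
import hmac
import os
import threading
import time
from collections import defaultdict, deque

OK, BAD_PASSWORD, RATE_LIMITED = "ok", "bad_password", "rate_limited"


class PasswordGate(object):
    """Accepts or rejects a submitted password for a single-user app.

    Failed attempts are counted per client key (for example the remote
    address) and globally, each over a sliding window, so one client
    cannot lock the real user out indefinitely while the global cap still
    bounds the total number of guesses per window.
    """

    def __init__(self, password, per_client_limit=5, global_limit=30,
                 window_seconds=60.0, iterations=100000, clock=time.time):
        # Keep only a salted PBKDF2 digest; the plaintext is not retained.
        self._salt = os.urandom(16)
        self._iterations = iterations
        self._digest = self._derive(password)
        self._per_client_limit = per_client_limit
        self._global_limit = global_limit
        self._window = window_seconds
        self._clock = clock                   # injectable so tests can move time
        self._lock = threading.Lock()         # plain module/config globals are not thread safe
        self._failures = defaultdict(deque)   # client key -> failure timestamps
        self._all_failures = deque()          # every failure, from any client

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self._salt, self._iterations)

    def _prune(self, timestamps, now):
        # Timestamps are appended in order, so expired ones sit at the left.
        while timestamps and timestamps[0] <= now - self._window:
            timestamps.popleft()

    def check(self, client_key, candidate):
        """Return OK, BAD_PASSWORD or RATE_LIMITED for one login attempt."""
        now = self._clock()
        # The lock also serialises the PBKDF2 work; acceptable for a
        # single-user daemon, where logins are rare.
        with self._lock:
            mine = self._failures[client_key]
            self._prune(mine, now)
            self._prune(self._all_failures, now)
            if (len(mine) >= self._per_client_limit
                    or len(self._all_failures) >= self._global_limit):
                # Refuse before looking at the password: a throttled caller
                # must not learn whether its guess was right.
                return RATE_LIMITED
            # Fixed-length digests compared in constant time; a plain ==
            # on the strings would return at the first differing byte.
            if hmac.compare_digest(self._derive(candidate), self._digest):
                mine.clear()
                return OK
            mine.append(now)
            self._all_failures.append(now)
            return BAD_PASSWORD


if __name__ == "__main__":
    fake_now = [1000.0]                       # constructed clock, not real time
    gate = PasswordGate("example-app-password", per_client_limit=2,
                        global_limit=3, clock=lambda: fake_now[0])
    for guess in ("wrong", "wrong", "example-app-password"):
        print("10.0.0.1", gate.check("10.0.0.1", guess))   # bad_password, bad_password, rate_limited
    print("10.0.0.2", gate.check("10.0.0.2", "example-app-password"))  # ok
    fake_now[0] += 61                         # the 60 s window has expired
    print("10.0.0.1", gate.check("10.0.0.1", "example-app-password"))  # ok
```

In a Flask view the `client_key` would be `request.remote_addr` (or the address a trusted proxy forwards), and the three return values map onto the redirects the commit already uses. Note that a correct password submitted while the client is throttled is still refused: the limiter runs before the comparison, so a locked-out caller cannot use the outcome to confirm a guess.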
Showing 12 changed files with 151 additions and 3 deletions.
@@ -0,0 +1,50 @@ | ||
""" Authentication classes and views for Dagobahd. """ | ||
|
||
from datetime import datetime, timedelta | ||
|
||
from flask import render_template, request, url_for, redirect | ||
from flask_login import UserMixin, login_user, logout_user, login_required | ||
|
||
from dagobah.daemon.app import app, login_manager | ||
|
||
class User(UserMixin): | ||
def get_id(self): | ||
return 1 | ||
|
||
SingleAuthUser = User() | ||
|
||
|
||
@login_manager.user_loader | ||
def load_user(userid): | ||
return SingleAuthUser | ||
|
||
|
||
@app.route('/login', methods=['GET']) | ||
def login(): | ||
return render_template('login.html', alert=request.args.get('alert')) | ||
|
||
|
||
@app.route('/do-login', methods=['POST']) | ||
def do_login(): | ||
""" Attempt to auth using single login. Rate limited at the site level. """ | ||
|
||
dt_filter = lambda x: x >= datetime.utcnow() - timedelta(seconds=60) | ||
app.config['AUTH_ATTEMPTS'] = filter(dt_filter, app.config['AUTH_ATTEMPTS']) | ||
|
||
if len(app.config['AUTH_ATTEMPTS']) > app.config['AUTH_RATE_LIMIT']: | ||
return redirect(url_for('login', | ||
alert="Rate limit exceeded. Try again in 60 seconds.")) | ||
|
||
if request.form.get('password') == app.config['APP_PASSWORD']: | ||
login_user(SingleAuthUser) | ||
return redirect('/') | ||
|
||
app.config['AUTH_ATTEMPTS'].append(datetime.utcnow()) | ||
return redirect(url_for('login', alert="Incorrect password.")) | ||
|
||
|
||
@app.route('/do-logout', methods=['GET', 'POST']) | ||
@login_required | ||
def do_logout(): | ||
logout_user() | ||
return redirect(url_for('login')) |
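Review bot: `request.form.get('password') == app.config['APP_PASSWORD']` in `do_login` compares the secret with a plain `==`, which returns as soon as one byte differs; use `hmac.compare_digest` on fixed-length values (ideally a salted hash of the submitted password against a stored hash, so the plaintext does not have to sit in config at all) so every guess takes the same time. Two more points in the same function: `app.config['AUTH_ATTEMPTS'] = filter(dt_filter, app.config['AUTH_ATTEMPTS'])` followed by `len(app.config['AUTH_ATTEMPTS'])` only works where `filter` returns a list (Python 2); on Python 3 it returns an iterator and `len()` raises `TypeError`, so a list comprehension is the safer spelling. And because the attempt list is site-wide and lives in `app.config`, it is per-process (each WSGI worker counts separately, and the list is mutated without a lock) and any remote client can keep the real user locked out by posting bad passwords, 31 of them per minute (`> app.config['AUTH_RATE_LIMIT']` lets the limit-plus-one attempt through); keying the window by client address in addition to the global cap would bound that. Minor: `load_user` returns `SingleAuthUser` for any `userid`, so session validity rests entirely on the cookie signature, which is fine for one user but deserves a comment; Flask-Login expects `get_id()` to return a unicode string rather than the integer `1`; and `do_logout` should drop `'GET'` from its methods so a logout cannot be triggered by an image tag on another site.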
@@ -0,0 +1,3 @@ | ||
form { | ||
margin-top: 15px; | ||
} |
@@ -0,0 +1,45 @@ | ||
{% extends 'base.html' %} | ||
|
||
{% block head %} | ||
{{ super() }} | ||
<link rel="stylesheet" type="text/css" href="/static/css/login.css"></link> | ||
{% endblock head %} | ||
|
||
{% block body_scripts %} | ||
<script> | ||
$(document).ready(function() { | ||
$('#password').select(); | ||
}); | ||
</script> | ||
{% endblock body_scripts %} | ||
|
||
{% block content %} | ||
|
||
<div class='row'> | ||
<div class='span6 offset3'> | ||
|
||
{% if alert %} | ||
<div class='alert alert-error'>{{ alert }}</div> | ||
{% endif %} | ||
|
||
<form class='form form-horizontal' action='{{ url_for('do_login') }}' method='post'> | ||
|
||
<div class='control-group'> | ||
<label class='control-label' for='password'>Password</label> | ||
<div class='controls'> | ||
<input type='password' id='password' name='password' placeholder='Password'></input> | ||
</div> | ||
</div> | ||
|
||
<div class='control-group'> | ||
<div class='controls'> | ||
<button id='submit' type='submit' class='btn btn-success'>Authenticate</button> | ||
</div> | ||
</div> | ||
|
||
</form> | ||
|
||
</div> | ||
</div> | ||
|
||
{% endblock content %} |
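Review bot: the text in `<div class='alert alert-error'>{{ alert }}</div>` is taken straight from the `alert` query parameter (`request.args.get('alert')` in the login view), so anyone can craft a `/login?alert=...` link that shows a message of their choosing above the password box; Jinja's autoescaping for `.html` templates stops script injection, but an attacker-chosen sentence on the sign-in page still helps phishing. Prefer `flash()` with `get_flashed_messages()`, or a small set of known codes mapped to fixed strings in the template. The form also posts without any CSRF token; with a single shared password the impact of login CSRF is small, but a hidden token would cost little. Style: `<link>` and `<input>` are void elements, so the `</link>` and `</input>` closing tags should go.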
@@ -11,3 +11,4 @@ six==1.3.0 | |
wsgiref==0.1.2 | ||
zope.interface==4.0.5 | ||
premailer==1.13 | ||
flask-login==0.1.3 |
Whoooops, will push a fix and rebase