changeset 484:2ac37419f593

Implemented wamos/issue114 (Improve code consistency: For login use json body, disallow GET).
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Fri, 24 Aug 2018 11:36:11 +0200
parents 27502291e564
children 7a8644e9e50e
files client/package.json client/src/stores/user.js client/yarn.lock pkg/controllers/routes.go pkg/controllers/token.go pkg/models/types.go
diffstat 6 files changed, 24 insertions(+), 23 deletions(-) [+]
--- a/client/package.json	Fri Aug 24 10:50:58 2018 +0200
+++ b/client/package.json	Fri Aug 24 11:36:11 2018 +0200
@@ -18,7 +18,6 @@
     "font-awesome": "^4.7.0",
     "locale2": "^2.2.0",
     "ol": "^5.0.0",
-    "qs": "^6.5.2",
     "vue": "^2.5.16",
     "vue-router": "^3.0.1",
     "vuex": "^3.0.1"
--- a/client/src/stores/user.js	Fri Aug 24 10:50:58 2018 +0200
+++ b/client/src/stores/user.js	Fri Aug 24 11:36:11 2018 +0200
@@ -1,5 +1,4 @@
 import { HTTP } from "../lib/http";
-import qs from "qs";
 
 const User = {
   namespaced: true,
@@ -66,7 +65,7 @@
       // using POST is a bit more secure than GET
       return new Promise((resolve, reject) => {
         // axios will add the application/x-www-form-urlencoded header this way
-        HTTP.post("/login", qs.stringify(user))
+        HTTP.post("/login", user)
           .then(response => {
             commit("auth_success", response.data);
             resolve(response);
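Review bot: The comment two lines above the changed call is now stale: with `qs.stringify` gone, `HTTP.post("/login", user)` hands axios a plain object, which axios serializes as JSON and sends with `Content-Type: application/json`, not `application/x-www-form-urlencoded`. Rewrite it as `// axios serializes a plain object as JSON; the server's login handler decodes a JSON body` so it matches what the Go side now expects. The surrounding action starts before this hunk.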
--- a/client/yarn.lock	Fri Aug 24 10:50:58 2018 +0200
+++ b/client/yarn.lock	Fri Aug 24 11:36:11 2018 +0200
@@ -7261,7 +7261,7 @@
   version "6.5.1"
   resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.1.tgz#349cdf6eef89ec45c12d7d5eb3fc0c870343a6d8"
 
-qs@^6.5.2, qs@~6.5.1, qs@~6.5.2:
+qs@~6.5.1, qs@~6.5.2:
   version "6.5.2"
   resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.2.tgz#cb3ae806e8740444584ef154ce8ee98d403f3e36"
 
--- a/pkg/controllers/routes.go	Fri Aug 24 10:50:58 2018 +0200
+++ b/pkg/controllers/routes.go	Fri Aug 24 11:36:11 2018 +0200
@@ -96,7 +96,7 @@
 
 	// Token handling: Login/Logout.
 	api.HandleFunc("/login", login).
-		Methods(http.MethodGet, http.MethodPost)
+		Methods(http.MethodPost)
 	api.Handle("/logout", auth.SessionMiddleware(http.HandlerFunc(logout))).
 		Methods(http.MethodGet, http.MethodPost)
 	api.Handle("/renew", auth.SessionMiddleware(http.HandlerFunc(renew))).
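Review bot: The context lines for `/logout` and `/renew` still list `http.MethodGet`, so the reasoning behind dropping GET for `/login` seems to apply to them as well, since both appear to change session state. If the client already calls them with POST, `Methods(http.MethodPost)` on those two routes would make the token routes consistent; if GET is still needed by some caller, a short comment beside the route saying why would save the next reader from re-asking.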
--- a/pkg/controllers/token.go	Fri Aug 24 10:50:58 2018 +0200
+++ b/pkg/controllers/token.go	Fri Aug 24 11:36:11 2018 +0200
@@ -47,9 +47,8 @@
 }
 
 func logout(rw http.ResponseWriter, req *http.Request) {
-	token, _ := auth.GetToken(req)
-	deleted := auth.ConnPool.Delete(token)
-	if !deleted {
+	token, ok := auth.GetToken(req)
+	if !ok || !auth.ConnPool.Delete(token) {
 		http.NotFound(rw, req)
 		return
 	}
@@ -59,19 +58,27 @@
 
 func login(rw http.ResponseWriter, req *http.Request) {
 
-	var (
-		user     = req.FormValue("user")
-		password = req.FormValue("password")
-	)
+	var input struct {
+		User     models.UserName `json:"user"`
+		Password string          `json:"password"`
+	}
+	defer req.Body.Close()
+	if err := json.NewDecoder(req.Body).Decode(&input); err != nil {
+		log.Printf("%v\n", err)
+		http.Error(rw, "error: "+err.Error(), http.StatusBadRequest)
+		return
+	}
 
-	if !models.UserName(user).IsValid() || password == "" {
+	if input.Password == "" {
 		http.Error(rw, "Invalid credentials", http.StatusBadRequest)
 		return
 	}
 
-	token, session, err := auth.GenerateSession(user, password)
+	token, session, err := auth.GenerateSession(
+		string(input.User),
+		input.Password)
 	if err != nil {
-		http.Error(rw, fmt.Sprintf("error: %v", err), http.StatusUnauthorized)
+		http.Error(rw, "error: "+err.Error(), http.StatusUnauthorized)
 		return
 	}
 
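Review bot: The check at the `if input.Password == ""` line dropped the old `!models.UserName(user).IsValid()` guard and instead relies on `UserName.UnmarshalJSON` rejecting bad values, but encoding/json never invokes that method when the `user` key is absent from the object, so `input.User` stays `""` and is passed to `auth.GenerateSession` unvalidated. Keep the guard explicit: `if !input.User.IsValid() || input.Password == "" {`. The decoder also reads an unbounded request body; wrapping it as `json.NewDecoder(http.MaxBytesReader(rw, req.Body, maxLoginBody))` with a small project-chosen constant (a few KiB is ample for two fields) bounds what an unauthenticated caller can make this handler buffer. The trailing `\n` in `log.Printf("%v\n", err)` is redundant, as `log` already terminates each line. login's body continues past the end of the hunk.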
--- a/pkg/models/types.go	Fri Aug 24 10:50:58 2018 +0200
+++ b/pkg/models/types.go	Fri Aug 24 11:36:11 2018 +0200
@@ -88,15 +88,11 @@
 	if err := json.Unmarshal(data, &s); err != nil {
 		return err
 	}
-	if !emailRe.MatchString(s) {
-		return errNoEmailAddress
+	if user := UserName(s); user.IsValid() {
+		*u = user
+		return nil
 	}
-	user := UserName(s)
-	if !user.IsValid() {
-		return errNoValidUser
-	}
-	*u = user
-	return nil
+	return errNoValidUser
 }
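Review bot: With the `emailRe.MatchString` branch removed, `emailRe` and `errNoEmailAddress` are no longer referenced in this hunk; Go does not reject unused package-level identifiers, so if nothing else in the package uses them they remain as dead code (staticcheck would flag them) and should go in the same change. The new code also accepts anything for which `IsValid` holds; if `IsValid` does not itself require an email-shaped value, this loosens what `UnmarshalJSON` accepts compared to the old regex check, which deserves a doc comment on the method such as `// UnmarshalJSON accepts exactly the strings for which UserName.IsValid holds.` The method's signature lies outside the hunk.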
 
 func (u *UserName) Scan(src interface{}) (err error) {