Make the login page guess where to redirect

main
Florent Daigniere 2 years ago
parent 1b045b4a94
commit dd912169fb

@ -8,15 +8,21 @@ import flask
import flask_login
import secrets
import ipaddress
from urllib.parse import urlparse, urljoin
from werkzeug.urls import url_unquote
@sso.route('/login', methods=['GET', 'POST'])
def login():
client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
form = forms.LoginForm()
form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin'
form.submitWebmail.label.text = form.submitWebmail.label.text + ' Webmail'
fields = []
if flask.request.args.get('url'):
fields.append(form.submitAdmin)
else:
form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin'
form.submitWebmail.label.text = form.submitWebmail.label.text + ' Webmail'
if str(app.config["WEBMAIL"]).upper() != "NONE":
fields.append(form.submitWebmail)
if str(app.config["ADMIN"]).upper() != "FALSE":
@ -28,6 +34,11 @@ def login():
destination = app.config['WEB_ADMIN']
elif form.submitWebmail.data:
destination = app.config['WEB_WEBMAIL']
if url := flask.request.args.get('url'):
url = url_unquote(url)
target = urlparse(urljoin(flask.request.url, url))
if target.netloc == urlparse(flask.request.url).netloc:
destination = target.geturl()
device_cookie, device_cookie_username = utils.limiter.parse_device_cookie(flask.request.cookies.get('rate_limit'))
username = form.email.data
if username != device_cookie_username and utils.limiter.should_rate_limit_ip(client_ip):
@ -57,7 +68,7 @@ def login():
def logout():
flask_login.logout_user()
flask.session.destroy()
response = flask.redirect(app.config('PROXY_AUTH_LOGOUT_URL') or flask.url_for('.login'))
response = flask.redirect(app.config['PROXY_AUTH_LOGOUT_URL'] or flask.url_for('.login'))
for cookie in ['roundcube_sessauth', 'roundcube_sessid', 'smsession']:
response.set_cookie(cookie, 'empty', expires=0)
return response

@ -33,6 +33,7 @@ from flask.sessions import SessionMixin, SessionInterface
from itsdangerous.encoding import want_bytes
from werkzeug.datastructures import CallbackDict
from werkzeug.middleware.proxy_fix import ProxyFix
from werkzeug.urls import url_quote
# Login configuration
login = flask_login.LoginManager()
@ -42,7 +43,7 @@ login.login_view = "sso.login"
def handle_needs_login():
""" redirect unauthorized requests to login page """
return flask.redirect(
flask.url_for('sso.login')
flask.url_for('sso.login')+f'?url={url_quote(flask.request.url)}'
)
# DNS stub configured to do DNSSEC enabled queries

@ -216,7 +216,7 @@ http {
}
location @webmail_login {
return 302 /sso/login;
return 302 /sso/login?url=$request_uri;
}
{% endif %}
{% if ADMIN %}

@ -1,2 +1,2 @@
Make the login page "guess" where the user wants to land using the Referer header
Make the login page "guess" where the user wants to land
Introduce AUTH_PROXY_LOGOUT_URL to redirect users to a specific URL after they have been logged-out

Loading…
Cancel
Save