Fix: Use timed signers to avoid leaving permanent links (#1524)
Co-authored-by: Adrià Casajús <adria.casajus@proton.ch>
This commit is contained in:
parent
92de307c75
commit
0ab53ad49a
|
@ -2,7 +2,7 @@ import arrow
|
|||
from flask import render_template, request, redirect, url_for, flash
|
||||
from flask_login import login_required, current_user
|
||||
from flask_wtf import FlaskForm
|
||||
from itsdangerous import Signer
|
||||
from itsdangerous import TimestampSigner
|
||||
from wtforms import validators
|
||||
from wtforms.fields.html5 import EmailField
|
||||
|
||||
|
@ -165,7 +165,7 @@ SimpleLogin team.
|
|||
|
||||
|
||||
def send_verification_email(user, mailbox):
|
||||
s = Signer(MAILBOX_SECRET)
|
||||
s = TimestampSigner(MAILBOX_SECRET)
|
||||
mailbox_id_signed = s.sign(str(mailbox.id)).decode()
|
||||
verification_url = (
|
||||
URL + "/dashboard/mailbox_verify" + f"?mailbox_id={mailbox_id_signed}"
|
||||
|
@ -190,11 +190,11 @@ def send_verification_email(user, mailbox):
|
|||
|
||||
@dashboard_bp.route("/mailbox_verify")
|
||||
def mailbox_verify():
|
||||
s = Signer(MAILBOX_SECRET)
|
||||
s = TimestampSigner(MAILBOX_SECRET)
|
||||
mailbox_id = request.args.get("mailbox_id")
|
||||
|
||||
try:
|
||||
r_id = int(s.unsign(mailbox_id))
|
||||
r_id = int(s.unsign(mailbox_id, max_age=900))
|
||||
except Exception:
|
||||
flash("Invalid link. Please delete and re-add your mailbox", "error")
|
||||
return redirect(url_for("dashboard.mailbox_route"))
|
||||
|
|
|
@ -4,7 +4,7 @@ from email_validator import validate_email, EmailNotValidError
|
|||
from flask import render_template, request, redirect, url_for, flash
|
||||
from flask_login import login_required, current_user
|
||||
from flask_wtf import FlaskForm
|
||||
from itsdangerous import Signer
|
||||
from itsdangerous import TimestampSigner
|
||||
from wtforms import validators
|
||||
from wtforms.fields.html5 import EmailField
|
||||
|
||||
|
@ -210,7 +210,7 @@ def mailbox_detail_route(mailbox_id):
|
|||
|
||||
|
||||
def verify_mailbox_change(user, mailbox, new_email):
|
||||
s = Signer(MAILBOX_SECRET)
|
||||
s = TimestampSigner(MAILBOX_SECRET)
|
||||
mailbox_id_signed = s.sign(str(mailbox.id)).decode()
|
||||
verification_url = (
|
||||
f"{URL}/dashboard/mailbox/confirm_change?mailbox_id={mailbox_id_signed}"
|
||||
|
@ -262,11 +262,11 @@ def cancel_mailbox_change_route(mailbox_id):
|
|||
|
||||
@dashboard_bp.route("/mailbox/confirm_change")
|
||||
def mailbox_confirm_change_route():
|
||||
s = Signer(MAILBOX_SECRET)
|
||||
s = TimestampSigner(MAILBOX_SECRET)
|
||||
signed_mailbox_id = request.args.get("mailbox_id")
|
||||
|
||||
try:
|
||||
mailbox_id = int(s.unsign(signed_mailbox_id))
|
||||
mailbox_id = int(s.unsign(signed_mailbox_id, max_age=900))
|
||||
except Exception:
|
||||
flash("Invalid link", "error")
|
||||
return redirect(url_for("dashboard.index"))
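Review bot: `max_age=900` is a bare literal here and in `mailbox_verify`, while the four templates in this commit spell the same window out as "15 minutes", so the code and the user-facing text can drift silently if the window is ever tuned. Hoist it into one named constant, e.g. `MAILBOX_LINK_MAX_AGE_SECONDS = 900`, use it in both `unsign` calls, and pass the derived minutes into the templates instead of hardcoding the number there. Catching `SignatureExpired` ahead of the generic handler would also let an expired link get a distinct flash such as "This link has expired, please request a new one" rather than the same "Invalid link" shown for a tampered one. `mailbox_confirm_change_route` continues past the end of the hunk.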
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
{{ render_text("You recently requested to change mailbox <b>"+ mailbox_email +"</b> to <b>" + mailbox_new_email + "</b>.") }}
|
||||
{{ render_text("To confirm, please click on the button below.") }}
|
||||
{{ render_button("Confirm mailbox change", link) }}
|
||||
{{ render_text("This email will only be valid for the next 15 minutes.") }}
|
||||
{{ render_text('Thanks,
|
||||
<br />
|
||||
SimpleLogin Team.') }}
|
||||
|
|
|
@ -8,4 +8,6 @@ You recently requested to change mailbox {{mailbox_email}} to {{mailbox_new_emai
|
|||
To confirm, please click on this link:
|
||||
|
||||
{{link}}
|
||||
|
||||
This link will only be valid during the next 15 minutes.
|
||||
{% endblock %}
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
{{ render_text("You have added <b>"+ mailbox_email +"</b> as an additional mailbox.") }}
|
||||
{{ render_text("To confirm, please click on the button below.") }}
|
||||
{{ render_button("Confirm mailbox", link) }}
|
||||
{{ render_text("This email will only be valid for the next 15 minutes.") }}
|
||||
{{ render_text('Thanks,
|
||||
<br />
|
||||
SimpleLogin Team.') }}
|
||||
|
|
|
@ -8,4 +8,6 @@ You have added {{mailbox_email}} as an additional mailbox.
|
|||
To confirm, please click on this link:
|
||||
|
||||
{{link}}
|
||||
|
||||
This link will only be valid during the next 15 minutes.
|
||||
{% endblock %}
|
||||
|
|