chg: [auth] Takes into account MISP baseurl for redirections

2019-10-11 08:37:46 +02:00 · 2019-10-11 08:37:46 +02:00 · 21dedd37ed
parent 4d5ee49357
commit 21dedd37ed
1 changed files with 9 additions and 7 deletions
--- a/server.py
+++ b/server.py
@ -127,12 +127,12 @@ class User(UserMixin):
        post_data["data[_Token][key]"] = token_key.group(1)

        # POST request with user credentials + hidden form values.
-        post_to_login_page = session.post(misp_login_page, data=post_data)
-
+        post_to_login_page = session.post(misp_login_page, data=post_data, allow_redirects=False)
+        # Consider setup with MISP baseurl set
+        redirect_location = post_to_login_page.headers.get('Location', '')
        # Authentication is successful if MISP returns a redirect to '/users/routeafterlogin'.
-        for resp in post_to_login_page.history:
-            if resp.url == auth_host + '/users/routeafterlogin':
-                return True
+        if '/users/routeafterlogin' in redirect_location:
+            return True
        return None


@ -191,8 +191,10 @@ def login():
            login_user(user)
            return redirect(url_for('index'))

-        return redirect(url_for('login'))
-    return render_template('login.html', title='Login', form=form)
+        return redirect(url_for('login', auth_error=True))
+    else:
+        auth_error = request.args.get('auth_error', False)
+        return render_template('login.html', title='Login', form=form, authError=auth_error)