From ed7e5d03bf6488b1b5e946fdcb59e618a4726390 Mon Sep 17 00:00:00 2001
From: VVX7 <info@vvx7.io>
Date: Fri, 20 Dec 2019 15:16:17 -0500
Subject: [PATCH] chg: [auth] only send debug token when MISP is running in
 debug mode.

---
 server.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/server.py b/server.py
index fdb122d..f4ba7c3 100755
--- a/server.py
+++ b/server.py
@@ -113,7 +113,6 @@ class User(UserMixin):
             "data[_Token][key]": "",
             "data[_Token][fields]": "",
             "data[_Token][unlocked]": "",
-            # "data[_Token][debug]": "",
             "data[User][email]": self.id,
             "data[User][password]": self.password,
         }
@@ -140,7 +139,11 @@ class User(UserMixin):
 
         post_data["data[_Token][fields]"] = token_fields.group(1)
         post_data["data[_Token][key]"] = token_key.group(1)
-        # post_data["data[_Token][debug]"] = token_debug.group(1)
+
+        # debug_token should return None when MISP debug is off.
+        # Only send debug_token when MISP is running in debug mode.
+        if token_debug is not None:
+            post_data["data[_Token][debug]"] = token_debug.group(1)
 
         # POST request with user credentials + hidden form values.
         post_to_login_page = session.post(misp_login_page, data=post_data, allow_redirects=False)