From 603b4a8063c9086d83152a511d09f71cc64ae3ff Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Wed, 3 Jun 2015 18:32:15 +0200
Subject: [PATCH] Protect the auth view with a shared secret

---
 cas_server/default_settings.py | 2 ++
 cas_server/views.py            | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/cas_server/default_settings.py b/cas_server/default_settings.py
index a476214..4add92d 100644
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@@ -27,6 +27,8 @@ setting_default('CAS_TICKET_TIMEOUT', 24*3600)
 setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
 setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)
 
+setting_default('CAS_AUTH_SHARED_SECRET', '')
+
 setting_default('CAS_SERVICE_TICKET_PREFIX', 'ST')
 setting_default('CAS_PROXY_TICKET_PREFIX', 'PT')
 setting_default('CAS_PROXY_GRANTING_TICKET_PREFIX', 'PGT')
diff --git a/cas_server/views.py b/cas_server/views.py
index b154e11..7819992 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -294,9 +294,13 @@ class Auth(View):
         username = request.POST.get('username')
         password = request.POST.get('password')
         service = request.POST.get('service')
+        secret = request.POST.get('secret')
 
+        if not settings.CAS_AUTH_SHARED_SECRET:
+            return HttpResponse("no\nplease set CAS_AUTH_SHARED_SECRET", content_type="text/plain")
+        if secret != settings.CAS_AUTH_SHARED_SECRET:
+            return HttpResponse("no\n", content_type="text/plain")
         if not username or not password or not service:
-            print "not username or service or password"
             return HttpResponse("no\n", content_type="text/plain")
         form = forms.UserCredential(
             request.POST,