Protect the auth view with a shared secret

This commit is contained in:
Valentin Samir 2015-06-03 18:32:15 +02:00
parent cb84936b6c
commit 603b4a8063
2 changed files with 7 additions and 1 deletions

View File

@ -27,6 +27,8 @@ setting_default('CAS_TICKET_TIMEOUT', 24*3600)
setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True) setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False) setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)
setting_default('CAS_AUTH_SHARED_SECRET', '')
setting_default('CAS_SERVICE_TICKET_PREFIX', 'ST') setting_default('CAS_SERVICE_TICKET_PREFIX', 'ST')
setting_default('CAS_PROXY_TICKET_PREFIX', 'PT') setting_default('CAS_PROXY_TICKET_PREFIX', 'PT')
setting_default('CAS_PROXY_GRANTING_TICKET_PREFIX', 'PGT') setting_default('CAS_PROXY_GRANTING_TICKET_PREFIX', 'PGT')

View File

@ -294,9 +294,13 @@ class Auth(View):
username = request.POST.get('username') username = request.POST.get('username')
password = request.POST.get('password') password = request.POST.get('password')
service = request.POST.get('service') service = request.POST.get('service')
secret = request.POST.get('secret')
if not settings.CAS_AUTH_SHARED_SECRET:
return HttpResponse("no\nplease set CAS_AUTH_SHARED_SECRET", content_type="text/plain")
if secret != settings.CAS_AUTH_SHARED_SECRET:
return HttpResponse("no\n", content_type="text/plain")
if not username or not password or not service: if not username or not password or not service:
print "not username or service or password"
return HttpResponse("no\n", content_type="text/plain") return HttpResponse("no\n", content_type="text/plain")
form = forms.UserCredential( form = forms.UserCredential(
request.POST, request.POST,