author | Gina Häußge <gina@octoprint.org> | 2022-09-22 19:52:06 +0300 |
---|---|---|
committer | Gina Häußge <gina@octoprint.org> | 2022-09-22 19:52:06 +0300 |
commit | 147d982c875ff581eb3e9823d0e745e2b2dce4e6 (patch) | |
tree | def3f69e88d09b76b7a9b1e59818f7228dfd07fd | |
parent | b87b965fc533120a9bf03825760f3b709309c0ea (diff) |
🐛 Fix invalid API key and guest behaviour vs CSRF
Closes second issue discovered in #4648
-rw-r--r-- | src/octoprint/server/util/__init__.py | 6 | ||||
-rw-r--r-- | src/octoprint/server/util/csrf.py | 5 |
2 files changed, 6 insertions, 5 deletions
diff --git a/src/octoprint/server/util/__init__.py b/src/octoprint/server/util/__init__.py
index 79bf9e05e..5a477b0ab 100644
--- a/src/octoprint/server/util/__init__.py
+++ b/src/octoprint/server/util/__init__.py
@@ -43,7 +43,7 @@ def loginFromApiKeyRequestHandler():
 if loginUserFromApiKey():
 _flask.g.login_via_apikey = True
 except InvalidApiKeyException:
- _flask.abort(403)
+ _flask.abort(403, "Invalid API key")
 
 
 def loginFromAuthorizationHeaderRequestHandler():
@@ -54,7 +54,7 @@ def loginFromAuthorizationHeaderRequestHandler():
 if loginUserFromAuthorizationHeader():
 _flask.g.login_via_header = True
 except InvalidApiKeyException:
- _flask.abort(403)
+ _flask.abort(403, "Invalid credentials in Basic Authorization header")
 
 
 class InvalidApiKeyException(Exception):
@@ -69,7 +69,7 @@ def loginUserFromApiKey():
 user = get_user_for_apikey(apikey)
 if user is None:
 # invalid API key = no API key
- return False
+ raise InvalidApiKeyException("Invalid API key")
 
 return loginUser(user, login_mechanism="apikey")
 
diff --git a/src/octoprint/server/util/csrf.py b/src/octoprint/server/util/csrf.py
index 74821440a..aaa7b133b 100644
--- a/src/octoprint/server/util/csrf.py
+++ b/src/octoprint/server/util/csrf.py
@@ -77,8 +77,9 @@ def validate_csrf_request(request):
 # Irrelevant method for CSRF, bypass
 return
 
- if getattr(flask.g, "login_via_apikey", False):
- # API key authorization, bypass
+ session = getattr(flask, "session", {})
+ if len(session) == 0 or session.get("login_mechanism") == "apikey":
+ # empty session, not a browser context
 return
 
 if is_exempt(request.endpoint):
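Review bot: The retained comment `# invalid API key = no API key` in loginUserFromApiKey now contradicts the line directly beneath it, which raises instead of returning False; the old wording described the fall-through-as-guest behaviour this commit removes. Suggest `# unknown API key: reject the request instead of continuing unauthenticated`. Any other caller that tested the boolean result of loginUserFromApiKey() will now see InvalidApiKeyException instead of False; only the two request handlers in this file are visible here, so remaining call sites, if any, should be checked for a matching except clause. loginUserFromApiKey's body starts outside the hunk.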
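Review bot: The new bypass in validate_csrf_request fails open: `getattr(flask, "session", {})` substitutes an empty dict whenever the attribute is missing, and an empty session is exactly the condition that skips the check, so any situation in which the session proxy is unavailable silently disables CSRF validation rather than rejecting. `flask.session` is a module-level attribute, so that fallback is not expected to fire in practice, which makes the getattr misleading rather than protective; `session = flask.session` states the intent without the fail-open default. `len(session) == 0` proves "not a browser context" only if nothing later in the request can turn other cookies into an authenticated user (for example a lazily resolved remember-me cookie); that ordering is not visible here and should be confirmed before relying on it. The `session.get("login_mechanism") == "apikey"` branch assumes loginUser() records login_mechanism in the session, which the `loginUser(user, login_mechanism="apikey")` call in the __init__.py hunk suggests but does not show, and the comment should cover both cases, e.g. `# no session or API-key login: not a cookie-authenticated browser context`. validate_csrf_request continues outside the hunk.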