commit 636f16dc666ce100cbe55cb7b9fc745878f8f0da
parent 9e5b049dca6438cf289619c325406d420ef97c78
Author: BlackDex <black.dex@gmail.com>
Date: Thu, 25 May 2023 23:12:24 +0200
Prevent 401 on main admin page
When you are not loggedin, and have no cookie etc.. we always returned a 401.
This was mainly to allow the login page on all the sub pages, and after
login being redirected to the requested page, for these pages a 401 is a
valid response, since, you do not have access.
But for the main `/admin` page, it should just respond with a `200` and
show the login page.
This PR fixes this flow and response. It should prevent people using
Fail2ban, or other tools being triggered by only accessing the login page.
Resolves #3540
Diffstat:
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/api/admin.rs b/src/api/admin.rs
@@ -36,6 +36,7 @@ pub fn routes() -> Vec<Route> {
get_user_by_mail_json,
post_admin_login,
admin_page,
+ admin_page_login,
invite_user,
logout,
delete_user,
@@ -256,6 +257,11 @@ fn admin_page(_token: AdminToken) -> ApiResult<Html<String>> {
render_admin_page()
}
+#[get("/", rank = 2)]
+fn admin_page_login() -> ApiResult<Html<String>> {
+ render_admin_login(None, None)
+}
+
#[derive(Deserialize, Debug)]
#[allow(non_snake_case)]
struct InviteData {
@@ -761,7 +767,17 @@ impl<'r> FromRequest<'r> for AdminToken {
let access_token = match cookies.get(COOKIE_NAME) {
Some(cookie) => cookie.value(),
- None => return Outcome::Failure((Status::Unauthorized, "Unauthorized")),
+ None => {
+ let requested_page =
+ request.segments::<std::path::PathBuf>(0..).unwrap_or_default().display().to_string();
+ // When the requested page is empty, it is `/admin`, in that case, Forward, so it will render the login page
+ // Else, return a 401 failure, which will be caught
+ if requested_page.is_empty() {
+ return Outcome::Forward(Status::Unauthorized);
+ } else {
+ return Outcome::Failure((Status::Unauthorized, "Unauthorized"));
+ }
+ }
};
if decode_admin(access_token).is_err() {
