Protect the auth view with a shared secret

603b4a80 · Valentin Samir · cb84936b · 603b4a80 · 603b4a80
Commit 603b4a80 authored Jun 03, 2015 by Valentin Samir
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

cas_server/default_settings.py cas_server/default_settings.py +2 -0

cas_server/views.py cas_server/views.py +5 -1

No files found.
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@@ -27,6 +27,8 @@ setting_default('CAS_TICKET_TIMEOUT', 24*3600)
 setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
 setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)

+setting_default('CAS_AUTH_SHARED_SECRET', '')
+
 setting_default('CAS_SERVICE_TICKET_PREFIX', 'ST')
 setting_default('CAS_PROXY_TICKET_PREFIX', 'PT')
 setting_default('CAS_PROXY_GRANTING_TICKET_PREFIX', 'PGT')

--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -294,9 +294,13 @@ class Auth(View):
        username = request.POST.get('username')
        password = request.POST.get('password')
        service = request.POST.get('service')
+        secret = request.POST.get('secret')

+        if not settings.CAS_AUTH_SHARED_SECRET:
+            return HttpResponse("no\nplease set CAS_AUTH_SHARED_SECRET", content_type="text/plain")
+        if secret != settings.CAS_AUTH_SHARED_SECRET:
+            return HttpResponse("no\n", content_type="text/plain")
        if not username or not password or not service:
-            print "not username or service or password"
            return HttpResponse("no\n", content_type="text/plain")
        form = forms.UserCredential(
            request.POST,