Protect the auth view with a shared secret

cas_server/default_settings.py

@@ -27,6 +27,8 @@ setting_default('CAS_TICKET_TIMEOUT', 24*3600)
 setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
 setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)
 
+setting_default('CAS_AUTH_SHARED_SECRET', '')
+
 setting_default('CAS_SERVICE_TICKET_PREFIX', 'ST')
 setting_default('CAS_PROXY_TICKET_PREFIX', 'PT')
 setting_default('CAS_PROXY_GRANTING_TICKET_PREFIX', 'PGT')

cas_server/views.py

@@ -294,9 +294,13 @@ class Auth(View):
         username = request.POST.get('username')
         password = request.POST.get('password')
         service = request.POST.get('service')
+        secret = request.POST.get('secret')
 
+        if not settings.CAS_AUTH_SHARED_SECRET:
+            return HttpResponse("no\nplease set CAS_AUTH_SHARED_SECRET", content_type="text/plain")
+        if secret != settings.CAS_AUTH_SHARED_SECRET:
+            return HttpResponse("no\n", content_type="text/plain")
         if not username or not password or not service:
-            print "not username or service or password"
             return HttpResponse("no\n", content_type="text/plain")
         form = forms.UserCredential(
             request.POST,