Commit 603b4a80 authored by Valentin Samir's avatar Valentin Samir

Protect the auth view with a shared secret

parent cb84936b
......@@ -27,6 +27,8 @@ setting_default('CAS_TICKET_TIMEOUT', 24*3600)
setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)
setting_default('CAS_AUTH_SHARED_SECRET', '')
setting_default('CAS_SERVICE_TICKET_PREFIX', 'ST')
setting_default('CAS_PROXY_TICKET_PREFIX', 'PT')
setting_default('CAS_PROXY_GRANTING_TICKET_PREFIX', 'PGT')
......
......@@ -294,9 +294,13 @@ class Auth(View):
username = request.POST.get('username')
password = request.POST.get('password')
service = request.POST.get('service')
secret = request.POST.get('secret')
if not settings.CAS_AUTH_SHARED_SECRET:
return HttpResponse("no\nplease set CAS_AUTH_SHARED_SECRET", content_type="text/plain")
if secret != settings.CAS_AUTH_SHARED_SECRET:
return HttpResponse("no\n", content_type="text/plain")
if not username or not password or not service:
print "not username or service or password"
return HttpResponse("no\n", content_type="text/plain")
form = forms.UserCredential(
request.POST,
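Review bot: The shared-secret check on the `if secret != settings.CAS_AUTH_SHARED_SECRET:` line is an ordinary string comparison, which short-circuits on the first differing byte and so leaks timing information about the secret to an unauthenticated caller; compare it in constant time instead, e.g. `from django.utils.crypto import constant_time_compare` and `if not constant_time_compare(secret or '', settings.CAS_AUTH_SHARED_SECRET):` (the `or ''` also covers a missing POST parameter, where `secret` is `None`). The "no\nplease set CAS_AUTH_SHARED_SECRET" body is returned to any client before the secret is verified, which tells an unauthenticated caller which setting is absent on the server; it would be safer to log that condition server-side and return the same plain `"no\n"` response as the other failure branches. The enclosing method of `Auth` starts and ends outside the hunk.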
......