Unverified Commit 82d7fcd3 authored by bors[bot], committed by GitHub

Merge #2307 #2309

2307: admin: graceful fail on user fetch in basic auth (backport #2299) r=mergify[bot] a=mergify[bot]

This is an automatic backport of pull request #2299 done by [Mergify](https://mergify.com).


---


<details>
<summary>Mergify commands and options</summary>

<br />

More conditions and actions can be found in the [documentation](https://docs.mergify.com/).

You can also trigger Mergify actions by commenting on this pull request:

- `@Mergifyio refresh` will re-evaluate the rules
- `@Mergifyio rebase` will rebase this PR on its base branch
- `@Mergifyio update` will merge the base branch into this PR
- `@Mergifyio backport <destination>` will backport this PR on `<destination>` branch

Additionally, on Mergify [dashboard](https://dashboard.mergify.com/) you can:

- look at your merge queues
- generate the Mergify configuration with the config editor.

Finally, you can contact us on https://mergify.com
</details>


2309: Adding missing semicolon after remote_addr (backport #2305) r=mergify[bot] a=mergify[bot]

This is an automatic backport of pull request #2305 done by [Mergify](https://mergify.com).


---




Co-authored-by: hitech95 <nicveronese@gmail.com>
Co-authored-by: spomata <49432438+spomata@users.noreply.github.com>
......@@ -5,6 +5,7 @@ from flask import current_app as app
import flask
import flask_login
import base64
import sqlalchemy.exc
@internal.route("/auth/email")
def nginx_authentication():
......@@ -96,13 +97,19 @@ def basic_authentication():
response.headers["WWW-Authenticate"] = 'Basic realm="Authentication rate limit for this username exceeded"'
response.headers['Retry-After'] = '60'
return response
user = models.User.query.get(user_email)
if user and nginx.check_credentials(user, password.decode('utf-8'), client_ip, "web"):
response = flask.Response()
response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "")
utils.limiter.exempt_ip_from_ratelimits(client_ip)
return response
utils.limiter.rate_limit_user(user_email, client_ip) if user else utils.limiter.rate_limit_ip(client_ip)
try:
user = models.User.query.get(user_email) if '@' in user_email else None
except sqlalchemy.exc.StatementError as exc:
exc = str(exc).split('\n', 1)[0]
app.logger.warn(f'Invalid user {user_email!r}: {exc}')
else:
if user is not None and nginx.check_credentials(user, password.decode('utf-8'), client_ip, "web"):
response = flask.Response()
response.headers["X-User"] = models.IdnaEmail.process_bind_param(flask_login, user.email, "")
utils.limiter.exempt_ip_from_ratelimits(client_ip)
return response
# We failed check_credentials
utils.limiter.rate_limit_user(user_email, client_ip) if user else utils.limiter.rate_limit_ip(client_ip)
response = flask.Response(status=401)
response.headers["WWW-Authenticate"] = 'Basic realm="Login Required"'
return response
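Review bot: On the `except sqlalchemy.exc.StatementError` path, `user` is never assigned within the visible lines, and the flattened indentation here does not show whether the `rate_limit_user(...) if user else rate_limit_ip(...)` line sits inside the `else:` block. If it is inside, a username that triggers StatementError gets its 401 without the attempt being counted against the client IP; if it is outside, the `if user` test raises UnboundLocalError on that path. Setting `user = None` before the `try` and doing the rate limiting after the whole try/except/else covers both cases. Two smaller points: `app.logger.warn` is the deprecated alias of `warning`, and the conditional expression used only for its side effects would read more clearly as a plain if/else.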
......@@ -47,7 +47,7 @@ Then on your own frontend, point to these local ports. In practice, you only nee
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://localhost:8443;
}
}
......@@ -68,7 +68,7 @@ Because the admin interface is served as ``/admin``, the Webmail as ``/webmail``
location ~ ^/(admin|sso|static|webdav|webmail)/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://localhost:8443;
}
......@@ -109,7 +109,7 @@ Here is an example configuration :
location /webmail {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://localhost:8443/webmail;
}
}
......@@ -121,7 +121,7 @@ Here is an example configuration :
location /admin {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://localhost:8443/admin;
proxy_set_header Host $http_host;
}
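Review bot: The `location /admin` block ends up with two `proxy_set_header Host` lines, `$host` at the top and `$http_host` after `proxy_pass`, while the `/webmail` example in the previous hunk has only `$host`. `$http_host` is the Host header exactly as the client sent it, so the two values can differ; since this change already touches the block, drop one of the directives so the documented example is unambiguous about what the backend receives.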