| author | Thibaut Horel <thibaut@horel.org> | 2018-12-26 12:05:54 -0500 |
|---|---|---|
| committer | Thibaut Horel <thibaut@horel.org> | 2018-12-26 12:05:54 -0500 |
| commit | f4706933056cc791037a0209a19fcf4177cc2f69 (patch) | |
| tree | 9b00f33b776e6e9987c1ce8a7ba20999cf98328a /famille.py | |
| parent | 5e06cb0e1d4f4bcda2976a1daba6dbb4a3b011c7 (diff) | |
| download | famille-flask-f4706933056cc791037a0209a19fcf4177cc2f69.tar.gz | |
Change session flow
The application is now expected to only receive authenticated
requests; the user_id is available in the X-Remote-User header.
The @login_required decorator creates the session cookie from
this header.
Diffstat (limited to 'famille.py')
| -rw-r--r-- | famille.py | 41 |
1 files changed, 10 insertions, 31 deletions
@@ -107,7 +107,15 @@ def login_required(f):
@wraps(f)
def decorated_function(*args, **kwargs):
if 'user_name' not in session:
- return redirect(url_for('login', next=request.url))
+ user = query_db('select * from users where id = ?',
+ (request.headers["X-Remote-User"],), True)
+ session['user_name'] = user['user_name']
+ session['user_id'] = user['id']
+ session['timezone'] = user['timezone'] or "UTC"
+ db = get_db()
+ db.execute("UPDATE users SET last_seen=? WHERE id=?",
+ (datetime.utcnow(), session['user_id']))
+ db.commit()
return f(*args, **kwargs)
return decorated_function
@@ -283,41 +291,12 @@ def edit_user():
return redirect(url_for('view_user', user_id=session['user_id']))
-@app.route('/login/', methods=['GET', 'POST'])
-def login():
- if 'user_name' in session:
- return redirect(url_for('list_news'))
-
- if request.method == 'POST':
- username = request.form['username']
- password = hashlib.md5(request.form['password'].encode()).hexdigest()
- user = query_db('select * from users where user_name = ?',
- (username,), True)
- if user:
- if user['password'] == password:
- session['user_name'] = user['user_name']
- session['user_id'] = user['id']
- session['timezone'] = user['timezone'] or "UTC"
- db = get_db()
- db.execute("UPDATE users SET last_seen=? WHERE id=?",
- (datetime.utcnow(), session['user_id']))
- db.commit()
- return redirect(url_for('list_news'))
- else:
- flash('Mot de passe incorrect')
- return redirect(url_for('login'))
- else:
- flash('Utilisateur non enregistré')
- return redirect(url_for('login'))
- return render_template('login.html')
-
-
@app.route('/logout/')
@login_required
def logout():
session.pop('user_name', None)
session.pop('user_id', None)
- return redirect(url_for('login'))
+ return redirect(url_for('list_news'))
@app.route('/rss.xml') |
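Review bot: The new branch in `decorated_function` reads `request.headers["X-Remote-User"]` with no check that the header is present or that `query_db(...)` found a row, so a request that reaches the application without the upstream proxy, or one carrying an id with no local account, dies with an unhandled KeyError/TypeError instead of a clean 401/403, and the whole authentication model now rests on the deployment guaranteeing that only the proxy can set that header. That assumption should be written down next to the code, e.g. `# Authentication is delegated to the reverse proxy: X-Remote-User must be stripped from client input and set only by the proxy.` Because the session is only built when `user_name` is absent, a cookie issued for one user keeps being honoured even if the proxy later sends a different X-Remote-User for the same browser; comparing the header against `session['user_id']` on every request and rebuilding the session on mismatch would close that gap (the header is a string while the DB id may be an int, so normalise before comparing). `abort` must be imported from flask if the module does not already do so; `login_required` itself starts before this hunk.
```python
    def decorated_function(*args, **kwargs):
        if 'user_name' not in session:
            remote_user = request.headers.get("X-Remote-User")
            if not remote_user:
                abort(401)  # set only by the auth proxy; absent means the proxy was bypassed
            user = query_db('select * from users where id = ?',
                            (remote_user,), True)
            if user is None:
                abort(403)  # authenticated upstream but no matching local account
            # … unchanged: session population and last_seen update …
        return f(*args, **kwargs)
```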
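Review bot: After this change `logout` pops `user_name`/`user_id` and redirects to `list_news`; if that view is wrapped in `login_required` (not visible in this hunk), the very next request rebuilds the session from `X-Remote-User`, so logging out only clears the local cookie and the user is effectively signed straight back in. The view should say so in a docstring, e.g. `"""Clear the local session only; ending the upstream SSO session is the proxy's responsibility."""`, and it should also drop the `timezone` key that the new `login_required` now stores but logout leaves behind: `session.pop('timezone', None)`. With the password path gone, the file-level `hashlib` import is probably unused now — worth checking outside this hunk.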
