author | Miguel Jacq <mig@mig5.net> | 2021-08-27 15:52:29 +1000 |
---|---|---|
committer | Miguel Jacq <mig@mig5.net> | 2021-08-27 15:52:29 +1000 |
commit | 0bf8f53d30ded17dde0b3ebf66d98ea7d8e5313d (patch) | |
tree | f90e773c3951188248ac3085de31db71f29451cf /cli/onionshare_cli/web/web.py | |
parent | f63e0c37d10dda759554321e7bf36a64477daaaa (diff) | |
ClientAuthV3 fixes
* Remove Client Auth as an explicit option (it's on by default).
* Update wording about Public mode
* Fix tuple error when raising TorTooOldStealth exception in CLI
* Move Private Key button next to URL button in GUI
* Replace visual references of ClientAuth to Private Key
* Remove the Flask-HTTPAuth dependency and a lot of code related to password generation,
401 auth handlers and invalid-password rate-limit detection, etc.
* Test updates
* Remove obsolete locale keys
Diffstat (limited to 'cli/onionshare_cli/web/web.py')
-rw-r--r-- | cli/onionshare_cli/web/web.py | 88 |
1 files changed, 3 insertions, 85 deletions
diff --git a/cli/onionshare_cli/web/web.py b/cli/onionshare_cli/web/web.py
index 04919185..b33e0ee1 100644
--- a/cli/onionshare_cli/web/web.py
+++ b/cli/onionshare_cli/web/web.py
@@ -34,7 +34,6 @@ from flask import (
     send_file,
     __version__ as flask_version,
 )
-from flask_httpauth import HTTPBasicAuth
 from flask_socketio import SocketIO
 
 from .share_mode import ShareModeWeb
@@ -75,7 +74,6 @@ class Web:
     REQUEST_INDIVIDUAL_FILE_CANCELED = 12
     REQUEST_ERROR_DATA_DIR_CANNOT_CREATE = 13
     REQUEST_OTHER = 14
-    REQUEST_INVALID_PASSWORD = 15
 
     def __init__(self, common, is_gui, mode_settings, mode="share"):
         self.common = common
@@ -92,8 +90,6 @@ class Web:
         )
         self.app.secret_key = self.common.random_string(8)
         self.generate_static_url_path()
-        self.auth = HTTPBasicAuth()
-        self.auth.error_handler(self.error401)
 
         # Verbose mode?
         if self.common.verbose:
@@ -132,9 +128,6 @@ class Web:
         ]
         self.q = queue.Queue()
 
-        self.password = None
-
-        self.reset_invalid_passwords()
 
         self.done = False
 
@@ -199,28 +192,6 @@ class Web:
         Common web app routes between all modes.
         """
 
-        @self.auth.get_password
-        def get_pw(username):
-            if username == "onionshare":
-                return self.password
-            else:
-                return None
-
-        @self.app.before_request
-        def conditional_auth_check():
-            # Allow static files without basic authentication
-            if request.path.startswith(self.static_url_path + "/"):
-                return None
-
-            # If public mode is disabled, require authentication
-            if not self.settings.get("general", "public"):
-
-                @self.auth.login_required
-                def _check_login():
-                    return None
-
-                return _check_login()
-
         @self.app.errorhandler(404)
         def not_found(e):
             mode = self.get_mode()
@@ -260,31 +231,6 @@ class Web:
             f"{self.common.get_resource_path('static')}/img/favicon.ico"
         )
 
-    def error401(self):
-        auth = request.authorization
-        if auth:
-            if (
-                auth["username"] == "onionshare"
-                and auth["password"] not in self.invalid_passwords
-            ):
-                print(f"Invalid password guess: {auth['password']}")
-                self.add_request(Web.REQUEST_INVALID_PASSWORD, data=auth["password"])
-
-                self.invalid_passwords.append(auth["password"])
-                self.invalid_passwords_count += 1
-
-                if self.invalid_passwords_count == 20:
-                    self.add_request(Web.REQUEST_RATE_LIMIT)
-                    self.force_shutdown()
-                    print(
-                        "Someone has made too many wrong attempts to guess your password, so OnionShare has stopped the server. Start sharing again and send the recipient a new address to share."
-                    )
-
-        r = make_response(
-            render_template("401.html", static_url_path=self.static_url_path), 401
-        )
-        return self.add_security_headers(r)
-
     def error403(self):
-        self.add_request(Web.REQUEST_OTHER, request.path)
-        r = make_response(
@@ -362,21 +308,6 @@ class Web:
         """
         self.q.put({"type": request_type, "path": path, "data": data})
 
-    def generate_password(self, saved_password=None):
-        self.common.log("Web", "generate_password", f"saved_password={saved_password}")
-        if saved_password is not None and saved_password != "":
-            self.password = saved_password
-            self.common.log(
-                "Web",
-                "generate_password",
-                f'saved_password sent, so password is: "{self.password}"',
-            )
-        else:
-            self.password = self.common.build_password()
-            self.common.log(
-                "Web", "generate_password", f'built random password: "{self.password}"'
-            )
-
     def verbose_mode(self):
         """
         Turn on verbose mode, which will log flask errors to a file.
@@ -386,10 +317,6 @@ class Web:
         log_handler.setLevel(logging.WARNING)
         self.app.logger.addHandler(log_handler)
 
-    def reset_invalid_passwords(self):
-        self.invalid_passwords_count = 0
-        self.invalid_passwords = []
-
     def force_shutdown(self):
         """
         Stop the flask web server, from the context of the flask app.
@@ -446,18 +373,9 @@ class Web:
         # To stop flask, load http://shutdown:[shutdown_password]@127.0.0.1/[shutdown_password]/shutdown
         # (We're putting the shutdown_password in the path as well to make routing simpler)
         if self.running:
-            if self.password:
-                requests.get(
-                    f"http://127.0.0.1:{port}/{self.shutdown_password}/shutdown",
-                    auth=requests.auth.HTTPBasicAuth("onionshare", self.password),
-                )
-            else:
-                requests.get(
-                    f"http://127.0.0.1:{port}/{self.shutdown_password}/shutdown"
-                )
-
-            # Reset any password that was in use
-            self.password = None
+            requests.get(
+                f"http://127.0.0.1:{port}/{self.shutdown_password}/shutdown"
+            )
 
     def cleanup(self):
         """
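Review bot: The rewritten `requests.get(...)` on the new side carries no timeout, so if the Flask server is wedged this loopback shutdown request blocks indefinitely and the enclosing stop method never returns; since the line is being rewritten anyway, add one: `requests.get(f"http://127.0.0.1:{port}/{self.shutdown_password}/shutdown", timeout=10)`. With the HTTP basic-auth credentials dropped from this call, the `/shutdown` route is now guarded only by the `shutdown_password` segment in the path, so that route's check of the segment is the sole protection and must stay in place (the route is outside this hunk, so I cannot confirm it here). A `ConnectionError` from a server that has already exited would propagate out of this method, as it did before; wrapping the call in `except requests.exceptions.RequestException` would match the best-effort intent of the comment above it. The enclosing method begins before this hunk.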