Missing @login_required decorator · Issue #31 · mkalioby/django-passkeys

The views reg_begin and reg_complete both reference request.user without having the @login_required decorator. Opening these URLs leads to unwanted Internal Server Errors, if the user is not logged in.

django-passkeys/passkeys/FIDO2.py

Lines 60 to 99 in 310b4f4

    
           def reg_begin(request): 
        
               """Starts registering a new FIDO Device, called from API""" 
        
               enable_json_mapping() 
        
               server = getServer(request) 
        
               auth_attachment = getattr(settings,'KEY_ATTACHMENT', None) 
        
               registration_data, state = server.register_begin({ 
        
                   u'id':  urlsafe_b64encode(request.user.username.encode("utf8")), 
        
                   u'name': request.user.get_username(), 
        
                   u'displayName': request.user.get_full_name() 
        
               }, getUserCredentials(request.user), authenticator_attachment = auth_attachment, resident_key_requirement=fido2.webauthn.ResidentKeyRequirement.PREFERRED) 
        
               request.session['fido2_state'] = state 
        
               return JsonResponse(dict(registration_data)) 
        
               #return HttpResponse(cbor.encode(registration_data), content_type = 'application/octet-stream') 
        
           @csrf_exempt 
        
           def reg_complete(request): 
        
               """Completes the registeration, called by API""" 
        
               try: 
        
                   if not "fido2_state" in request.session: 
        
                       return JsonResponse({'status': 'ERR', "message": "FIDO Status can't be found, please try again"}) 
        
                   enable_json_mapping() 
        
                   data = json.loads(request.body) 
        
                   name = data.pop("key_name",'') 
        
                   server = getServer(request) 
        
                   auth_data = server.register_complete(request.session.pop("fido2_state"), response = data) 
        
                   encoded = websafe_encode(auth_data.credential_data) 
        
                   platform = get_current_platform(request) 
        
                   if name == "": 
        
                       name = platform 
        
                   uk = UserPasskey(user=request.user, token=encoded, name = name,platform=platform) 
        
                   if data.get("id"): 
        
                       uk.credential_id = data.get('id') 
        
                   uk.save() 
        
                   return JsonResponse({'status': 'OK'}) 
        
               except Exception as exp: # pragma: no cover 
        
                   print(traceback.format_exc()) # pragma: no cover 
        
                   return JsonResponse({'status': 'ERR', "message": "Error on server, please try again later"}) # pragma: no cover

(Technically, it wouldn't be needed on reg_complete, but I think for the sake of completeness, it should be added nonetheless.)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Missing @login_required decorator #31

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development


	def reg_begin(request):
	"""Starts registering a new FIDO Device, called from API"""
	enable_json_mapping()
	server = getServer(request)
	auth_attachment = getattr(settings,'KEY_ATTACHMENT', None)
	registration_data, state = server.register_begin({
	u'id': urlsafe_b64encode(request.user.username.encode("utf8")),
	u'name': request.user.get_username(),
	u'displayName': request.user.get_full_name()
	}, getUserCredentials(request.user), authenticator_attachment = auth_attachment, resident_key_requirement=fido2.webauthn.ResidentKeyRequirement.PREFERRED)
	request.session['fido2_state'] = state
	return JsonResponse(dict(registration_data))
	#return HttpResponse(cbor.encode(registration_data), content_type = 'application/octet-stream')


	@csrf_exempt
	def reg_complete(request):
	"""Completes the registeration, called by API"""
	try:
	if not "fido2_state" in request.session:
	return JsonResponse({'status': 'ERR', "message": "FIDO Status can't be found, please try again"})
	enable_json_mapping()
	data = json.loads(request.body)
	name = data.pop("key_name",'')
	server = getServer(request)
	auth_data = server.register_complete(request.session.pop("fido2_state"), response = data)
	encoded = websafe_encode(auth_data.credential_data)
	platform = get_current_platform(request)
	if name == "":
	name = platform
	uk = UserPasskey(user=request.user, token=encoded, name = name,platform=platform)
	if data.get("id"):
	uk.credential_id = data.get('id')

	uk.save()
	return JsonResponse({'status': 'OK'})
	except Exception as exp: # pragma: no cover
	print(traceback.format_exc()) # pragma: no cover
	return JsonResponse({'status': 'ERR', "message": "Error on server, please try again later"}) # pragma: no cover

Missing @login_required decorator #31

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions