Fixes: #2170.
Starting with Django 2.2.25, re_path behavior has changed. When the regular
expression ends with a '$', a full match is performed with the regular
expression. This breaks the behavior of how we are currently matching the locked
URLs for CAPTCHA based login forms.
Tests:
- All tests are done on Debian stable with Django 2.2.25 and on Debian unstable
with Django 3.2.10.
- Go to home page, click on login link. Enter wrong password three times.
CAPTCHA page is shown with URL ending with /locked. Type the correct password and
login will be successful.
- Install tt-rss. Logout. Go to /tt-rss/, redirection will happen to login page.
Enter wrong password three times. CAPTCHA page is shown with URL ending with
/locked. Type the correct password and login will be successful.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Install tt-rss. Logout. Visit the /tt-rss link. We will be redirected to the
login page. Login with wrong password 3 times. CAPTCHA is shown. Login with
correct password. Login will be successful.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- In Django 2.2 django.conf.urls.url() is an alias to django.urls.re_path().
- In Django 4.0, url() function will be removed. On Django 3.2, it throws a
warning that this function will be removed in future.
Tests:
- Run unit tests with Django 3.2 and Django 2.2.
- With Django 3.2 there are no warnings when running unit tests and when running
FreedomBox Service.
- Visit a few affected apps with both Django versions.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Done automatically by running isort . in top level directory.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
django-simple-captcha's /refresh url's regex was matching anything that ends
with the word "refresh". This was clashing with sso/refresh. Changed the regex
for captcha's url to captcha/refresh.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
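
An added example (not FreedomBox or Django code) of the two matching problems described in the commit messages above: a '$'-terminated route regex that only worked as a suffix stops matching once the whole path must match, and an unanchored "refresh" pattern captures sso/refresh. The resolve helper, route names and paths are constructed for illustration and model only the search versus full-match difference.

```python
import re

def resolve(routes, path, full_match_on_dollar):
    """Return the name of the first route whose regex matches path, else None.

    full_match_on_dollar=False models the older behaviour (regex.search).
    True models the behaviour described for Django 2.2.25 and later:
    a pattern ending in '$' must match the whole path.
    """
    for pattern, name in routes:
        regex = re.compile(pattern)
        if full_match_on_dollar and pattern.endswith('$'):
            match = regex.fullmatch(path)
        else:
            match = regex.search(path)
        if match:
            return name
    return None

# Constructed routes, not FreedomBox's actual URL configuration.
LOOSE = [
    (r'refresh/$', 'captcha-refresh'),   # matches any path ending in refresh/
    (r'locked/$', 'locked-out'),         # relies on search() finding a suffix
    (r'^sso/refresh/$', 'sso-refresh'),
]
ANCHORED = [
    (r'^captcha/refresh/$', 'captcha-refresh'),
    (r'^.*locked/$', 'locked-out'),      # suffix match stated explicitly
    (r'^sso/refresh/$', 'sso-refresh'),
]

def report():
    """Resolve each sample path under both route sets and both match modes."""
    rows = []
    for path in ('sso/refresh/', 'accounts/login/locked/', 'captcha/refresh/'):
        rows.append((path,
                     resolve(LOOSE, path, False),
                     resolve(LOOSE, path, True),
                     resolve(ANCHORED, path, False),
                     resolve(ANCHORED, path, True)))
    return rows

if __name__ == '__main__':
    for row in report():
        print(*row, sep='\t')
```

With the loose routes the result depends on the matching mode; with the anchored routes both modes resolve every sample path to the same view.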
- Change sso refresh url to refresh-pubtkt since refresh was conflicting with
captcha's image refresh url.
- Fix datetime.timedelta calculation for refresh interval. Now validity of
ticket is 30 seconds as it was intended to be. It was wrongly set to 30 days
earlier.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
User will be shown captcha in the second attempt to login if login
fails in the first attempt.
Signed-off-by: Joseph Nuthalpati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Removed key generation for mod_auth_pubtkt from first boot.
- Running setup every time plinth starts so that new essential modules
can be setup properly.
Partially fixes #875
- Install mod_auth_pubtkt and generate public/private key-pair.
- Redirect user to login page if no cookie is presented.
- Add check for authenticated user for login page.
- Temporarily switched to DSA because of a bug in mod_auth_pubtkt
which causes it to accept only DSA and not RSA. Also had to use SHA1
instead of SHA256.
- Enabled SSO for Syncthing, Repro and TT-RSS.
- Using tokens to authorize by user groups.
- Generate keys during first boot.