mozilla / network-pulse-api

API for the Network-Pulse project
Mozilla Public License 2.0

Lock down the accounts/login route #767

Closed Pomax closed 2 years ago

Pomax commented 2 years ago

This puts a session-based lock in front of the django-allauth accounts/login route, so that if recaptcha is enabled, users have to first hit /login before they're redirected to accounts/login, yielding a 403 if they try to directly access the allauth login route.

This is primarily a PR in need of code review. The testing STR are basically the same as before: the regular login flow (where the client calls /login on the API server) should work the same as before, but directly pointing a browser at accounts/login, or trying to hit /login without a token argument should be a 403 with recaptcha enabled (but work just fine if USE_RECAPTCHA is set to false).
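The gate described in the PR, written out as an added, self-contained model rather than the project's own code: a stand-in for the /login API view plus a middleware-style check in front of the django-allauth accounts/login route. It uses a minimal request object carrying the same attribute names Django exposes (path, session, GET) so it runs without Django; the session key name, the reCAPTCHA verifier, the route strings and the one-shot consumption of the flag are all assumptions made for the example, not details taken from the PR.

```python
# Added example modelling the session-based lock in front of accounts/login.
# Not the network-pulse-api code; Django is replaced by a tiny Request class.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALLAUTH_LOGIN_PATH = "/accounts/login/"      # django-allauth's default login URL
API_LOGIN_PATH = "/login"                    # the API server's own login entry point
GATE_SESSION_KEY = "allauth_login_unlocked"  # hypothetical session key name
HTTP_OK, HTTP_FOUND, HTTP_FORBIDDEN = 200, 302, 403


@dataclass
class Request:
    """Constructed stand-in for django.http.HttpRequest (path, session, GET)."""
    path: str
    session: dict = field(default_factory=dict)  # shared across one client's requests
    GET: dict = field(default_factory=dict)


def verify_recaptcha(token: str) -> bool:
    """Constructed stand-in for a call to the reCAPTCHA siteverify endpoint."""
    return token == "valid-token"


def api_login(request: Request, use_recaptcha: bool) -> Tuple[int, Optional[str]]:
    """Model of the /login view: with reCAPTCHA on, a missing or bad token is a 403;
    otherwise the session is marked and the client is redirected to allauth."""
    if use_recaptcha:
        token = request.GET.get("token")
        if not token or not verify_recaptcha(token):
            return HTTP_FORBIDDEN, None
    request.session[GATE_SESSION_KEY] = True
    return HTTP_FOUND, ALLAUTH_LOGIN_PATH


def allauth_login(request: Request) -> Tuple[int, Optional[str]]:
    """Stand-in for the allauth login view that the gate protects."""
    return HTTP_OK, "allauth login form"


def gate_allauth_login(request: Request, use_recaptcha: bool) -> Tuple[int, Optional[str]]:
    """Model of the lock in front of accounts/login.

    Only the allauth route is checked, and only when reCAPTCHA is enabled.
    The flag is consumed on use (assumption: one-shot unlock), so one
    successful /login cannot be replayed to reach the form repeatedly.
    """
    if use_recaptcha and request.path.rstrip("/") == ALLAUTH_LOGIN_PATH.rstrip("/"):
        if not request.session.pop(GATE_SESSION_KEY, False):
            return HTTP_FORBIDDEN, None
    return allauth_login(request)


def handle(request: Request, use_recaptcha: bool = True) -> Tuple[int, Optional[str]]:
    """Tiny router: dispatch to the API view or to the gated allauth view."""
    if request.path.rstrip("/") == API_LOGIN_PATH:
        return api_login(request, use_recaptcha)
    return gate_allauth_login(request, use_recaptcha)


def browser_flow(session: dict, token: Optional[str], use_recaptcha: bool = True) -> List[int]:
    """Replay the client flow: call /login, then follow the redirect if one is issued.

    Returns the status codes seen: [302, 200] for the regular flow, [403] when
    the token is missing or fails verification.
    """
    statuses = []
    get = {"token": token} if token is not None else {}
    status, location = handle(Request(API_LOGIN_PATH, session, get), use_recaptcha)
    statuses.append(status)
    if status == HTTP_FOUND:
        status, _ = handle(Request(location, session), use_recaptcha)
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(browser_flow({}, "valid-token"))                               # [302, 200]
    print(browser_flow({}, None))                                        # [403]
    print(handle(Request(ALLAUTH_LOGIN_PATH, {}))[0])                    # 403, direct access
    print(handle(Request(ALLAUTH_LOGIN_PATH, {}), use_recaptcha=False)[0])  # 200
```

The check compares the resolved path exactly rather than by prefix, so a route such as /accounts/login-help would not be caught by accident; in a real Django deployment the same comparison would be done against the matched URL name instead of a string. Note that with use_recaptcha set to False the /login view still sets the flag, but the gate never consults it, which matches the PR's stated behaviour that everything works unchanged when USE_RECAPTCHA is off.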

tbrlpld commented 2 years ago

@Pomax One small suggestion. Looks good otherwise 👍