basic login and csrf working

8 years ago · bba7d358e4
8 changed files with 75 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@ -10,3 +10,4 @@ node_modules
 deploy.sh
 tags
 build
+.sass_cache
--- a/src/admin.py
+++ b/src/admin.py
@ -0,0 +1,17 @@
+#! /usr/bin/python3
+
+class Admin:
+    def __init__(self):
+        return
+
+    def is_authenticated(self):
+        return True
+
+    def is_active(self):
+        return True
+
+    def is_anonymous(self):
+        return False
+
+    def get_id(self):
+        return "admin"
--- a/src/scripts/editor.js
+++ b/src/scripts/editor.js
@ -1,4 +1,4 @@
 import riot from 'riot';
 import './editor.tag';
-
+axios.defaults.withCredentials = true
 riot.mount("editor");
--- a/src/scripts/editor.tag
+++ b/src/scripts/editor.tag
@ -2,8 +2,8 @@
  <div class="centered container">
    <div class="columns">
      <div class="column col-6">
-        <input ref="title"></input>
-        <input ref="author"></input>
+        <span>title</span><input ref="title">
+        <span>author</span><input ref="author"></input>
        <textarea onfocus={clearplaceholder}
                  onblur={checkplaceholder}
                  oninput={echo}
@ -75,12 +75,14 @@ submit() {
  var post = self.querystring.stringify({
      "title" : this.refs.title.value,
      "author" : this.refs.author.value,
-      "content" : this.refs.textarea.value
+      "content" : this.refs.textarea.value,
+      "csrf_token" : this.opts.csrf_token
  });

  var headers = {
    "headers" : {
-      "Content-Type" : "application/x-www-form-urlencoded"
+      "Content-Type" : "application/x-www-form-urlencoded",
+      "X-CSRFToken" : this.opts.csrf_token
    }
  };

--- a/src/scripts/post.tag
+++ b/src/scripts/post.tag
@ -108,9 +108,9 @@ setPost(pid, transition) {
            return;
          }
          self.opts.state.pid = pid;
-          self.author = postcontent[0].doc.author[0];
-          self.content = postcontent[0].doc.content[0];
-          self.title = postcontent[0].doc.title[0];
+          self.author = postcontent[0].doc.author;
+          self.content = postcontent[0].doc.content;
+          self.title = postcontent[0].doc.title;
          self.transition = transition;
          self.swipe = !self.swipe;
          self.nomore = false;
--- a/src/templates/login.html
+++ b/src/templates/login.html
@ -0,0 +1,19 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<head>
+  <link rel="stylesheet" href="/styles/primop.me.min.css">
+  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+</head>
+<html>
+  <body>
+    <section class="text-center nav navbar centered page-top navbar-section">
+      <h1 class="blog-title">logged in status: {{ success }}</h1>
+    </section>
+    <footer class="footer">
+    </footer>
+
+  <script src="https://unpkg.com/axios/dist/axios.min.js"></script>
+  <script type="text/javascript" src="/scripts/riotblog.min.js"></script>
+  </body>
+</html>
--- a/src/templates/write.html
+++ b/src/templates/write.html
@ -11,8 +11,7 @@
  <body>
    {% block content %}

-    <editor>
-    </editor>
+    <editor csrf_token="{{ csrf_token() }}"></editor>

    {% endblock %}

--- a/src/website.py
+++ b/src/website.py
@ -4,13 +4,15 @@ from functools import partial
 from flask import abort, Flask, render_template, flash, request, send_from_directory, jsonify
 from werkzeug.local import Local, LocalProxy, LocalManager
 from flask_appconfig import AppConfig
-from flask_login import LoginManager, login_required
+from flask_login import LoginManager, login_required, login_user
 from flask_wtf.csrf import CSRFProtect

 from urllib.parse import unquote
 from urllib.parse import quote, unquote
 from json import dumps, loads

+from admin import Admin
+
 from werkzeug.contrib.cache import MemcachedCache
 cache = MemcachedCache(['127.0.0.1:11211'])

@ -45,6 +47,22 @@ def NeverWhere(configfile=None):
        #return send_from_directory("/srv/http/goal/favicon.ico",
                                   #'favicon.ico', mimetype='image/vnd.microsoft.icon')

+    @login_manager.user_loader
+    def load_user(user_id):
+        return Admin
+
+    @app.route("/blog/admin_login", methods=("GET", "POST"))
+    def admin_login():
+        password = request.args.get("password")
+        success = False
+        if password == app.config["ADMIN_PASSWORD"]:
+            print("logged in successfully")
+            success = True
+            login_user(Admin())
+        else:
+            print("did not log in successfully")
+        return render_template("login.html", success=success)
+
    @app.route("/blog/projects", methods=("GET",))
    def projects():
        return jsonify(cacheit("projects", getProjects))
@ -91,7 +109,14 @@ def NeverWhere(configfile=None):
        """
        Insert a post, requires auth
        """
-        return posts.savepost(**request.form)
+
+        author = request.form.get("author", "no author")
+        title = request.form.get("title", "no title")
+        content = request.form.get("content", "no content")
+
+        post = {"author" : author, "title" : title, "content" : content}
+
+        return posts.savepost(**post)

    # default, not found error