Remove obsolete "qrl" schema, enforce SSL connections

CHANGELOG

@@ -1,3 +1,17 @@
+Sat, 14 Sep 2019 07:33:09 -0500
+Keaton <kii-chan@tutanota.com>
+Remove obsolete "qrl" schema, enforce SSL connections
+
+- As suspected, "qrl" URLs were a remnant of early versions of the protocol. 
+  Removed that functionality.
+- In its place, `sqrl_url` now spits out `None` if the connection is not SSL.
+  The default templates have been updated to display a message urging the user
+  to not log in until they have secured their connection, as well as remove the
+  QR code.
+- Made the JS polling async, because Firefox was scolding me.
+
+--------------------
+
 Sat, 14 Sep 2019 06:03:32 -0500
 Keaton <kii-chan@tutanota.com>
 Remove old RST's, update README

README.md

@@ -164,13 +164,22 @@ following essential tags:
 {% load static %}
 {% load sqrl %}
 {% sqrl as sqrl_session %}
+
+{% if session_sqrl.sqrl_url %}
 <a href="{{ sqrl_session.sqrl_url }}">
     <div id="sqrl-qr" data-sqrl="{{ sqrl_session.sqrl_url }}"></div>
 </a>
-<script>SQRL_NEXT="{{ your desired redirect }}"; SQRL_CHECK_URL="{% sqrl_status_url_script_tag sqrl_session %}"</script>
+<script>SQRL_NEXT="{{ your desired redirect (not namespace) }}"; SQRL_CHECK_URL="{% sqrl_status_url_script_tag sqrl_session %}"</script>
 <script type="application/javascript" src="{% static 'sqrl/sqrl.js' %}"></script>
+{% else $}
+<p>You are not connected via HTTPS, therefore you may not log in using SQRL.</p>
+{% endif %}
 ```
 
+Note that the `session_sqrl.sqrl_url` function will return `None` if the user
+connects over an insecure HTTP connection. If you make your own template, please
+be sure to account for this situation as in the above example.
+
 ## Management Command
 
 SQRL uses server state to keep track of open SQRL transactions in order to

sqrl/sqrl.py

@@ -137,9 +137,6 @@ class SQRLInitialization(object):
         """
         Property for getting full SQRL auth view URL including SQRL scheme and full domain with port.
         """
-        return (
+        if self.request.is_secure():
-            '{scheme}://{host}{url}'
+            return 'sqrl://{host}{url}'.format(host=self.request.get_host(),url=self.url)
-            ''.format(scheme='sqrl' if self.request.is_secure() else 'qrl',
+        return None
-                      host=self.request.get_host(),
-                      url=self.url)
-        )

sqrl/static/sqrl/sqrl.js

@@ -32,7 +32,7 @@
           url = url + encodeURIComponent(current_url);
         }
 
-        request.open('POST', url, false);
+        request.open('POST', url, async=true);
         request.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
         request.onreadystatechange = handleStateChange;
 

sqrl/templates/admin/auth/user/sqrl_manage.html

@@ -61,7 +61,7 @@
         {% endif %}
 
         {% sqrl as sqrl_session %}
-
+        {% if sqrl_session.sqrl_url %}
         <fieldset class="module aligned">
             <div class="sqrl-wrap">
                 SQRL Login
@@ -80,6 +80,9 @@
                 <input type="submit" value="Manage SQRL" class="default" style="float: left;">
             </div>
         </form>
+        {% else %}
+        <p><strong>You are not connected on a secure connection. For your safety, SQRL login is disabled. It is advised that you do not log into this website at all until you are connected via a HTTPS connection.</strong></p>
+        {% endif %}
 
     </div>
 {% endblock %}

sqrl/templates/admin/login.html

@@ -6,6 +6,7 @@
     {{ block.super }}
     <link rel="stylesheet" type="text/css" href="{% static 'admin/css/login.css' %}"/>
     <link rel="stylesheet" type="text/css" href="{% static 'admin/sqrl.css' %}"/>
+    <link rel="stylesheet" type="text/css" href="{% static 'sqrl/dropin.css' %}"/>
 {% endblock %}
 
 {% block bodyclass %}{{ block.super }} login{% endblock %}
@@ -58,13 +59,14 @@
         </form>
 
         {% sqrl as sqrl_session %}
+        {% if sqrl_session.sqrl_url %}
 
         <form method="get" action="{{ sqrl_session.sqrl_url }}" class="sqrl">
             <p class="align-center or">
                 <span class="line-center">or</span>
             </p>
 
-            <div>
+            <div class="sqrl-parent">
                 <h3>Login using SQRL</h3>
 
                 <div class="sqrl-wrap">
@@ -87,5 +89,10 @@
             document.getElementById('id_username').focus()
         </script>
         <script type="application/javascript" src="{% static 'sqrl/sqrl.js' %}"></script>
+        {% else %}
+        <div class="sqrl-parent">
+            <p><strong>You are not connected on a secure connection. For your safety, SQRL login is disabled. It is advised that you do not log into this website at all until you are connected via a HTTPS connection.</strong></p>
+        </div>
+        {% endif %}
     </div>
 {% endblock %}

sqrl/templates/sqrl/sqrl-dropin.html

@@ -1,6 +1,8 @@
 {% load static %}
 {% load sqrl %}
+
 <link type="text/css" rel="stylesheet" href="{% static 'sqrl/dropin.css' %}"/>
+{% if sqrl_session.sqrl_url %}
 <div class="sqrl-parent">
     <form class="sqrl-form" method="get" action="{{ sqrl_session.sqrl_url }}">
         <div class="sqrl-wrap">
@@ -16,5 +18,10 @@
         <input type="submit" value="Authenticate using SQRL">
     </form>
 </div>
+{% else %}
+<div class="sqrl-parent">
+    <p><strong>You are not connected on a secure connection. For your safety, SQRL login is disabled. It is advised that you do not log into this website at all until you are connected via a HTTPS connection.</strong></p>
+</div>
+{% endif %}
 <script>SQRL_NEXT="{{ redir }}"; SQRL_CHECK_URL="{% sqrl_status_url_script_tag sqrl_session %}"</script>
 <script type="application/javascript" src="{% static 'sqrl/sqrl.js' %}"></script>

tests/settings.py

@@ -7,6 +7,8 @@ import django
 
 
 DEBUG = True
+#DEBUG = False
+ALLOWED_HOSTS = ["localhost"]
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 DATABASES = {