Remove obsolete "qrl" schema, enforce SSL connections

This commit is contained in:
= 2019-09-14 07:33:09 -05:00
parent 9268fce1af
commit 6203bb2fab
Signed by: kiichan
GPG key ID: 619DFD67F0976616
8 changed files with 49 additions and 10 deletions


@ -1,3 +1,17 @@
Sat, 14 Sep 2019 07:33:09 -0500
Keaton <kii-chan@tutanota.com>
Remove obsolete "qrl" schema, enforce SSL connections
- As suspected, "qrl" URLs were a remnant of early versions of the protocol.
Removed that functionality.
- In its place, `sqrl_url` now spits out `None` if the connection is not SSL.
The default templates have been updated to display a message urging the user
to not log in until they have secured their connection, as well as remove the
QR code.
- Made the JS polling async, because Firefox was scolding me.
--------------------
Sat, 14 Sep 2019 06:03:32 -0500
Keaton <kii-chan@tutanota.com>
Remove old RST's, update README


@ -164,13 +164,22 @@ following essential tags:
{% load static %}
{% load sqrl %}
{% sqrl as sqrl_session %}
{% if session_sqrl.sqrl_url %}
<a href="{{ sqrl_session.sqrl_url }}">
<div id="sqrl-qr" data-sqrl="{{ sqrl_session.sqrl_url }}"></div>
</a>
<script>SQRL_NEXT="{{ your desired redirect }}"; SQRL_CHECK_URL="{% sqrl_status_url_script_tag sqrl_session %}"</script>
<script>SQRL_NEXT="{{ your desired redirect (not namespace) }}"; SQRL_CHECK_URL="{% sqrl_status_url_script_tag sqrl_session %}"</script>
<script type="application/javascript" src="{% static 'sqrl/sqrl.js' %}"></script>
{% else $}
<p>You are not connected via HTTPS, therefore you may not log in using SQRL.</p>
{% endif %}
```
Note that the `session_sqrl.sqrl_url` function will return `None` if the user
connects over an insecure HTTP connection. If you make your own template, please
be sure to account for this situation as in the above example.
## Management Command
SQRL uses server state to keep track of open SQRL transactions in order to


@ -137,9 +137,6 @@ class SQRLInitialization(object):
"""
Property for getting full SQRL auth view URL including SQRL scheme and full domain with port.
"""
return (
'{scheme}://{host}{url}'
''.format(scheme='sqrl' if self.request.is_secure() else 'qrl',
host=self.request.get_host(),
url=self.url)
)
if self.request.is_secure():
return 'sqrl://{host}{url}'.format(host=self.request.get_host(),url=self.url)
return None
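Review bot: The docstring just above the hunk still describes the property as returning the full SQRL URL, but the new body returns `None` whenever `self.request.is_secure()` is false, and the templates in this commit now branch on that; the docstring should state the contract, e.g. `Returns None when the request is not secure; templates must not offer SQRL login in that case.` Behind a TLS-terminating proxy `is_secure()` is only true when `SECURE_PROXY_SSL_HEADER` is configured, so such deployments will see SQRL login disabled everywhere until that setting is in place — worth a sentence in the README next to the new `None` note. The README example that documents this contract also reads `session_sqrl.sqrl_url` and `{% else $}` rather than `sqrl_session` and `{% else %}`, so copied as-is it would never render the SQRL branch. The property's decorator and signature are above the hunk.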


@ -32,7 +32,7 @@
url = url + encodeURIComponent(current_url);
}
request.open('POST', url, false);
request.open('POST', url, async=true);
request.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
request.onreadystatechange = handleStateChange;
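Review bot: `request.open('POST', url, async=true);` on the added line is not a keyword argument — JavaScript has none — but an assignment to an implicitly created global named `async`, whose value `true` is then passed positionally. It happens to work in sloppy mode, throws a ReferenceError under `'use strict'` or inside a module, and leaks a global; write `request.open('POST', url, true);`. The enclosing function starts and ends outside the hunk, so also confirm that nothing after `send()` reads `request.responseText` synchronously now that the call no longer blocks.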


@ -61,7 +61,7 @@
{% endif %}
{% sqrl as sqrl_session %}
{% if sqrl_session.sqrl_url %}
<fieldset class="module aligned">
<div class="sqrl-wrap">
SQRL Login
@ -80,6 +80,9 @@
<input type="submit" value="Manage SQRL" class="default" style="float: left;">
</div>
</form>
{% else %}
<p><strong>You are not connected on a secure connection. For your safety, SQRL login is disabled. It is advised that you do not log into this website at all until you are connected via a HTTPS connection.</strong></p>
{% endif %}
</div>
{% endblock %}


@ -6,6 +6,7 @@
{{ block.super }}
<link rel="stylesheet" type="text/css" href="{% static 'admin/css/login.css' %}"/>
<link rel="stylesheet" type="text/css" href="{% static 'admin/sqrl.css' %}"/>
<link rel="stylesheet" type="text/css" href="{% static 'sqrl/dropin.css' %}"/>
{% endblock %}
{% block bodyclass %}{{ block.super }} login{% endblock %}
@ -58,13 +59,14 @@
</form>
{% sqrl as sqrl_session %}
{% if sqrl_session.sqrl_url %}
<form method="get" action="{{ sqrl_session.sqrl_url }}" class="sqrl">
<p class="align-center or">
<span class="line-center">or</span>
</p>
<div>
<div class="sqrl-parent">
<h3>Login using SQRL</h3>
<div class="sqrl-wrap">
@ -87,5 +89,10 @@
document.getElementById('id_username').focus()
</script>
<script type="application/javascript" src="{% static 'sqrl/sqrl.js' %}"></script>
{% else %}
<div class="sqrl-parent">
<p><strong>You are not connected on a secure connection. For your safety, SQRL login is disabled. It is advised that you do not log into this website at all until you are connected via a HTTPS connection.</strong></p>
</div>
{% endif %}
</div>
{% endblock %}


@ -1,6 +1,8 @@
{% load static %}
{% load sqrl %}
<link type="text/css" rel="stylesheet" href="{% static 'sqrl/dropin.css' %}"/>
{% if sqrl_session.sqrl_url %}
<div class="sqrl-parent">
<form class="sqrl-form" method="get" action="{{ sqrl_session.sqrl_url }}">
<div class="sqrl-wrap">
@ -16,5 +18,10 @@
<input type="submit" value="Authenticate using SQRL">
</form>
</div>
{% else %}
<div class="sqrl-parent">
<p><strong>You are not connected on a secure connection. For your safety, SQRL login is disabled. It is advised that you do not log into this website at all until you are connected via a HTTPS connection.</strong></p>
</div>
{% endif %}
<script>SQRL_NEXT="{{ redir }}"; SQRL_CHECK_URL="{% sqrl_status_url_script_tag sqrl_session %}"</script>
<script type="application/javascript" src="{% static 'sqrl/sqrl.js' %}"></script>
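Review bot: The `SQRL_NEXT`/`SQRL_CHECK_URL` script and the `sqrl/sqrl.js` include on the last two lines sit after `{% endif %}`, so on an insecure connection the polling script still loads and starts polling the status URL even though the commit hides the login form; the admin login template in this same commit keeps the include inside the `{% if sqrl_session.sqrl_url %}` branch. Move both `<script>` lines above `{% else %}` so they are emitted only together with the form. Unlike the other templates this snippet does not call `{% sqrl as sqrl_session %}` itself, so `sqrl_session` presumably comes from the including view's context — confirm every include path provides it, since an unset variable makes the new `{% if %}` silently false and shows the insecure-connection message on HTTPS.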


@ -7,6 +7,8 @@ import django
DEBUG = True
#DEBUG = False
ALLOWED_HOSTS = ["localhost"]
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
DATABASES = {