Remove obsolete "qrl" schema, enforce SSL connections
parent
9268fce1af
commit
6203bb2fab
8 changed files with 49 additions and 10 deletions
14
CHANGELOG
14
CHANGELOG
|
@ -1,3 +1,17 @@
|
|||
Sat, 14 Sep 2019 07:33:09 -0500
|
||||
Keaton <kii-chan@tutanota.com>
|
||||
Remove obsolete "qrl" schema, enforce SSL connections
|
||||
|
||||
- As suspected, "qrl" URLs were a remnant of early versions of the protocol.
|
||||
Removed that functionality.
|
||||
- In its place, `sqrl_url` now spits out `None` if the connection is not SSL.
|
||||
The default templates have been updated to display a message urging the user
|
||||
to not log in until they have secured their connection, as well as remove the
|
||||
QR code.
|
||||
- Made the JS polling async, because Firefox was scolding me.
|
||||
|
||||
--------------------
|
||||
|
||||
Sat, 14 Sep 2019 06:03:32 -0500
|
||||
Keaton <kii-chan@tutanota.com>
|
||||
Remove old RST's, update README
|
||||
|
|
11
README.md
11
README.md
|
@ -164,13 +164,22 @@ following essential tags:
|
|||
{% load static %}
|
||||
{% load sqrl %}
|
||||
{% sqrl as sqrl_session %}
|
||||
|
||||
{% if session_sqrl.sqrl_url %}
|
||||
<a href="{{ sqrl_session.sqrl_url }}">
|
||||
<div id="sqrl-qr" data-sqrl="{{ sqrl_session.sqrl_url }}"></div>
|
||||
</a>
|
||||
<script>SQRL_NEXT="{{ your desired redirect }}"; SQRL_CHECK_URL="{% sqrl_status_url_script_tag sqrl_session %}"</script>
|
||||
<script>SQRL_NEXT="{{ your desired redirect (not namespace) }}"; SQRL_CHECK_URL="{% sqrl_status_url_script_tag sqrl_session %}"</script>
|
||||
<script type="application/javascript" src="{% static 'sqrl/sqrl.js' %}"></script>
|
||||
{% else $}
|
||||
<p>You are not connected via HTTPS, therefore you may not log in using SQRL.</p>
|
||||
{% endif %}
|
||||
```
|
||||
|
||||
Note that the `session_sqrl.sqrl_url` function will return `None` if the user
|
||||
connects over an insecure HTTP connection. If you make your own template, please
|
||||
be sure to account for this situation as in the above example.
|
||||
|
||||
## Management Command
|
||||
|
||||
SQRL uses server state to keep track of open SQRL transactions in order to
|
||||
|
|
|
@ -137,9 +137,6 @@ class SQRLInitialization(object):
|
|||
"""
|
||||
Property for getting full SQRL auth view URL including SQRL scheme and full domain with port.
|
||||
"""
|
||||
return (
|
||||
'{scheme}://{host}{url}'
|
||||
''.format(scheme='sqrl' if self.request.is_secure() else 'qrl',
|
||||
host=self.request.get_host(),
|
||||
url=self.url)
|
||||
)
|
||||
if self.request.is_secure():
|
||||
return 'sqrl://{host}{url}'.format(host=self.request.get_host(),url=self.url)
|
||||
return None
|
||||
|
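Review bot: The docstring kept as context at the top of this hunk still says the property returns the "full SQRL auth view URL", but the new body returns `None` whenever `self.request.is_secure()` is false, so the changed contract is undocumented at the one place callers will read; add a line such as `Returns None when the request is not secure (request.is_secure() is False); callers must handle the missing URL.` The `def`/decorator line of `sqrl_url` lies above the hunk, so the signature is not visible here. Note also that `request.is_secure()` only reflects TLS terminated by a reverse proxy when Django's `SECURE_PROXY_SSL_HEADER` setting is configured, so behind a TLS-terminating load balancer this change disables SQRL login entirely unless that setting is in place — worth a sentence in the docstring or README.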
|
|
@ -32,7 +32,7 @@
|
|||
url = url + encodeURIComponent(current_url);
|
||||
}
|
||||
|
||||
request.open('POST', url, false);
|
||||
request.open('POST', url, async=true);
|
||||
request.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
|
||||
request.onreadystatechange = handleStateChange;
|
||||
|
||||
|
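Review bot: `request.open('POST', url, async=true);` on the new side of the hunk is not a named argument — JavaScript has none — but an assignment to an undeclared global `async`, whose value `true` is then passed as the third parameter. It works by accident in sloppy mode and throws a ReferenceError under `'use strict'` (or a module script); change it to `request.open('POST', url, true);`. The enclosing function starts and ends outside the hunk.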
|
|
@ -61,7 +61,7 @@
|
|||
{% endif %}
|
||||
|
||||
{% sqrl as sqrl_session %}
|
||||
|
||||
{% if sqrl_session.sqrl_url %}
|
||||
<fieldset class="module aligned">
|
||||
<div class="sqrl-wrap">
|
||||
SQRL Login
|
||||
|
@ -80,6 +80,9 @@
|
|||
<input type="submit" value="Manage SQRL" class="default" style="float: left;">
|
||||
</div>
|
||||
</form>
|
||||
{% else %}
|
||||
<p><strong>You are not connected on a secure connection. For your safety, SQRL login is disabled. It is advised that you do not log into this website at all until you are connected via a HTTPS connection.</strong></p>
|
||||
{% endif %}
|
||||
|
||||
</div>
|
||||
{% endblock %}
|
||||
|
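Review bot: The `{% else %}` warning paragraph added in this hunk is the same sentence copied verbatim into the login template and the dropin template changed in this commit; a shared include (for example `{% include "sqrl/insecure_warning.html" %}`, path illustrative) would keep the wording in one place and let a project override it. This applies to all three templates; the point is made only here.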
|
|
@ -6,6 +6,7 @@
|
|||
{{ block.super }}
|
||||
<link rel="stylesheet" type="text/css" href="{% static 'admin/css/login.css' %}"/>
|
||||
<link rel="stylesheet" type="text/css" href="{% static 'admin/sqrl.css' %}"/>
|
||||
<link rel="stylesheet" type="text/css" href="{% static 'sqrl/dropin.css' %}"/>
|
||||
{% endblock %}
|
||||
|
||||
{% block bodyclass %}{{ block.super }} login{% endblock %}
|
||||
|
@ -58,13 +59,14 @@
|
|||
</form>
|
||||
|
||||
{% sqrl as sqrl_session %}
|
||||
{% if sqrl_session.sqrl_url %}
|
||||
|
||||
<form method="get" action="{{ sqrl_session.sqrl_url }}" class="sqrl">
|
||||
<p class="align-center or">
|
||||
<span class="line-center">or</span>
|
||||
</p>
|
||||
|
||||
<div>
|
||||
<div class="sqrl-parent">
|
||||
<h3>Login using SQRL</h3>
|
||||
|
||||
<div class="sqrl-wrap">
|
||||
|
@ -87,5 +89,10 @@
|
|||
document.getElementById('id_username').focus()
|
||||
</script>
|
||||
<script type="application/javascript" src="{% static 'sqrl/sqrl.js' %}"></script>
|
||||
{% else %}
|
||||
<div class="sqrl-parent">
|
||||
<p><strong>You are not connected on a secure connection. For your safety, SQRL login is disabled. It is advised that you do not log into this website at all until you are connected via a HTTPS connection.</strong></p>
|
||||
</div>
|
||||
{% endif %}
|
||||
</div>
|
||||
{% endblock %}
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{% load static %}
|
||||
{% load sqrl %}
|
||||
|
||||
<link type="text/css" rel="stylesheet" href="{% static 'sqrl/dropin.css' %}"/>
|
||||
{% if sqrl_session.sqrl_url %}
|
||||
<div class="sqrl-parent">
|
||||
<form class="sqrl-form" method="get" action="{{ sqrl_session.sqrl_url }}">
|
||||
<div class="sqrl-wrap">
|
||||
|
@ -16,5 +18,10 @@
|
|||
<input type="submit" value="Authenticate using SQRL">
|
||||
</form>
|
||||
</div>
|
||||
{% else %}
|
||||
<div class="sqrl-parent">
|
||||
<p><strong>You are not connected on a secure connection. For your safety, SQRL login is disabled. It is advised that you do not log into this website at all until you are connected via a HTTPS connection.</strong></p>
|
||||
</div>
|
||||
{% endif %}
|
||||
<script>SQRL_NEXT="{{ redir }}"; SQRL_CHECK_URL="{% sqrl_status_url_script_tag sqrl_session %}"</script>
|
||||
<script type="application/javascript" src="{% static 'sqrl/sqrl.js' %}"></script>
|
||||
|
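Review bot: In the second hunk the `{% endif %}` closes before the two `<script>` lines, so on a non-HTTPS request the page still sets `SQRL_CHECK_URL` and loads `sqrl/sqrl.js`, and whatever polling that script starts keeps posting to the status endpoint although no SQRL login can begin. Moving `{% endif %}` below the two script tags, or wrapping them in their own `{% if sqrl_session.sqrl_url %}`, keeps the insecure branch inert. The first hunk's `{% if sqrl_session.sqrl_url %}` also relies on `sqrl_session` already being in the context — unlike the admin templates there is no `{% sqrl as sqrl_session %}` visible in this file's hunks — which is fine if an inclusion tag supplies it, but worth confirming.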
|
|
@ -7,6 +7,8 @@ import django
|
|||
|
||||
|
||||
DEBUG = True
|
||||
#DEBUG = False
|
||||
ALLOWED_HOSTS = ["localhost"]
|
||||
|
||||
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
|
||||
DATABASES = {
|
||||
|
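Review bot: Committing `DEBUG = True` next to a commented-out `#DEBUG = False` leaves a dead toggle in the settings module; if one of these is the added line, prefer a single expression driven by the environment, e.g. `DEBUG = os.environ.get("DJANGO_DEBUG", "1") == "1"` (`os` is already used on the `BASE_DIR` line; the variable name is illustrative). If this module is only the test/demo project's settings, as the `import django` in the hunk header suggests, the point is cosmetic.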
|