authorFrédéric Mangano-Tarumi <fmang@mg0.fr>2020-07-20 16:25:11 +0200
committerLukas Fleischer <lfleischer@archlinux.org>2021-02-20 17:24:30 +0100
commit0e08b151e5c3606e573b1f7113466b5dd6efdcef (patch)
treec1e5112c6b4b8e585b751b5fd5dd8c8a122aa150 /aurweb
parent357dba87b3ee784a4201a7bb56befb105b81bbf5 (diff)
SSO: Port IP ban checking
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'aurweb')
-rw-r--r--aurweb/routers/sso.py19
1 files changed, 17 insertions, 2 deletions
diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
index 04ecdca6..efd4462c 100644
--- a/aurweb/routers/sso.py
+++ b/aurweb/routers/sso.py
@@ -14,7 +14,7 @@ from starlette.requests import Request
import aurweb.config
import aurweb.db
-from aurweb.schema import Sessions, Users
+from aurweb.schema import Bans, Sessions, Users
router = fastapi.APIRouter()
@@ -57,13 +57,28 @@ def open_session(conn, user_id):
return sid
+def is_ip_banned(conn, ip):
+ """
+ Check if an IP is banned. `ip` is a string and may be an IPv4 as well as an
+ IPv6, depending on the server’s configuration.
+ """
+ result = conn.execute(Bans.select().where(Bans.c.IPAddress == ip))
+ return result.fetchone() is not None
+
+
@router.get("/sso/authenticate")
async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
"""
Receive an OpenID Connect ID token, validate it, then process it to create
an new AUR session.
"""
- # TODO check for banned IPs
+ # TODO Handle translations
+ if is_ip_banned(conn, request.client.host):
+ raise HTTPException(
+ status_code=403,
+ detail='The login form is currently disabled for your IP address, '
+ 'probably due to sustained spam attacks. Sorry for the '
+ 'inconvenience.')
token = await oauth.sso.authorize_access_token(request)
user = await oauth.sso.parse_id_token(request, token)
sub = user.get("sub") # this is the SSO account ID in JWT terminology
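Review bot: The new ban check at `is_ip_banned(conn, request.client.host)` dereferences `request.client` without a None check; Starlette's `Request.client` is optional (it is absent, for example, when the ASGI server cannot supply a peer address), so the handler would fail with an AttributeError instead of a clean response. Bind the address first and handle the missing case explicitly, e.g. `client_ip = request.client.host if request.client is not None else None` followed by `if client_ip is not None and is_ip_banned(conn, client_ip):`, choosing deliberately whether an unknown address should be allowed through. If the application is served behind a reverse proxy, `request.client.host` is presumably the proxy's address rather than the end user's unless forwarded-header handling is configured, which would make the ban list match nothing (or everyone); worth confirming against the deployment. In `is_ip_banned`, `Bans.select()` pulls full rows only to test for existence; selecting a single column, e.g. `Bans.select(Bans.c.IPAddress)` or an `exists()` query, expresses the intent and avoids fetching unused data. The docstring notes IPv6 may appear, so a comment that the comparison is on the textual form and relies on bans being stored in the same representation would help the next reader. The authenticate function continues past the end of the hunk.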