Prevent 401 on main admin page

When you are not logged in and have no cookie etc., we always returned a 401.
This was mainly to allow the login page on all the sub pages, and after
login being redirected to the requested page; for these pages a 401 is a
valid response, since you do not have access.

But for the main `/admin` page, it should just respond with a `200` and
show the login page.

This PR fixes this flow and response. It should prevent people using
Fail2ban, or other tools being triggered by only accessing the login page.

Resolves 
BlackDex 2023-05-25 23:12:24 +02:00
parent 9e5b049dca
commit 636f16dc66
No known key found for this signature in database
GPG key ID: 58C80A2AA6C765E1


@ -36,6 +36,7 @@ pub fn routes() -> Vec<Route> {
get_user_by_mail_json,
post_admin_login,
admin_page,
admin_page_login,
invite_user,
logout,
delete_user,
@ -256,6 +257,11 @@ fn admin_page(_token: AdminToken) -> ApiResult<Html<String>> {
render_admin_page()
}
#[get("/", rank = 2)]
fn admin_page_login() -> ApiResult<Html<String>> {
render_admin_login(None, None)
}
#[derive(Deserialize, Debug)]
#[allow(non_snake_case)]
struct InviteData {
@ -761,7 +767,17 @@ impl<'r> FromRequest<'r> for AdminToken {
let access_token = match cookies.get(COOKIE_NAME) {
Some(cookie) => cookie.value(),
None => return Outcome::Failure((Status::Unauthorized, "Unauthorized")),
None => {
let requested_page =
request.segments::<std::path::PathBuf>(0..).unwrap_or_default().display().to_string();
// When the requested page is empty, it is `/admin`, in that case, Forward, so it will render the login page
// Else, return a 401 failure, which will be caught
if requested_page.is_empty() {
return Outcome::Forward(Status::Unauthorized);
} else {
return Outcome::Failure((Status::Unauthorized, "Unauthorized"));
}
}
};
if decode_admin(access_token).is_err() {