added setting to turn off login/edits - LOGIN_AND_EDITS
@@ -13,6 +13,18 @@ import (
|
||||
|
||||
const csrfSessionKey = "csrf_token"
|
||||
|
||||
// RequireLoginAndEdits blocks access if LoginAndEdits setting is false.
|
||||
func (s *Server) RequireLoginAndEdits() gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
if !s.config.LoginAndEdits {
|
||||
c.Redirect(http.StatusFound, s.config.URLPrefix+"/?error=not_found")
|
||||
c.Abort()
|
||||
return
|
||||
}
|
||||
c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) randomToken(n int) (string, error) {
|
||||
b := make([]byte, n)
|
||||
if _, err := rand.Read(b); err != nil {
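Review bot: With the setting off, RequireLoginAndEdits answers every HTTP method with a 302 to the index page, so a blocked POST (login, MFA verify, note creation) looks like a normal redirect to clients and in access logs instead of a refusal. Returning an explicit status for the disabled feature, for example `c.AbortWithStatus(http.StatusNotFound)`, at least for non-GET requests, makes the block unambiguous and easier to alert on. The doc comment should also say what happens when the setting is absent: the check `!s.config.LoginAndEdits` blocks on the bool's zero value, so unless the config loader sets a default of true (not visible here) the gate is closed by default, which is worth stating as `// A false or unset LoginAndEdits blocks the route.` once confirmed.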
|
||||
|
||||
@@ -105,15 +105,15 @@ func (s *Server) setupRoutes() {
|
||||
r.GET("/view_text/*path", h.ViewTextHandler)
|
||||
|
||||
// Auth routes
|
||||
r.GET("/editor/login", h.LoginPage)
|
||||
r.POST("/editor/login", s.CSRFRequire(), h.LoginPost)
|
||||
r.GET("/editor/login", s.RequireLoginAndEdits(), h.LoginPage)
|
||||
r.POST("/editor/login", s.RequireLoginAndEdits(), s.CSRFRequire(), h.LoginPost)
|
||||
r.POST("/editor/logout", s.RequireAuth(), s.CSRFRequire(), h.LogoutPost)
|
||||
// MFA challenge routes (no auth yet, but CSRF)
|
||||
r.GET("/editor/mfa", s.CSRFRequire(), h.MFALoginPage)
|
||||
r.POST("/editor/mfa", s.CSRFRequire(), h.MFALoginVerify)
|
||||
r.GET("/editor/mfa", s.RequireLoginAndEdits(), s.CSRFRequire(), h.MFALoginPage)
|
||||
r.POST("/editor/mfa", s.RequireLoginAndEdits(), s.CSRFRequire(), h.MFALoginVerify)
|
||||
|
||||
// New /editor group protected by auth + CSRF
|
||||
editor := r.Group("/editor", s.RequireAuth(), s.CSRFRequire())
|
||||
// New /editor group protected by auth + CSRF + LoginAndEdits
|
||||
editor := r.Group("/editor", s.RequireLoginAndEdits(), s.RequireAuth(), s.CSRFRequire())
|
||||
{
|
||||
editor.GET("/create", h.CreateNotePageHandler)
|
||||
editor.POST("/create", h.CreateNoteHandler)
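Review bot: The gate is attached to each login and MFA registration by hand, while `/editor/logout` is left without it and without a comment saying that is deliberate. If it is intentional, presumably so that sessions created before the setting was switched off can still be ended, say so next to the route, e.g. `// logout stays reachable when LoginAndEdits is off so existing sessions can be terminated`. setupRoutes starts and continues outside this hunk, so it is not possible to confirm from here that every state-changing route is covered. Registering the login, MFA and editor routes under one parent group that carries `s.RequireLoginAndEdits()` would keep a future `/editor` route from missing the gate. A route-table test that asserts every `/editor/*` path is refused when the setting is false would then catch regressions.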
|
||||
|
||||