chore: Add CSRF token error logging and IP/User-Agent validation logging in web UI

This commit is contained in:
Théophile Diot 2024-08-09 17:30:17 +01:00
parent bea9a7b87d
commit 0f19335e47
No known key found for this signature in database
GPG key ID: FA995104A0BA376A


@ -518,6 +518,7 @@ def handle_csrf_error(_):
:param e: The exception object
:return: A template with the error message and a 401 status code.
"""
app.logger.error(f"CSRF token is missing or invalid for {request.path} by {current_user.get_id()}")
logout()
flash("Wrong CSRF token !", "error")
if not current_user:
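Review bot: The added error log on line 16 formats `request.path` eagerly through an f-string, and in a CSRF-failure handler the requester is by definition untrusted, so the lazy %-style form with `%r` is preferable: control characters in the path are then escaped instead of written raw into the log, and the formatting cost is only paid when the record is emitted, `app.logger.error("CSRF token is missing or invalid for %r by %s", request.path, current_user.get_id())`. Reading `current_user.get_id()` before `logout()` is the right order, since the id is gone after logout; a short comment such as `# read the id before logout() clears the session` would keep a future reorder from losing it. The body of handle_csrf_error continues past the hunk.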
@ -587,8 +588,10 @@ def before_request():
return redirect(url_for("totp", next=request.form.get("next")))
passed = False
elif current_user.last_login_ip != request.remote_addr:
app.logger.warning(f"User {current_user.get_id()} tried to access his session with a different IP address.")
passed = False
elif session.get("user_agent") != request.headers.get("User-Agent"):
app.logger.warning(f"User {current_user.get_id()} tried to access his session with a different User-Agent.")
passed = False
if not passed: