From 636f16dc666ce100cbe55cb7b9fc745878f8f0da Mon Sep 17 00:00:00 2001
From: BlackDex
Date: Thu, 25 May 2023 23:12:24 +0200
Subject: [PATCH] Prevent 401 on main admin page

When you are not loggedin, and have no cookie etc.. we always returned a 401. This was mainly to allow the login page on all the sub pages, and after login being redirected to the requested page, for these pages a 401 is a valid response, since, you do not have access. But for the main `/admin` page, it should just respond with a `200` and show the login page. This PR fixes this flow and response. It should prevent people using Fail2ban, or other tools being triggered by only accessing the login page. Resolves #3540
---
 src/api/admin.rs | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/api/admin.rs b/src/api/admin.rs
index 6ec71ee3..29cb42ec 100644
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -36,6 +36,7 @@ pub fn routes() -> Vec {
 get_user_by_mail_json,
 post_admin_login,
 admin_page,
+ admin_page_login,
 invite_user,
 logout,
 delete_user,
@@ -256,6 +257,11 @@ fn admin_page(_token: AdminToken) -> ApiResult> {
 render_admin_page()
 }
 
+#[get("/", rank = 2)]
+fn admin_page_login() -> ApiResult> {
+ render_admin_login(None, None)
+}
+
 #[derive(Deserialize, Debug)]
 #[allow(non_snake_case)]
 struct InviteData {
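Review bot: The new `admin_page_login` route in the second hunk has no doc comment, and because it carries no request guard its behaviour depends entirely on two things that are not visible at its definition: the `AdminToken` guard on `admin_page` forwarding for the bare `/admin` path, and `rank = 2` placing it after that guarded route. Suggested comment above the attribute: `/// Fallback for the bare /admin path: reached only when the AdminToken guard on admin_page forwards (no admin cookie); renders the login form with a 200 instead of a 401. rank = 2 keeps the guarded admin_page as the first candidate.` Since the handler itself performs no check, any later change that makes the guard forward in further cases would silently route those requests here as well, so the comment should also state that this route stays guard-free only while the guard forwards solely on a missing cookie. The `admin_page` function whose body opens this hunk starts above the hunk.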
@@ -761,7 +767,17 @@ impl<'r> FromRequest<'r> for AdminToken {
 let access_token = match cookies.get(COOKIE_NAME) {
 Some(cookie) => cookie.value(),
- None => return Outcome::Failure((Status::Unauthorized, "Unauthorized")),
+ None => {
+ let requested_page =
+ request.segments::(0..).unwrap_or_default().display().to_string();
+ // When the requested page is empty, it is `/admin`, in that case, Forward, so it will render the login page
+ // Else, return a 401 failure, which will be caught
+ if requested_page.is_empty() {
+ return Outcome::Forward(Status::Unauthorized);
+ } else {
+ return Outcome::Failure((Status::Unauthorized, "Unauthorized"));
+ }
+ }
 };
 
 if decode_admin(access_token).is_err() {