Florent Daigniere
a4ed464170
doh
2022-03-09 19:29:39 +01:00
Florent Daigniere
7bd1fd3489
fix 2145
2022-01-07 09:07:32 +01:00
Florent Daigniere
7f89a29790
Fix 2125
...
Make the caller responsible for knowing whether the rate-limit code should
be called or not
2022-01-03 13:38:21 +01:00
Florent Daigniere
fe18cf9743
Fix 2080
...
Ensure that webmail tokens are in sync with sessions
2021-12-19 23:24:44 +01:00
Florent Daigniere
f3c93212c6
The Rate-limiter should run after the deny
2021-10-31 19:41:12 +01:00
Dimitri Huisman
44d2448412
Updated SSO logic for webmails. Fixed small bug in rate limiting.
2021-10-25 19:21:38 +00:00
Florent Daigniere
98742268e6
Make it more readable
2021-10-16 15:12:20 +02:00
Florent Daigniere
94bbed9746
Ensure we have the right IP
2021-10-16 10:39:43 +02:00
Florent Daigniere
3bda8368e4
simplify the Auth-Status check
2021-10-16 09:39:34 +02:00
Florent Daigniere
2dd9ea1506
simplify
2021-10-16 09:36:49 +02:00
Florent Daigniere
89ea51d570
Implement rate-limits
2021-09-23 18:40:49 +02:00
Dimitri Huisman
169a540692
Use punycode for HTTP header for radicale and create changelog
2021-08-27 08:20:52 +00:00
Dimitri Huisman
4f5cb0974e
Make sure HTTP header only contains ASCII
2021-08-26 15:11:35 +00:00
Florent Daigniere
a0dcd46483
fix #1861: Handle colons in passwords
2021-07-14 09:27:00 +02:00
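The commits "Make sure HTTP header only contains ASCII", "Use punycode for HTTP header for radicale" and "fix #1861: Handle colons in passwords" above touch the same input-handling boundary: credentials arrive base64-encoded in an HTTP Basic header, and the authenticated address is then forwarded to a backend in another HTTP header. The block below is an added example, not the project's own code. It assumes that the colon bug is the classic one of splitting a decoded `user:password` string on every colon instead of only the first, and that the ASCII/punycode requirement applies to a header carrying the user's e-mail address to a backend such as radicale; the function names, the header parsing and the sample credential are all constructed for this illustration.

```python
import base64
import binascii

# Constructed sample credential for the demo (not taken from the project):
# the password itself contains colons, which RFC 7617 allows.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"bob@example.com:p:a:ss").decode("ascii")


def parse_basic_auth(header_value):
    """Return (user, password) from an HTTP Basic Authorization value, or None.

    RFC 7617 forbids a colon in the user-id but allows any number of colons in
    the password, so the decoded credential is split on the FIRST colon only.
    Malformed input (wrong scheme, bad base64, no colon, empty user) yields None
    rather than an exception, so a caller treats it as "no credentials".
    """
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded.strip():
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def split_credentials_naive(decoded):
    """The bug class a "handle colons in passwords" fix addresses: splitting on
    every colon silently truncates the password "p:a:ss" to "p" (and a
    two-name tuple unpacking of the same split raises instead)."""
    parts = decoded.split(":")
    return parts[0], parts[1]


def forwarded_user_header(email):
    """Build an ASCII-only header value carrying an authenticated address.

    Header values must be ASCII and free of control characters (a CR/LF in a
    user-controlled value would let extra headers be injected). An
    internationalized domain is converted to its punycode (IDNA) form; a
    non-ASCII local part has no standard ASCII form and is rejected.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in email):
        raise ValueError("control character in address")
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    if not local.isascii():
        raise ValueError("non-ASCII local part cannot be placed in a header")
    try:
        ascii_domain = domain.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid domain: {exc}") from exc
    value = f"{local}@{ascii_domain}"
    assert value.isascii()  # never emit a non-ASCII header value
    return value


if __name__ == "__main__":
    user, password = parse_basic_auth(SAMPLE_HEADER)
    print(user, repr(password))                           # bob@example.com 'p:a:ss'
    print(split_credentials_naive(f"{user}:{password}"))  # ('bob@example.com', 'p')
    print(forwarded_user_header("bob@bücher.example"))    # bob@xn--bcher-kva.example
```

`str.partition` (or `split(":", 1)`) is the whole fix for the credential side; the header side matters because a backend that receives a raw UTF-8 address in a header either rejects the request or, worse, sees a different identity than the one that authenticated, so the conversion is done once, at the boundary, and verified to be ASCII before it leaves.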
Florent Daigniere
dd3d03f06d
Merge remote-tracking branch 'upstream/master' into webmail-sso
2021-03-10 14:41:12 +01:00
Florent Daigniere
df230cb482
Refactor auth under nginx.check_credentials()
2021-03-09 12:05:46 +01:00
Florent Daigniere
eb7895bd1c
Don't do more work than necessary (/webdav)
...
This is also fixing tokens on /webdav/
2021-03-09 12:04:42 +01:00
Florent Daigniere
906a051925
Make rainloop use internal auth
2021-02-07 17:50:17 +01:00
kaiyou
8e88f1b8c3
Refactor the rate limiting code
...
Rate limiting was already redesigned to use Python limits. This
introduced some unexpected behavior, including the fact that only
one criterion is supported per limiter. Docs and setup utility are
updated with this in mind.
Also, the code was made more generic, so limiters can be delivered
for something other than authentication. Authentication-specific
code was moved directly to the authentication routine.
2020-02-09 17:38:18 +01:00
Michael Wyraz
bee80b5c64
Remove rate limit reset
2019-12-06 11:02:21 +01:00
Michael Wyraz
889386b4a6
Limiter implementation
2019-12-06 09:35:21 +01:00
kaiyou
087841d5b7
Fix the way we handle the application context
...
The init script was pushing an application context, which made
flask.g global and persisted across requests. This was evaluated
to have a minimal security impact.
This explains/fixes #738: flask_wtf caches the csrf token in the
application context to have a single token per request, and only
sets the session attribute after the first generation.
2018-12-13 14:23:17 +01:00
kaiyou
fc24426291
First batch of refactoring, using the app factory pattern
2018-10-18 15:57:43 +02:00
kaiyou
42c6bdb4df
Split the internal blueprint into multiple view files
2018-09-27 16:09:38 +02:00