Merge pull request #4035 from alphagov/no-webauthn-🤖s
Ensure only logged in users can see /webauthn/register
@@ -13,9 +13,11 @@ from app.utils.login import (
|
||||
log_in_user,
|
||||
redirect_to_sign_in,
|
||||
)
|
||||
from app.utils.user import user_is_logged_in
|
||||
|
||||
|
||||
@main.route('/webauthn/register')
|
||||
@user_is_logged_in
|
||||
def webauthn_begin_register():
|
||||
if not current_user.can_use_webauthn:
|
||||
abort(403)
|
||||
@@ -38,6 +40,7 @@ def webauthn_begin_register():
|
||||
|
||||
|
||||
@main.route('/webauthn/register', methods=['POST'])
|
||||
@user_is_logged_in
|
||||
def webauthn_complete_register():
|
||||
if 'webauthn_registration_state' not in session:
|
||||
return cbor.encode("No registration in progress"), 400
|
||||
|
||||
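Review bot: In `webauthn_complete_register` the only guards visible are the new `@user_is_logged_in` decorator and the session-state check; the `current_user.can_use_webauthn` check that `webauthn_begin_register` performs is not repeated in the lines shown. The function body continues outside the hunk, but if it does not check this either, the POST handler relies on earlier session state as its only authorisation signal, and adding `if not current_user.can_use_webauthn:` followed by `abort(403)` at the top would keep the two endpoints consistent. The decorator order is correct, with `@main.route` outermost so that the registered view is the wrapped one, and a short comment such as `# keep @user_is_logged_in below @main.route so the login check is part of the registered view` would guard against a later reorder dropping the check. A test asserting that signed-out GET and POST requests to `/webauthn/register` never reach the view body would pin the fix; none is visible on this page.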