From 588511036084267376d413f64b8a04fd4113059e Mon Sep 17 00:00:00 2001
From: Katie Smith
Date: Tue, 5 Oct 2021 09:11:02 +0100
Subject: [PATCH] Ensure only logged in users can see /webauthn/register

There are no links to the `webauthn_begin_register` route - you are only taken there if you are logged in and have clicked to register a key. However, we have seen this route being crawled by bots making a GET request which gives a `500` status code error because there isn't a logged in current_user.

For consistency, this also adds teh decorator to the POST route.
---
 app/main/views/webauthn_credentials.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/main/views/webauthn_credentials.py b/app/main/views/webauthn_credentials.py
index 47a4b2e3e..38895ac08 100644
--- a/app/main/views/webauthn_credentials.py
+++ b/app/main/views/webauthn_credentials.py
@@ -13,9 +13,11 @@ from app.utils.login import (
     log_in_user,
     redirect_to_sign_in,
 )
+from app.utils.user import user_is_logged_in
 
 
 @main.route('/webauthn/register')
+@user_is_logged_in
 def webauthn_begin_register():
     if not current_user.can_use_webauthn:
         abort(403)
@@ -38,6 +40,7 @@ def webauthn_begin_register():
 
 
 @main.route('/webauthn/register', methods=['POST'])
+@user_is_logged_in
 def webauthn_complete_register():
     if 'webauthn_registration_state' not in session:
         return cbor.encode("No registration in progress"), 400
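Review bot: The POST handler in the second hunk answers its JavaScript caller with CBOR bodies (`return cbor.encode("No registration in progress"), 400`), so whatever `user_is_logged_in` returns for an anonymous request will now be delivered to that client instead; if the decorator issues a sign-in redirect, as the `redirect_to_sign_in` import in this module suggests it may, a fetch-based caller would receive an HTML redirect rather than the CBOR error it expects, which is worth confirming or handling with a CBOR-encoded 401 on this route. Placing `@user_is_logged_in` beneath `@main.route` in both hunks is the right order, since the login check wraps the view before the route is registered and so runs before `current_user.can_use_webauthn` is touched. The diffstat shows no test change accompanying the fix; a regression test asserting that an anonymous GET and POST to `/webauthn/register` no longer produce a 500 would pin the behaviour the description reports. Both view functions continue past the end of their hunks.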