mirror of https://github.com/gophish/gophish
Change failed login status code to 401. Fixes #833
Jordan Wright
parent
76ece15b71
commit
227da5c7b9
|
|
@ -108,10 +108,7 @@ func Register(w http.ResponseWriter, r *http.Request) {
|
||||||
succ, err := auth.Register(r)
|
succ, err := auth.Register(r)
|
||||||
//If we've registered, redirect to the login page
|
//If we've registered, redirect to the login page
|
||||||
if succ {
|
if succ {
|
||||||
session.AddFlash(models.Flash{
|
Flash(w, r, "success", "Registration successful!")
|
||||||
Type: "success",
|
|
||||||
Message: "Registration successful!.",
|
|
||||||
})
|
|
||||||
session.Save(r, w)
|
session.Save(r, w)
|
||||||
http.Redirect(w, r, "/login", 302)
|
http.Redirect(w, r, "/login", 302)
|
||||||
return
|
return
|
||||||
|
|
@ -119,10 +116,7 @@ func Register(w http.ResponseWriter, r *http.Request) {
|
||||||
// Check the error
|
// Check the error
|
||||||
m := err.Error()
|
m := err.Error()
|
||||||
Logger.Println(err)
|
Logger.Println(err)
|
||||||
session.AddFlash(models.Flash{
|
Flash(w, r, "danger", m)
|
||||||
Type: "danger",
|
|
||||||
Message: m,
|
|
||||||
})
|
|
||||||
session.Save(r, w)
|
session.Save(r, w)
|
||||||
http.Redirect(w, r, "/register", 302)
|
http.Redirect(w, r, "/register", 302)
|
||||||
return
|
return
|
||||||
|
|
@ -276,18 +270,26 @@ func Login(w http.ResponseWriter, r *http.Request) {
|
||||||
http.Redirect(w, r, "/", 302)
|
http.Redirect(w, r, "/", 302)
|
||||||
} else {
|
} else {
|
||||||
Flash(w, r, "danger", "Invalid Username/Password")
|
Flash(w, r, "danger", "Invalid Username/Password")
|
||||||
http.Redirect(w, r, "/login", 302)
|
params.Flashes = session.Flashes()
|
||||||
|
session.Save(r, w)
|
||||||
|
templates := template.New("template")
|
||||||
|
_, err := templates.ParseFiles("templates/login.html", "templates/flashes.html")
|
||||||
|
if err != nil {
|
||||||
|
Logger.Println(err)
|
||||||
|
}
|
||||||
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
||||||
|
w.WriteHeader(http.StatusUnauthorized)
|
||||||
|
template.Must(templates, err).ExecuteTemplate(w, "base", params)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Logout destroys the current user session
|
// Logout destroys the current user session
|
||||||
func Logout(w http.ResponseWriter, r *http.Request) {
|
func Logout(w http.ResponseWriter, r *http.Request) {
|
||||||
// If it is a post request, attempt to register the account
|
|
||||||
// Now that we are all registered, we can log the user in
|
|
||||||
session := ctx.Get(r, "session").(*sessions.Session)
|
session := ctx.Get(r, "session").(*sessions.Session)
|
||||||
delete(session.Values, "id")
|
delete(session.Values, "id")
|
||||||
Flash(w, r, "success", "You have successfully logged out")
|
Flash(w, r, "success", "You have successfully logged out")
|
||||||
|
session.Save(r, w)
|
||||||
http.Redirect(w, r, "/login", 302)
|
http.Redirect(w, r, "/login", 302)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -329,5 +331,4 @@ func Flash(w http.ResponseWriter, r *http.Request, t string, m string) {
|
||||||
Type: t,
|
Type: t,
|
||||||
Message: m,
|
Message: m,
|
||||||
})
|
})
|
||||||
session.Save(r, w)
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,9 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/PuerkitoBio/goquery"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (s *ControllersSuite) TestLoginCSRF() {
|
func (s *ControllersSuite) TestLoginCSRF() {
|
||||||
|
|
@ -13,6 +16,60 @@ func (s *ControllersSuite) TestLoginCSRF() {
|
||||||
"password": {"gophish"},
|
"password": {"gophish"},
|
||||||
})
|
})
|
||||||
|
|
||||||
s.Equal(resp.StatusCode, 403)
|
s.Equal(resp.StatusCode, http.StatusForbidden)
|
||||||
fmt.Println(err)
|
fmt.Println(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *ControllersSuite) TestInvalidCredentials() {
|
||||||
|
resp, err := http.Get(fmt.Sprintf("%s/login", as.URL))
|
||||||
|
s.Equal(err, nil)
|
||||||
|
s.Equal(resp.StatusCode, http.StatusOK)
|
||||||
|
|
||||||
|
doc, err := goquery.NewDocumentFromResponse(resp)
|
||||||
|
s.Equal(err, nil)
|
||||||
|
elem := doc.Find("input[name='csrf_token']").First()
|
||||||
|
token, ok := elem.Attr("value")
|
||||||
|
s.Equal(ok, true)
|
||||||
|
|
||||||
|
client := &http.Client{}
|
||||||
|
req, err := http.NewRequest("POST", fmt.Sprintf("%s/login", as.URL), strings.NewReader(url.Values{
|
||||||
|
"username": {"admin"},
|
||||||
|
"password": {"invalid"},
|
||||||
|
"csrf_token": {token},
|
||||||
|
}.Encode()))
|
||||||
|
s.Equal(err, nil)
|
||||||
|
|
||||||
|
req.Header.Set("Cookie", resp.Header.Get("Set-Cookie"))
|
||||||
|
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
|
||||||
|
|
||||||
|
resp, err = client.Do(req)
|
||||||
|
s.Equal(err, nil)
|
||||||
|
s.Equal(resp.StatusCode, http.StatusUnauthorized)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *ControllersSuite) TestSuccessfulLogin() {
|
||||||
|
resp, err := http.Get(fmt.Sprintf("%s/login", as.URL))
|
||||||
|
s.Equal(err, nil)
|
||||||
|
s.Equal(resp.StatusCode, http.StatusOK)
|
||||||
|
|
||||||
|
doc, err := goquery.NewDocumentFromResponse(resp)
|
||||||
|
s.Equal(err, nil)
|
||||||
|
elem := doc.Find("input[name='csrf_token']").First()
|
||||||
|
token, ok := elem.Attr("value")
|
||||||
|
s.Equal(ok, true)
|
||||||
|
|
||||||
|
client := &http.Client{}
|
||||||
|
req, err := http.NewRequest("POST", fmt.Sprintf("%s/login", as.URL), strings.NewReader(url.Values{
|
||||||
|
"username": {"admin"},
|
||||||
|
"password": {"gophish"},
|
||||||
|
"csrf_token": {token},
|
||||||
|
}.Encode()))
|
||||||
|
s.Equal(err, nil)
|
||||||
|
|
||||||
|
req.Header.Set("Cookie", resp.Header.Get("Set-Cookie"))
|
||||||
|
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
|
||||||
|
|
||||||
|
resp, err = client.Do(req)
|
||||||
|
s.Equal(err, nil)
|
||||||
|
s.Equal(resp.StatusCode, http.StatusOK)
|
||||||
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue