From ec65d1d379cbc166b36adbc905bbe3cb8dee0531 Mon Sep 17 00:00:00 2001
From: Almar Klein
Date: Mon, 16 Dec 2024 10:01:19 +0100
Subject: [PATCH] Add check for localhost login
---
 timetagger/__main__.py | 3 ++-
 timetagger/_config.py | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/timetagger/__main__.py b/timetagger/__main__.py
index 63d6715c..bd5db367 100644
--- a/timetagger/__main__.py
+++ b/timetagger/__main__.py
@@ -202,7 +202,8 @@ async def get_webtoken_localhost(request, auth_info):
 """An authentication handler that provides a webtoken when the hostname is localhost. See `get_webtoken_unsafe()` for details. """
-
+ if not config.bind.startswith("127.0.0.1"):
+ return 403, {}, "Can only login via localhost if the server address (config.bind) is '127.0.0.1'"
 # Don't allow localhost validation when proxy auth is enabled
 if config.proxy_auth_enabled:
 return 403, {}, "forbidden: disabled when proxy auth is available"
diff --git a/timetagger/_config.py b/timetagger/_config.py
index 69a9cad0..3df108cc 100644
--- a/timetagger/_config.py
+++ b/timetagger/_config.py
@@ -13,7 +13,7 @@ def to_bool(value):
 class Config:
 """Object that holds config values.
- * `bind (str)`: the address and port to bind on. Default "0.0.0.0:80".
+ * `bind (str)`: the address and port to bind on. Default "127.0.0.1:8080".
 * `datadir (str)`: the directory to store data. Default "~/_timetagger".
 The user db's are stored in `datadir/users`.
 * `log_level (str)`: the log level for timetagger and asgineer
@@ -43,7 +43,7 @@ class Config:
 """
 _ITEMS = [
- ("bind", str, "0.0.0.0:80"),
+ ("bind", str, "127.0.0.1:8080"),
 ("datadir", str, "~/_timetagger"),
 ("log_level", str, "info"),
 ("credentials", str, ""),
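Review bot: The guard added at the top of get_webtoken_localhost compares `config.bind` by string prefix, so a loopback bind spelled `localhost:8080` or `[::1]:8080` is refused even though the evident intent is "only when the listener is loopback"; splitting off the host part and testing it with `ipaddress.ip_address(host).is_loopback` (accepting `localhost` too) states that intent directly, at the cost of `ipaddress` and `urllib.parse.urlsplit` being in scope, which the hunk does not show. A loopback bind also does not by itself prove the client is local: a reverse proxy on the same machine forwarding to 127.0.0.1:8080 keeps this check green while exposing the handler to the network, so it should sit alongside, not replace, the hostname validation that presumably follows in the rest of the function, which runs past the end of the hunk. The new response text also breaks with the `forbidden: ...` style of the existing 403 two lines below; `"forbidden: localhost login requires config.bind to be a loopback address"` keeps them consistent.
```python
    host = urlsplit("//" + config.bind).hostname or ""
    try:
        is_loopback = host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        is_loopback = False
    if not is_loopback:
        return 403, {}, "forbidden: localhost login requires config.bind to be a loopback address"
    # … unchanged: proxy-auth check and the rest of the handler …
```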
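Review bot: The changed docstring line records the new default but not its consequences: a deployment that relied on the previous `0.0.0.0:80` default now listens only on loopback and on a different port, which is a silent break for container and reverse-proxy setups that never set `bind`, and nothing here says that the localhost login path (the companion change in `__main__.py`) depends on this value being a loopback address. Suggest extending the entry along the lines of `* bind (str): the address and port to bind on. Default "127.0.0.1:8080". Use "0.0.0.0:PORT" to accept connections from other hosts; logging in via localhost only works with a loopback bind.` A matching line in the changelog or release notes would help operators upgrading. The `Config` class continues outside the hunk.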