From 843b59a0ac1e2076a514b9c52fc5c6941b27dff0 Mon Sep 17 00:00:00 2001
From: Tom Hacohen
Date: Mon, 2 Nov 2020 10:16:04 +0200
Subject: [PATCH] Login/Changepassword: change to verifying the hostname without the part.

Verifying the port was causing issues, and anyhow, this check is paranoid and isn't strictly necessary for security. The problem is that Django's `get_host()` and the equivalent on some platforms returns it without the port, though on others (like e.g. the library we use from JS) it returns with the port. This was inconsistent and was causing authentication to fail. We thus relaxed the test to not include the port when matching, which should make it work consistently across all platforms.
---
 django_etebase/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/django_etebase/views.py b/django_etebase/views.py
index a60346b..2dc7adf 100644
--- a/django_etebase/views.py
+++ b/django_etebase/views.py
@@ -710,7 +710,7 @@ class AuthenticationViewSet(viewsets.ViewSet):
         elif challenge_data['userId'] != user.id:
             content = {'code': 'wrong_user', 'detail': 'This challenge is for the wrong user'}
             return Response(content, status=status.HTTP_400_BAD_REQUEST)
-        elif not settings.DEBUG and host != request.get_host():
+        elif not settings.DEBUG and host.split(':', 1)[0] != request.get_host():
             detail = 'Found wrong host name. Got: "{}" expected: "{}"'.format(host, request.get_host())
             content = {'code': 'wrong_host', 'detail': detail}
             return Response(content, status=status.HTTP_400_BAD_REQUEST)
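Review bot: The new comparison on the `+` line strips the port from only one side: Django's `request.get_host()` returns the `Host` header as received, so when the service runs on a non-default port it still carries `:8000` and the check fails exactly as before, and splitting on the first `:` turns an IPv6 literal such as `[::1]:8000` into `[`. Normalize both sides with the same helper, e.g. `elif not settings.DEBUG and split_domain_port(host)[0] != split_domain_port(request.get_host())[0]:` with `from django.http.request import split_domain_port`, which handles bracketed IPv6 hosts, lowercases the domain (if I recall its implementation correctly), and returns an empty domain for a malformed value so a garbage `host` still fails closed with `wrong_host`. Because this `elif` is the only thing binding the challenge to the host and it is skipped entirely under `DEBUG`, a comment above it such as `# Port is deliberately ignored: clients disagree on whether Host carries it` would keep a later reader from silently re-tightening or dropping the check. The enclosing method starts and ends outside the hunk.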