bstein/bstein-dev-home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

portal: request email scope and fix access rate limiting

Browse Source
This commit is contained in:
Brad Stein 2026-01-02 03:09:07 -03:00
parent 7dac934a81
commit 8b5a8bda3d
3 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
backend/atlas_portal/routes/access_requests.py
View File

@ -28,6 +28,16 @@ def _random_request_code(username: str) -> str:
return f"{username}~{suffix}" return f"{username}~{suffix}"
def _client_ip() -> str:
xff = (request.headers.get("X-Forwarded-For") or "").strip()
if xff:
return xff.split(",", 1)[0].strip() or "unknown"
x_real_ip = (request.headers.get("X-Real-IP") or "").strip()
if x_real_ip:
return x_real_ip
return request.remote_addr or "unknown"
def register(app) -> None: def register(app) -> None:
@app.route("/api/access/request", methods=["POST"]) @app.route("/api/access/request", methods=["POST"])
def request_access() -> Any: def request_access() -> Any:
@ -36,7 +46,7 @@ def register(app) -> None:
if not configured(): if not configured():
return jsonify({"error": "server not configured"}), 503 return jsonify({"error": "server not configured"}), 503
ip = request.remote_addr or "unknown" ip = _client_ip()
if not rate_limit_allow( if not rate_limit_allow(
ip, ip,
key="access_request_submit", key="access_request_submit",
@ -112,7 +122,7 @@ def register(app) -> None:
if not configured(): if not configured():
return jsonify({"error": "server not configured"}), 503 return jsonify({"error": "server not configured"}), 503
ip = request.remote_addr or "unknown" ip = _client_ip()
if not rate_limit_allow( if not rate_limit_allow(
ip, ip,
key="access_request_status", key="access_request_status",

8
backend/atlas_portal/routes/account.py
View File

@ -33,9 +33,11 @@ def register(app) -> None:
keycloak_email = str(full.get("email") or "") keycloak_email = str(full.get("email") or "")
attrs = full.get("attributes") or {} attrs = full.get("attributes") or {}
if isinstance(attrs, dict): if isinstance(attrs, dict):
values = attrs.get("mailu_app_password") or [] raw_pw = attrs.get("mailu_app_password")
if isinstance(values, list) and values: if isinstance(raw_pw, list) and raw_pw:
mailu_app_password = str(values[0]) mailu_app_password = str(raw_pw[0])
elif isinstance(raw_pw, str):
mailu_app_password = raw_pw
except Exception: except Exception:
pass pass

2
frontend/src/auth.js
View File

@ -58,6 +58,7 @@ export async function initAuth() {
pkceMethod: "S256", pkceMethod: "S256",
silentCheckSsoRedirectUri: `${window.location.origin}/silent-check-sso.html`, silentCheckSsoRedirectUri: `${window.location.origin}/silent-check-sso.html`,
checkLoginIframe: true, checkLoginIframe: true,
scope: "openid profile email",
}); });
auth.authenticated = authenticated; auth.authenticated = authenticated;
@ -103,4 +104,3 @@ export async function authFetch(url, options = {}) {
if (auth.token) headers.set("Authorization", `Bearer ${auth.token}`); if (auth.token) headers.set("Authorization", `Bearer ${auth.token}`);
return fetch(url, { ...options, headers }); return fetch(url, { ...options, headers });
} }