Merge pull request #518 from almarklein/localhost

almarklein · web-flow · commit 79fc32ada3a2 · 2024-12-17T09:17:16.000+01:00
Add check for localhost auth
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -7,7 +7,7 @@
 
 def test_config():
     # Defaults
-    default_bind = "0.0.0.0:80"
+    default_bind = "127.0.0.1:8080"
     set_config([], {})
     assert config.bind == default_bind
     assert config.datadir == "~/_timetagger"
diff --git a/timetagger/__main__.py b/timetagger/__main__.py
@@ -202,7 +202,12 @@ async def get_webtoken_localhost(request, auth_info):
     """An authentication handler that provides a webtoken when the
     hostname is localhost. See `get_webtoken_unsafe()` for details.
     """
-
+    if not config.bind.startswith("127.0.0.1"):
+        return (
+            403,
+            {},
+            "Can only login via localhost if the server address (config.bind) is '127.0.0.1'",
+        )
     # Don't allow localhost validation when proxy auth is enabled
     if config.proxy_auth_enabled:
         return 403, {}, "forbidden: disabled when proxy auth is available"
diff --git a/timetagger/_config.py b/timetagger/_config.py
@@ -13,7 +13,7 @@ def to_bool(value):
 class Config:
     """Object that holds config values.
 
-    * `bind (str)`: the address and port to bind on. Default "0.0.0.0:80".
+    * `bind (str)`: the address and port to bind on. Default "127.0.0.1:8080".
     * `datadir (str)`: the directory to store data. Default "~/_timetagger".
       The user db's are stored in `datadir/users`.
     * `log_level (str)`: the log level for timetagger and asgineer
@@ -43,7 +43,7 @@ class Config:
     """
 
     _ITEMS = [
-        ("bind", str, "0.0.0.0:80"),
+        ("bind", str, "127.0.0.1:8080"),
         ("datadir", str, "~/_timetagger"),
         ("log_level", str, "info"),
         ("credentials", str, ""),
