Merge pull request #385 from iiSeymour/master

Use a 401 status code for invalid login attempts. Fixes #384
2025-03-07 13:07:22 +08:00 · 2015-09-03 22:46:23 +02:00 · 2015-09-03 22:46:23 +02:00 · 65484f0b1c
commit 65484f0b1c
parent 39ffd32eba 6880715826
1 changed files with 13 additions and 13 deletions
--- a/notebook/auth/login.py
+++ b/notebook/auth/login.py
@ -14,7 +14,7 @@ from ..base.handlers import IPythonHandler

 class LoginHandler(IPythonHandler):
    """The basic tornado login handler
-    
+
    authenticates with a hashed password from the configuration.
    """
    def _render(self, message=None):
@ -32,7 +32,7 @@ class LoginHandler(IPythonHandler):
            self.redirect(next_url)
        else:
            self._render()
-    
+
    @property
    def hashed_password(self):
        return self.password_from_settings(self.settings)
@ -41,32 +41,33 @@ class LoginHandler(IPythonHandler):
        typed_password = self.get_argument('password', default=u'')
        if self.login_available(self.settings):
            if passwd_check(self.hashed_password, typed_password):
-                # tornado <4.2 have a bug that consider secure==True as soon as 
+                # tornado <4.2 have a bug that consider secure==True as soon as
                # 'secure' kwarg is passed to set_secure_cookie
                if self.settings.get('secure_cookie', self.request.protocol == 'https'):
-                    kwargs = {'secure':True}
+                    kwargs = {'secure': True}
                else:
                    kwargs = {}
                self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **kwargs)
            else:
+                self.set_status(401)
                self._render(message={'error': 'Invalid password'})
                return
-        
+
        next_url = self.get_argument('next', default=self.base_url)
        if not next_url.startswith(self.base_url):
            # require that next_url be absolute path within our path
            next_url = self.base_url
        self.redirect(next_url)
-    
+
    @classmethod
    def get_user(cls, handler):
        """Called by handlers.get_current_user for identifying the current user.
-        
+
        See tornado.web.RequestHandler.get_current_user for details.
        """
        # Can't call this get_current_user because it will collide when
        # called on LoginHandler itself.
-        
+
        user_id = handler.get_secure_cookie(handler.cookie_name)
        # For now the user_id should not return empty, but it could, eventually.
        if user_id == '':
@ -77,12 +78,12 @@ class LoginHandler(IPythonHandler):
            if not handler.login_available:
                user_id = 'anonymous'
        return user_id
-        
-    
+
+
    @classmethod
    def validate_security(cls, app, ssl_options=None):
        """Check the notebook application's security.
-        
+
        Show messages, or abort if necessary, based on the security configuration.
        """
        if not app.ip:
@ -97,7 +98,7 @@ class LoginHandler(IPythonHandler):
    @classmethod
    def password_from_settings(cls, settings):
        """Return the hashed password from the tornado settings.
-        
+
        If there is no configured password, an empty string will be returned.
        """
        return settings.get('password', u'')
@ -106,4 +107,3 @@ class LoginHandler(IPythonHandler):
    def login_available(cls, settings):
        """Whether this LoginHandler is needed - and therefore whether the login page should be displayed."""
        return bool(cls.password_from_settings(settings))
-