From 9f1212fcab26a0a352022bb84daf828319f9a26c Mon Sep 17 00:00:00 2001
From: lelo
Date: Mon, 17 Mar 2025 21:37:03 +0000
Subject: [PATCH] fix secret

---
 app.py | 48 ++++++++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 22 deletions(-)

diff --git a/app.py b/app.py
index 0acc711..d5fcb7e 100755
--- a/app.py
+++ b/app.py
@@ -30,36 +30,40 @@ def require_secret(f): @wraps(f) def decorated_function(*args, **kwargs): allowed_secrets = app.config['ALLOWED_SECRETS'] - current_secret = session.get('secret') today = date.today() - # be nice if somebody hit you without a secret (no error) - if current_secret is None: - return render_template('index.html') - def is_valid(secret_data): expiry_date = secret_data.get('expiry') return expiry_date and today <= expiry_date - # Check if the secret stored in session is still valid - if current_secret: - secret_data = allowed_secrets.get(current_secret) - if secret_data and is_valid(secret_data): - # Update FILE_ROOT based on the secret's configuration - app.config['FILE_ROOT'] = secret_data.get('file_root') - return f(*args, **kwargs) + # Check if a secret was provided via GET parameter + get_secret = request.args.get('secret') + if get_secret is not None: + secret_data = allowed_secrets.get(get_secret) + if secret_data: + if is_valid(secret_data): + # Valid secret provided in URL: update session and config + session['secret'] = get_secret + app.config['FILE_ROOT'] = secret_data.get('file_root') + return f(*args, **kwargs) + else: + # Secret provided via URL is expired or invalid + return render_template('error.html', message="Invalid or expired secret."), 403 - # Check secret from GET parameter - secret = request.args.get('secret') - if secret: - secret_data = allowed_secrets.get(secret) - if secret_data and is_valid(secret_data): - session['secret'] = secret - app.config['FILE_ROOT'] = secret_data.get('file_root') - return f(*args, **kwargs) + # If no secret provided via GET, check the session + session_secret = session.get('secret') + if session_secret is not None: + secret_data = allowed_secrets.get(session_secret) + if secret_data: + if is_valid(secret_data): + app.config['FILE_ROOT'] = secret_data.get('file_root') + return f(*args, **kwargs) + else: + # Session secret exists but is expired + return render_template('error.html', 
message="Invalid or expired secret."), 403 - # If the secret is invalid or expired, show an error - return render_template('error.html', message="Invalid or expired secret."), 403 + # No secret provided at all; show the public index page + return render_template('index.html') return decorated_function
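Review bot: Both new branches still write the per-secret root into `app.config['FILE_ROOT']`, which is process-wide state, so when two requests carrying different secrets are in flight at once (any threaded or multi-worker deployment) the second assignment wins and the first request's view can serve files from the other secret's `file_root`; this is a cross-tenant access problem, not just a race. The config write should become request-local, e.g. `g.file_root = secret_data.get('file_root')` in place of both `app.config['FILE_ROOT'] = ...` lines, with the wrapped view reading `g.file_root` (this needs `from flask import g`, which I cannot see in this hunk). Separately, the secret is still accepted from `request.args`, so it lands in browser history, proxy/server access logs and outbound `Referer` headers; once `session['secret']` is set, redirecting to the same path without the query string would at least stop the URL from being re-shared, and note that with Flask's default cookie session the stored secret is readable by anyone holding the cookie. The revocation path is also silent: a session secret that is no longer in `allowed_secrets` falls through to `index.html` but is left in the session, so `session.pop('secret', None)` in that `secret_data` is falsy case would be worth adding. The `def require_secret(f):` signature lies outside the hunk.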