fix secret

2025-03-17 21:37:03 +00:00 · 2025-03-17 21:37:03 +00:00 · 9f1212fcab
commit 9f1212fcab
parent da20329942
1 changed files with 26 additions and 22 deletions
--- a/app.py
+++ b/app.py
@ -30,37 +30,41 @@ def require_secret(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        allowed_secrets = app.config['ALLOWED_SECRETS']
-        current_secret = session.get('secret')
        today = date.today()
-        # be nice if somebody hit you without a secret (no error)
-        if current_secret is None:
-            return render_template('index.html')
-

        def is_valid(secret_data):
            expiry_date = secret_data.get('expiry')
            return expiry_date and today <= expiry_date

-        # Check if the secret stored in session is still valid
-        if current_secret:
-            secret_data = allowed_secrets.get(current_secret)
-            if secret_data and is_valid(secret_data):
-                # Update FILE_ROOT based on the secret's configuration
+        # Check if a secret was provided via GET parameter
+        get_secret = request.args.get('secret')
+        if get_secret is not None:
+            secret_data = allowed_secrets.get(get_secret)
+            if secret_data:
+                if is_valid(secret_data):
+                    # Valid secret provided in URL: update session and config
+                    session['secret'] = get_secret
                    app.config['FILE_ROOT'] = secret_data.get('file_root')
                    return f(*args, **kwargs)
-
-        # Check secret from GET parameter
-        secret = request.args.get('secret')
-        if secret:
-            secret_data = allowed_secrets.get(secret)
-            if secret_data and is_valid(secret_data):
-                session['secret'] = secret
-                app.config['FILE_ROOT'] = secret_data.get('file_root')
-                return f(*args, **kwargs)
-
-        # If the secret is invalid or expired, show an error
+                else:
+                    # Secret provided via URL is expired or invalid
                    return render_template('error.html', message="Invalid or expired secret."), 403

+        # If no secret provided via GET, check the session
+        session_secret = session.get('secret')
+        if session_secret is not None:
+            secret_data = allowed_secrets.get(session_secret)
+            if secret_data:
+                if is_valid(secret_data):
+                    app.config['FILE_ROOT'] = secret_data.get('file_root')
+                    return f(*args, **kwargs)
+                else:
+                    # Session secret exists but is expired
+                    return render_template('error.html', message="Invalid or expired secret."), 403
+
+        # No secret provided at all; show the public index page
+        return render_template('index.html')
+
    return decorated_function

@app.route('/static/icons/<string:size>.png')