mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-24 02:37:05 +00:00
mailinabox/management
Joshua Tauberer 79966e36e3 Set a cookie for /admin/munin pages to grant access to Munin reports
The /admin/munin routes used the same Authorization: header logic as the other API routes, but they are browsed directly in the browser because they are handled as static pages or as a proxy to a CGI script.

This required users to enter their email username/password for HTTP basic authentication in the standard browser auth prompt, which wasn't ideal (and may leak the password in browser storage). It also stopped working when MFA was enabled for user accounts.

A token is now set in a cookie when visiting /admin/munin which is then checked in the routes that proxy the Munin pages. The cookie's lifetime is kept limited to limit the opportunity for any unknown CSRF attacks via the Munin CGI script.
2021-09-24 08:11:36 -04:00
templates Set a cookie for /admin/munin pages to grant access to Munin reports 2021-09-24 08:11:36 -04:00
auth.py Set a cookie for /admin/munin pages to grant access to Munin reports 2021-09-24 08:11:36 -04:00
backup.py Implement Backblaze for Backup (#1812) 2020-11-26 07:13:31 -05:00
cli.py Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost 2020-10-31 10:23:43 -04:00
csr_country_codes.tsv drop the CSR_COUNTRY setting and ask within the control panel 2015-12-26 11:48:23 -05:00
daemon.py Set a cookie for /admin/munin pages to grant access to Munin reports 2021-09-24 08:11:36 -04:00
daily_tasks.sh daily_tasks.sh: redirect stderr to stdout (#1768) 2020-06-07 09:56:45 -04:00
dns_update.py Include NSD config files from /etc/nsd/nsd.conf.d/*.conf (#2035) 2021-09-24 08:07:40 -04:00
email_administrator.py send the mail_log.py report to the box admin every Monday 2018-02-25 11:55:06 -05:00
mail_log.py Ignore bad encoding in email addresses when parsing maillog files (#2017) 2021-08-16 11:46:32 -04:00
mailconfig.py Reorganize the MFA backend methods 2020-09-26 09:58:25 -04:00
mfa.py Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost 2020-10-31 10:23:43 -04:00
munin_start.sh update bind9 configuration 2018-10-03 14:28:43 -04:00
ssl_certificates.py Display certificate expiry dates in ISO format (#1841) 2020-10-16 16:22:36 -04:00
status_checks.py add numeric flag value to DNSSEC DS status message (#2033) 2021-09-10 16:12:41 -04:00
utils.py move the custom exclusive process code from utils.py into a new python package named exclusiveprocess 2017-01-15 11:02:23 -05:00
web_update.py Add null SPF, DMARC, and MX records for automatically generated autoconfig, autodiscover, and mta-sts subdomains; add null MX records for custom A-record subdomains 2021-05-15 16:42:14 -04:00