mailinabox/management/templates
Joshua Tauberer 79966e36e3 Set a cookie for /admin/munin pages to grant access to Munin reports
The /admin/munin routes used the same Authorization: header logic as the other API routes, but they are browsed directly in the browser because they are handled as static pages or as a proxy to a CGI script.

This required users to enter their email username/password for HTTP basic authentication in the standard browser auth prompt, which wasn't ideal (and may leak the password in browser storage). It also stopped working when MFA was enabled for user accounts.

A token is now set in a cookie when visiting /admin/munin which is then checked in the routes that proxy the Munin pages. The cookie's lifetime is kept limited to limit the opportunity for any unknown CSRF attacks via the Munin CGI script.
2021-09-24 08:11:36 -04:00
aliases.html Sort the Custom DNS by zone and qname, and add an option to go back to the old sort order (creation order) 2021-02-28 09:40:32 -05:00
custom-dns.html Sort the Custom DNS by zone and qname, and add an option to go back to the old sort order (creation order) 2021-02-28 09:40:32 -05:00
external-dns.html Add download zonefile button to external DNS page (#1853) 2020-11-16 06:03:41 -05:00
index.html Set a cookie for /admin/munin pages to grant access to Munin reports 2021-09-24 08:11:36 -04:00
login.html Allow non-admin login to the control panel and show/hide menu items depending on the login state 2021-09-06 09:23:58 -04:00
mail-guide.html Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849) 2021-05-15 16:42:14 -04:00
mfa.html Add MFA list/disable to the management CLI so admins can restore access if MFA device is lost 2020-10-31 10:23:43 -04:00
munin.html Set a cookie for /admin/munin pages to grant access to Munin reports 2021-09-24 08:11:36 -04:00
ssl.html replace free_tls_certificates with certbot 2018-06-29 16:46:21 -04:00
sync-guide.html update F-Droid DAVdroid link (#1253) 2017-10-04 17:47:15 -04:00
system-backup.html Show backup retention period form when configuring B2 backups (#2024) 2021-08-23 06:25:41 -04:00
system-status.html move the reboot button, fix grammar, refactor check for DRY, add changelog entry 2016-03-23 16:37:15 -04:00
users.html Allow non-admin login to the control panel and show/hide menu items depending on the login state 2021-09-06 09:23:58 -04:00
web.html Instructions on how to create a web site for a domain weren't rendered. Users would miss the step about manually creating the directory to put files in there and wouldn't see anything happen 2016-03-25 13:37:55 +01:00
welcome.html Add a 'welcome' panel to the control panel and make it the default page instead of the status checks which take too long to load 2021-09-06 09:23:58 -04:00