Refactor login page to not include in history (#5747)

2025-12-17 20:34:37 +03:00 · 2025-03-25 10:26:31 +11:00
parent cc6917f29d
commit 2541e9d1eb
2 changed files with 32 additions and 11 deletions
--- a/internal/api/session.go
+++ b/internal/api/session.go
@@ -78,11 +78,6 @@ func handleLogin() http.HandlerFunc {

 func handleLoginPost() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		url := r.FormValue(returnURLParam)
-		if url == "" {
-			url = getProxyPrefix(r) + "/"
-		}
-
 		err := manager.GetInstance().SessionStore.Login(w, r)
 		if err != nil {
 			// always log the error
@@ -92,17 +87,17 @@ func handleLoginPost() http.HandlerFunc {
 		var invalidCredentialsError *session.InvalidCredentialsError

 		if errors.As(err, &invalidCredentialsError) {
-			// serve login page with an error
-			serveLoginPage(w, r, url, "Username or password is invalid")
+			http.Error(w, "Username or password is invalid", http.StatusUnauthorized)
 			return
 		}

 		if err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
+			// don't expose the error to the user
+			http.Error(w, "An unexpected error occurred. See logs", http.StatusInternalServerError)
 			return
 		}

-		http.Redirect(w, r, url, http.StatusFound)
+		w.WriteHeader(http.StatusOK)
 	}
 }

--- a/ui/login/login.html
+++ b/ui/login/login.html
@@ -10,11 +10,37 @@
    <link rel="stylesheet" href="login/login.css">
    <link rel="stylesheet" href="css">
 </head>
+
+<script>
+    function login() {
+        var username = document.getElementById("username").value;
+        var password = document.getElementById("password").value;
+        var returnURL = document.getElementById("returnURL").value;
+
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "login", true);
+        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+        xhr.onreadystatechange = function() {
+            if (xhr.readyState == 4) {
+                if (xhr.status == 200) {
+                    window.location.replace(returnURL);
+                } else {
+                    document.getElementsByClassName("login-error")[0].innerHTML = xhr.responseText;
+                }
+            }
+        };
+        xhr.onerror = function() {
+            document.getElementsByClassName("login-error")[0].innerHTML = "An error occurred while trying to login.";
+        };
+        xhr.send("username=" + username + "&password=" + password + "&returnURL=" + returnURL);
+    }
+</script>
+
 <body class="login">

    <div class="dialog">
        <div class="card">
-            <form action="login" method="POST">
+            <form action="login" method="POST" onsubmit="event.preventDefault(); login();">
                <div class="form-group">
                    <label for="username"><h6>Username</h6></label>
                    <input class="text-input form-control" id="username" name="username" type="text" placeholder="Username" />
@@ -27,7 +53,7 @@
                    {{.Error}}
                </div>

-                <input type="hidden" name="returnURL" value="{{.URL}}" />
+                <input type="hidden" id="returnURL" name="returnURL" value="{{.URL}}" />

                <div>
                    <input class="btn btn-primary" type="submit" value="Login">