From 8a917484730c2aa4793665f57b01433de4a6b33d Mon Sep 17 00:00:00 2001
From: Michiel Scholten
Date: Tue, 18 Mar 2025 15:42:04 +0100
Subject: [PATCH] Parse the challenge response from the mothership
---
 staticshield.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/staticshield.py b/staticshield.py
index f5ac54a..4d9d759 100644
--- a/staticshield.py
+++ b/staticshield.py
@@ -1,3 +1,4 @@
+import json
 import os
 import urllib.request
 from logging.config import dictConfig
@@ -63,10 +64,6 @@ def all_routes(path):
 redirect_path = '/'
 if len(secret_redirect_split) > 1:
 redirect_path = '/'.join(secret_redirect_split[1:])
- app.logger.info('starting new session with secret "%s"', secret)
- print(f'afterwards, redirecting to "{redirect_path}"')
- us = f'{request.host_url}{path}'
- print(us)
 # Ask the mothership if the secret is known to them, to prevent someone from just making up a URL
 # Mothership will invalidate this secret token upon handling this request to prevent replay
 try:
@@ -74,9 +71,18 @@ def all_routes(path):
 with urllib.request.urlopen(f'{MOTHERSHIP}/verify/{secret}') as response:
 challenge_response = response.read()
 print(challenge_response)
- # Start session if challenge response was successful
- session['id'] = secret
- return redirect(redirect_path)
+ try:
+ # Expects a JSON dict with {'correct': true/false}
+ challenge_response_dict = json.loads(challenge_response)
+ if challenge_response_dict.get('correct', False):
+ # Start session if challenge response was successful
+ session['id'] = secret
+ app.logger.info('starting new session with secret "%s", afterwards redirecting to %s', secret, redirect_path)
+ return redirect(redirect_path)
+ app.logger.warning('new session aborted, secret "%s" was incorrect, not redirecting to %s', secret, redirect_path)
+ except ValueError as e:
+ app.logger.error('Error while decoding challenge response: %s', str(e))
+ return 'Unable to set up session', 403
 except urllib.error.URLError as e:
 app.logger.error('lolwtf, server not found: %s', str(e.reason))
 return 'Unable to set up session', 403
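Review bot: The success check `if challenge_response_dict.get('correct', False):` accepts any truthy value, so a mothership reply such as `{"correct": "no"}` or `{"correct": 1}` would open a session; compare strictly with `if challenge_response_dict.get('correct') is True:`. The parsed shape is also unguarded: a JSON array or scalar makes `.get` raise AttributeError, which the `except ValueError` handler does not catch, so a malformed reply surfaces as a 500 instead of the intended 403 — add `if not isinstance(challenge_response_dict, dict): raise ValueError('challenge response is not a JSON object')` before the check. The new info and warning log lines write the secret itself, the value that becomes `session['id']`, into the application log; log a redacted or hashed form instead, and the retained `print(challenge_response)` context line still dumps the raw reply to stdout in the same way the debug prints removed in the previous hunk did. The `urlopen` call on the context line has no timeout, so an unresponsive mothership blocks the worker indefinitely (presumably worth `timeout=` given this is on the request path). all_routes and the outer `try:` begin outside this hunk.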