Fix: Redirect loop on formkey or nonce mismatch.

* fix 401-302-401-302-429 loop

* don't logout users on bad form key, just treat the request as unauthenticated

* Handle None/empty case in validate_formkey.

A supplied empty formkey, or the lack of a supplied formkey (None) is not a valid formkey. Handle this inside the function rather than at the call-site.

* Validate as false if no hashstr or string

Co-authored-by: Snakes <104547575+TLSM@users.noreply.github.com>

files/classes/user.py

@@ -366,7 +366,7 @@ class User(Base):
 		return generate_hash(msg)
 
 	def validate_formkey(self, formkey):
-
+		if not formkey: return False
 		return validate_hash(f"{session['session_id']}+{self.id}+{self.login_nonce}", formkey)
 
 	@property

files/helpers/security.py

@@ -13,7 +13,7 @@ def generate_hash(string):
 
 
 def validate_hash(string, hashstr):
-
+	if not string or not hashstr: return False
 	return hmac.compare_digest(hashstr, generate_hash(string))
 
 

files/helpers/wrappers.py

@@ -27,19 +27,22 @@ def get_logged_in_user():
 			id = int(lo_user)
 			v = g.db.query(User).get(id)
 			if v:
+				v.client = None
 				nonce = session.get("login_nonce", 0)
-				if nonce < v.login_nonce or v.id != id: abort(401)
+				if nonce < v.login_nonce or v.id != id:
+					session.pop("lo_user")
+					v = None
 
-				if request.method != "GET":
+				if v and request.method != "GET":
 					submitted_key = request.values.get("formkey")
 					if not submitted_key and request.is_json:
 						json = request.get_json(silent=True)
 						if json and type(json) is dict:
 							submitted_key = json.get('formkey')
-					if not submitted_key: abort(401)
-					if not v.validate_formkey(submitted_key): abort(401)
-
-				v.client = None
+					if not v.validate_formkey(submitted_key):
+						v = None
+			else:
+				session.pop("lo_user")
 
 	if request.method.lower() != "get" \
 			and app.config['SETTINGS']['Read-only mode'] \