Made saved users be in the DB, not in dict in memory of workers in gunicorn - otherwise we had BUG-39, and also added input validation to username to stop ldap injection on login form

main.py

@@ -7,12 +7,10 @@ from wtforms import SubmitField, StringField, HiddenField, SelectField, IntegerF
 from flask_wtf import FlaskForm
 from status import st, Status
 from shared import CreateSelect, CreateFoldersSelect, LocationIcon, DB_URL
-from flask_login import login_required, current_user
-
 
 # for ldap auth
 from flask_ldap3_login import LDAP3LoginManager
-from flask_login import LoginManager, login_user, UserMixin, current_user
+from flask_login import LoginManager, login_user, login_required, UserMixin, current_user
 from flask_ldap3_login.forms import LDAPLoginForm
 
 import re
@@ -49,11 +47,6 @@ login_manager = LoginManager(app)              # Setup a Flask-Login Manager
 ldap_manager = LDAP3LoginManager(app)          # Setup a LDAP3 Login Manager.
 login_manager.login_view = "login"             # default login route, failed with url_for, so hard-coded
 
-# Create a dictionary to store the users in when they authenticate
-# This example stores users in memory.
-users = {}
-
-
 
 ################################# Now, import non-book classes ###################################
 from settings import Settings
@@ -63,6 +56,7 @@ from refimg import Refimg
 from job import Job, GetNumActiveJobs
 from ai import aistats
 from path import StoragePathNames
+from user import PAUser
 
 ####################################### GLOBALS #######################################
 # allow jinja2 to call these python functions directly
@@ -98,9 +92,8 @@ class User(UserMixin):
 # returns None.
 @login_manager.user_loader
 def load_user(id):
-    if id in users:
-        return users[id]
-    return None
+    pau=PAUser.query.filter(PAUser.dn==id).first()
+    return pau
 
 # Declare The User Saver for Flask-Ldap3-Login
 # This method is called whenever a LDAPLoginForm() successfully validates.
@@ -108,9 +101,14 @@ def load_user(id):
 # login controller.
 @ldap_manager.save_user
 def save_user(dn, username, data, memberships):
-    user = User(dn, username, data)
-    users[dn] = user
-    return user
+    pau=PAUser.query.filter(PAUser.dn==dn).first()
+    # if we already have a valid user/session, and say the web has restarted, just re-use it, dont make more users
+    if pau:
+        return pau
+    pau=PAUser(dn=dn)
+    db.session.add(pau)
+    db.session.commit()
+    return pau
 
 # default page, just the navbar
 @app.route("/", methods=["GET"])
@@ -129,9 +127,15 @@ def login():
     form = LDAPLoginForm()
     form.submit.label.text="Login"
 
+    # the re matches on any special LDAP chars, we dont want someone
+    # ldap-injecting our username, so send them back to the login page instead
+    if request.method == 'POST' and re.search( r'[()\\*&!]', request.form['username']):
+       print( f"WARNING: Detected special LDAP chars in username: {request.form['username']}")
+       return redirect('/login')
     if form.validate_on_submit():
         # Successfully logged in, We can now access the saved user object
         # via form.user.
+        print( f"form user = {form.user}" )
         login_user(form.user, remember=True)  # Tell flask-login to log them in.
         next = request.args.get("next")
         if next: