From 3054fe5e9f992590bdaadbb0ec171cd8dbcb6369 Mon Sep 17 00:00:00 2001
From: realaravinth <realaravinth@batsense.net>
Date: Fri, 10 Jun 2022 19:12:50 +0530
Subject: [PATCH] fix & chore: inject CSRF token in login form and refactor
 login_view

---
 accounts/templates/accounts/auth/login.html |  1 +
 accounts/views.py                           | 86 +++++++++++----------
 2 files changed, 46 insertions(+), 41 deletions(-)

diff --git a/accounts/templates/accounts/auth/login.html b/accounts/templates/accounts/auth/login.html
index 97ec0c8..0b154fe 100644
--- a/accounts/templates/accounts/auth/login.html
+++ b/accounts/templates/accounts/auth/login.html
@@ -3,6 +3,7 @@
 <h2>Login</h2>
 <form action="{% url 'accounts.login' %}" method="POST" class="form" accept-charset="utf-8">
   {% include "common/components/error.html" %}
+  {% csrf_token %}
   <label class="form__label" for="login">
     Username or Email
     <input 
diff --git a/accounts/views.py b/accounts/views.py
index fce3dd1..15165a6 100644
--- a/accounts/views.py
+++ b/accounts/views.py
@@ -1,59 +1,63 @@
+# Copyright © 2022 Aravinth Manivannan <realaravinth@batsense.net>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 from django.shortcuts import render, redirect
 from django.contrib.auth import authenticate, login, logout
+from django.contrib.auth import get_user_model
 from django.contrib.auth.decorators import login_required
 from django.http import HttpResponse
 from django.views.decorators.csrf import csrf_protect
 from django.urls import reverse
 
-GREETINGS = {
-    "greeting": "Welcome to Hostea - Free Forge Ecosystem for Free Developers",
-    "features": [
-        "Fully managed",
-        "100% Free Software",
-        "Fully Self-Hostable",
-        "Observable and reliable",
-        "Federation when available",
-        "Radically transparent",
-        "Horizontal community",
-        "Run Hostea and become a service provider!",
-    ],
-}
-
-LOGIN_CONTENT = {
-    "login_name": "Username or Email",
-    "action": "Login",
-    "password": "Password",
-    "forgot_password": "Forgot password?",
-    "register_prompt": "New to Hostea?",
-    "register_action_link_text": "Create an account",
-    "greetings": GREETINGS,
-}
-
 
 @csrf_protect
 def login_view(request):
-    if request.method == "POST":
+    if request.method == "GET":
+        ctx = {}
+        if "next" in request.GET:
+            ctx["next"] = request.GET["next"]
+        return render(request, "accounts/auth/login.html", ctx)
+
+    login_cred = request.POST["login"]
+    user = None
+
+    if "@" in login_cred:
         user = authenticate(
-            request,
-            username=request.POST["username"],
+            email=login_cred,
+            password=request.POST["password"],
+        )
+    else:
+        user = authenticate(
+            username=login_cred,
             password=request.POST["password"],
         )
-        if user is not None:
-            login(request, user)
-            print("user logged in")
-            if "next" in request.POST:
-                next_url = request.POST["next"]
-                if next_url:
-                    return redirect(next_url)
-            return redirect(reverse("accounts.protected"))
-        else:
-            return HttpResponse("Login required")
 
-    ctx = LOGIN_CONTENT
-    if "next" in request.GET:
-        ctx["next"] = request.GET["next"]
+    if user is not None:
+        login(request, user)
+        if "next" in request.POST:
+            next_url = request.POST["next"]
+            if next_url:
+                return redirect(next_url)
+        return redirect(reverse("accounts.protected"))
 
-    return render(request, "accounts/auth/login.html", ctx)
+    ctx = {
+        "error": {
+            "title": "Login Failed",
+            "reason": "Username or passwrod is incorrect, please try again.",
+        }
+    }
+    return render(request, "accounts/auth/login.html", status=401, context=ctx)
 
 
 @login_required