71715c38d8
When a session has expired, require_role now bounces to /login?next=<path> and sends the user back there after re-login. - middleware: safe_next_url() (same-site relative path/query only; rejects off-site, protocol-relative, javascript:, and the auth pages — no open redirect). _login_redirect() builds the next param; for HTMX requests it uses HX-Current-URL (the page, not the fragment) and HX-Redirect so the whole browser navigates instead of swapping the login page into a fragment. - login GET/POST carry `next` (hidden field), validated, used on success for local + LDAP; OIDC stashes it in session across the IdP round-trip. - login.html: hidden next field + next on the SSO link. - tests for safe_next_url. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
38 lines
1.8 KiB
HTML
38 lines
1.8 KiB
HTML
{% extends "base.html" %}
|
|
{% block title %}Login — Steward{% endblock %}
|
|
{% block content %}
|
|
<div style="max-width:400px;margin:4rem auto;">
|
|
<div class="card">
|
|
<p style="color: var(--text-dim); font-family: var(--font-serif); font-style: italic; font-size: 1.15rem; text-align: center; margin: 0 0 1.5rem;">Under Watch, Under Care.</p>
|
|
{% if error %}
|
|
<div style="color:var(--red);font-size:0.88rem;margin-bottom:1rem;
|
|
background:var(--red-dim);padding:0.6rem 0.75rem;border-radius:4px;">
|
|
{{ error }}
|
|
</div>
|
|
{% endif %}
|
|
{% if oidc_enabled %}
|
|
<a href="/login/oidc{% if next_url %}?next={{ next_url | urlencode }}{% endif %}" class="btn" style="width:100%;text-align:center;margin-bottom:1.25rem;display:block;">
|
|
Sign in with SSO
|
|
</a>
|
|
<div style="display:flex;align-items:center;gap:0.75rem;margin-bottom:1.25rem;">
|
|
<div style="flex:1;height:1px;background:var(--border-mid);"></div>
|
|
<span style="font-size:0.78rem;color:var(--text-dim);">or</span>
|
|
<div style="flex:1;height:1px;background:var(--border-mid);"></div>
|
|
</div>
|
|
{% endif %}
|
|
<form method="post" action="/login">
|
|
{% if next_url %}<input type="hidden" name="next" value="{{ next_url }}">{% endif %}
|
|
<div class="form-group">
|
|
<input type="text" name="username" placeholder="Username" autofocus required>
|
|
</div>
|
|
<div class="form-group">
|
|
<input type="password" name="password" placeholder="Password" required>
|
|
</div>
|
|
<button type="submit" class="btn {% if oidc_enabled %}btn-ghost{% endif %}" style="width:100%;">
|
|
Sign In
|
|
</button>
|
|
</form>
|
|
</div>
|
|
</div>
|
|
{% endblock %}
|