Feat(Security):

a. Update CORS settings
 b. Update session cookie settings
 c. Remove comments that expose project architecture (and that Claude made most of it :P)

app.py

@@ -29,7 +29,7 @@ from controllers.store.stock_item import routes_store_stock_item
 from controllers.store.supplier import routes_store_supplier
 from controllers.store.supplier_purchase_order import routes_store_supplier_purchase_order
 from controllers.user import routes_user
-from extensions import db, csrf, cors, mail, oauth
+from extensions import db, csrf, mail, oauth
 from helpers.helper_app import Helper_App
 # external
 from flask import Flask, render_template, jsonify, request,  render_template_string, send_from_directory, redirect, url_for, session
@@ -82,12 +82,13 @@ def make_session_permanent():
     session.permanent = True
 
 csrf = CSRFProtect()
-"""
-cors = CORS()
-db = SQLAlchemy()
-mail = Mail()
-oauth = OAuth()
-"""
+cors = CORS(app, resources={
+    r"/static/*": {
+        "origins": [app.config["URL_HOST"]],
+        "methods": ["GET"],
+        "max_age": 3600
+    }
+})
 
 csrf.init_app(app)
 cors.init_app(app)
@@ -133,3 +134,13 @@ app.register_blueprint(routes_user)
 def console_log(value):
     Helper_App.console_log(value)
     return value
+
+@app.after_request
+def add_cache_headers(response):
+    if request.path.startswith('/static/'):
+        # Cache static assets
+        response.headers['Cache-Control'] = 'public, max-age=31536000'
+    else:
+        # No caching for dynamic content
+        response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, max-age=0'
+    return response

config.py

@@ -40,7 +40,8 @@ class Config:
     # Auth0
     SESSION_COOKIE_SECURE = True
     SESSION_COOKIE_HTTPONLY = True
-    # SESSION_COOKIE_SAMESITE = 'Lax'
+    SESSION_COOKIE_SAMESITE = 'Strict'
+    REMEMBER_COOKIE_SECURE = True
     # PERMANENT_SESSION_LIFETIME = 3600
     WTF_CSRF_ENABLED = True
     # WTF_CSRF_CHECK_DEFAULT = False  # We'll check it manually for API routes

extensions.py

@@ -8,7 +8,7 @@ from authlib.integrations.flask_client import OAuth
 
 
 csrf = CSRFProtect()
-cors = CORS()
+# cors = CORS()
 db = SQLAlchemy()
 mail = Mail()
 oauth = OAuth()

static/js/api.js

@@ -1,6 +1,5 @@
 import DOM from './dom.js';
 
-// Module for API calls
 export default class API {
     
     static getCsrfToken() {
@@ -151,7 +150,6 @@ export default class API {
 const api = new API();
 export default api;
 
-Example of using the API
 document.addEventListener('DOMContentLoaded', () => {
     initializeApp();
     setupEventListeners();

static/js/app.js

@@ -1,30 +1,6 @@
-/*
-// Bundle css imports
-import '../css/lib/reset.css';
-import '../css/lib/typography.css';
-import '../css/lib/variables.css';
-import '../css/lib/utils.css';
 
-import '../css/layouts/header.css';
-import '../css/layouts/footer.css';
-import '../css/layouts/table-main.css'
-
-import '../css/components/button.css';
-import '../css/components/card.css';
-import '../css/components/dialog.css';
-import '../css/components/form.css';
-import '../css/components/modal.css';
-import '../css/components/navigation.css';
-import '../css/components/overlay.css';
-
-import '../css/sections/store.css';
-*/
-
-
-// Main entry point for the application
 'use strict';
 
-// import API from './api.js';
 import DOM from './dom.js';
 import Router from './router.js';
 
@@ -41,34 +17,24 @@ class App {
     }
 
     setupEventListeners() {
-        // Global event listeners
         // document.addEventListener('click', this.handleGlobalClick.bind(this));
-        // Add more global event listeners as needed
     }
 
     handleGlobalClick(event) {
-        // Handle global click events
     }
 
     start() {
-        // Additional startup logic
         this.initPageCurrent();
     }
 
     initPageCurrent() {
-        /*
-        _pageCurrent = Router.getPageCurrent();
-        _pageCurrent.initialize();
-        */
         this.router.loadPageCurrent();
     }
     
 }
 
-// Application instance
 const app = new App();
 
-// DOM ready handler
 function domReady(fn) {
     if (document.readyState !== 'loading') {
         fn();
@@ -77,13 +43,10 @@ function domReady(fn) {
     }
 }
 
-// Initialize and start the app when DOM is ready
 domReady(() => {
     app.initialize();
 });
 
-// Expose app to window for debugging (optional)
 window.app = app;
 
-// Export app if using modules
 export default app;

static/js/dom.js

@@ -1,7 +1,6 @@
 
 import Validation from "./lib/validation.js";
 
-// Module for DOM manipulation
 export default class DOM {
     static setElementAttributesValuesCurrentAndPrevious(element, data) {
         DOM.setElementAttributeValueCurrent(element, data);

static/js/router.js

@@ -27,44 +27,11 @@ import PageStoreSupplierPurchaseOrders from './pages/store/supplier_purchase_ord
 // import PageUserAccount from './pages/user/account.js';
 
 
-/*
-import "./lib/common.js";
-import "./lib/constants.js";
-import "./lib/events.js";
-import "./lib/extras.js";
-// import "./DEPRECATED/init.js";
-import "./lib/local_storage.js";
-import "./lib/utils.js";
-import "./lib/validation.js";
-*/
-
 import API from './api.js';
 import DOM from './dom.js';
 import PagePrivacyPolicy from './pages/legal/privacy_policy.js';
 import PageRetentionSchedule from './pages/legal/retention_schedule.js';
 
-// Create a context for the pages
-// const pagesContext = require.context('./pages', true, /\.js$/);
-
-/*
-const pageModules = {
-    // Core
-    [hashPageHome]: () => import('./pages/core/home.js'),
-    [hashPageContact]: () => import('./pages/core/contact.js'),
-    [hashPageServices]: () => import('./pages/core/services.js'),
-    [hashPageAdminHome]: () => import('./pages/core/admin_home.js'),
-    // Legal
-    [hashPageAccessibilityStatement]: () => import('./pages/legal/accessibility_statement.js'),
-    [hashPageLicense]: () => import('./pages/legal/license.js'),
-    // Store
-    [hashPageStoreProductCategories]: () => import('./pages/store/product_categories.js'),
-    [hashPageStoreProductPermutations]: () => import('./pages/store/product_permutations.js'),
-    // [hashPageStoreProducts]: () => import('./pages/store/products.js'),
-    // User
-    // Add other pages here...
-};
-*/
-
 export default class Router {
     constructor() {
         // Pages
@@ -326,11 +293,8 @@ export default class Router {
     }
 }
 
-// Create and export a singleton instance
 export const router = new Router();
-// import this for navigation
 
-// Usage example (you can put this in your main.js or app.js)
 /*
 router.addRoute('/', () => {
     console.log('Home page');
@@ -342,7 +306,6 @@ router.addRoute('/about', () => {
     // Load about page content
 });
 
-// Example of how to use the router in other parts of your application
 export function setupNavigationEvents() {
     document.querySelectorAll('a[data-nav]').forEach(link => {
         link.addEventListener('click', (e) => {