diff --git a/app.py b/app.py index 59175e18..57bd3e38 100644 --- a/app.py +++ b/app.py @@ -96,10 +96,12 @@ def internal_server_error(error): app.logger.error('Traceback: %s', traceback.format_exc()) return "Internal Server Error", 500 +@app.before_request +def make_session_permanent(): + session.permanent = True - -""" csrf = CSRFProtect() +""" cors = CORS() db = SQLAlchemy() mail = Mail() diff --git a/config.py b/config.py index dbb9213d..99c25b5a 100644 --- a/config.py +++ b/config.py @@ -32,6 +32,15 @@ class Config: SQLALCHEMY_DATABASE_URI = os.getenv('SQLALCHEMY_DATABASE_URI') SQLALCHEMY_TRACK_MODIFICATIONS = False # Auth0 + SESSION_COOKIE_SECURE = True + SESSION_COOKIE_HTTPONLY = True + # SESSION_COOKIE_SAMESITE = 'Lax' + # PERMANENT_SESSION_LIFETIME = 3600 + WTF_CSRF_ENABLED = True + # WTF_CSRF_CHECK_DEFAULT = False # We'll check it manually for API routes + # WTF_CSRF_HEADERS = ['X-CSRFToken'] # Accept CSRF token from this header + WTF_CSRF_TIME_LIMIT = None + WTF_CSRF_SSL_STRICT = False # Allows testing without HTTPS ID_AUTH0_CLIENT = os.getenv('ID_AUTH0_CLIENT') ID_AUTH0_CLIENT_SECRET = os.getenv('ID_AUTH0_CLIENT_SECRET') DOMAIN_AUTH0 = os.getenv('DOMAIN_AUTH0') @@ -71,9 +80,10 @@ class Config: class DevelopmentConfig(Config): is_development = True + # Add development-specific configuration variables DEBUG = True MAIL_DEBUG = True - # Add development-specific configuration variables + SESSION_COOKIE_SECURE = False class ProductionConfig(Config): is_production = True @@ -82,8 +92,9 @@ class ProductionConfig(Config): # Set the configuration class based on the environment # You can change 'development' to 'production' when deploying -config_env = os.getenv('FLASK_ENV', "production") +config_env = os.getenv('FLASK_ENV', "development") with open('app.log', 'a') as f: + print(f'config_env: {config_env}') f.write(f'config_env: {config_env}\n') # current_app.logger.error(f'config_env: {config_env}') # logger not yet initialised if config_env == 'development': diff --git a/controllers/__pycache__/user.cpython-312.pyc b/controllers/__pycache__/user.cpython-312.pyc index 0f09b25d..69b00a52 100644 Binary files a/controllers/__pycache__/user.cpython-312.pyc and b/controllers/__pycache__/user.cpython-312.pyc differ diff --git a/controllers/user.py b/controllers/user.py index 862d6ac3..489f2b67 100644 --- a/controllers/user.py +++ b/controllers/user.py @@ -21,52 +21,92 @@ import lib.argument_validation as av # external from flask import Flask, render_template, jsonify, request, render_template_string, send_from_directory, redirect, url_for, session, Blueprint, current_app from flask_sqlalchemy import SQLAlchemy +from flask_wtf.csrf import generate_csrf +from werkzeug.exceptions import BadRequest from extensions import oauth # db, from urllib.parse import quote_plus, urlencode from authlib.integrations.flask_client import OAuth from authlib.integrations.base_client import OAuthError from urllib.parse import quote, urlparse, parse_qs +from functools import wraps db = SQLAlchemy() routes_user = Blueprint('routes_user', __name__) # User authentication -@routes_user.route("/login", methods=['POST']) +@routes_user.route("/login", methods=['POST', 'OPTIONS']) def login(): + Helper_App.console_log('login') + Helper_App.console_log(f'method={request.method}') + """ + if request.method == 'OPTIONS': + # Handle preflight request + response = current_app.make_default_options_response() + response.headers['Access-Control-Allow-Headers'] = f'Content-Type, {Model_View_Base.FLAG_CSRF_TOKEN}' + response.headers['Access-Control-Allow-Methods'] = 'POST, OPTIONS' + return response + """ try: data = request.json + try: + data = request.get_json() + except: + data = {} except: data = {} Helper_App.console_log(f'data={data}') - # callback_login = F'{Model_View_Base.HASH_CALLBACK_LOGIN}{data.get(Model_View_Base.FLAG_CALLBACK, Model_View_Base.HASH_PAGE_HOME)}' - - # encoded_path = quote(data.get(Model_View_Base.FLAG_CALLBACK, Model_View_Base.HASH_PAGE_HOME)) - uri_redirect = url_for('routes_user.login_callback', _external=True) # , subpath=encoded_path - - # uri_redirect = f'{current_app.URL_HOST}/login_callback?subpath={data.get(Model_View_Base.FLAG_CALLBACK, Model_View_Base.HASH_PAGE_HOME)}' - Helper_App.console_log(f'redirect uri: {uri_redirect}') hash_callback = data.get(Model_View_Base.FLAG_CALLBACK, Model_View_Base.HASH_PAGE_HOME) Helper_App.console_log(f'hash_callback: {hash_callback}') - red = oauth.auth0.authorize_redirect( - redirect_uri = uri_redirect, - state = quote(hash_callback) - ) - Helper_App.console_log(f'redirect: {red}') - headers = red.headers['Location'] - Helper_App.console_log(f'headers: {headers}') - parsed_url = urlparse(headers) - query_params = parse_qs(parsed_url.query) - Helper_App.console_log(f""" - OAuth Authorize Redirect URL: + """ + # Verify CSRF token manually + Helper_App.console_log(f'request headers={request.headers}') + token = request.headers.get(Model_View_Base.FLAG_CSRF_TOKEN) + Helper_App.console_log(f'token={token}') + Helper_App.console_log(f'session={session}') + Helper_App.console_log(f'session token={session.get('csrf_token')}') + if not token or token != session.get('csrf_token'): + token = data.get(Model_View_Base.FLAG_CSRF_TOKEN, None) + Helper_App.console_log(f'token={token}') + if not token or token != session.get('csrf_token'): + raise BadRequest('Invalid or missing CSRF token') + """ + # OAuth login + try: + # callback_login = F'{Model_View_Base.HASH_CALLBACK_LOGIN}{data.get(Model_View_Base.FLAG_CALLBACK, Model_View_Base.HASH_PAGE_HOME)}' + + # encoded_path = quote(data.get(Model_View_Base.FLAG_CALLBACK, Model_View_Base.HASH_PAGE_HOME)) + uri_redirect = url_for('routes_user.login_callback', _external=True) # , subpath=encoded_path + + # uri_redirect = f'{current_app.URL_HOST}/login_callback?subpath={data.get(Model_View_Base.FLAG_CALLBACK, Model_View_Base.HASH_PAGE_HOME)}' + Helper_App.console_log(f'redirect uri: {uri_redirect}') + + Helper_App.console_log(f'Before red') + + red = oauth.auth0.authorize_redirect( + redirect_uri = uri_redirect, + state = quote(hash_callback) + ) + Helper_App.console_log(f'redirect: {red}') + headers = red.headers['Location'] + Helper_App.console_log(f'headers: {headers}') + parsed_url = urlparse(headers) + query_params = parse_qs(parsed_url.query) + Helper_App.console_log(f""" + OAuth Authorize Redirect URL: + + Base URL: {parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path} + {parsed_url} + + Query Parameters: {query_params} + """) + return jsonify({'Success': True, Model_View_Base.FLAG_STATUS: Model_View_Base.FLAG_SUCCESS, f'{Model_View_Base.FLAG_CALLBACK}': headers}) + + return jsonify({'status': 'success', 'redirect': callback}) + except Exception as e: + return jsonify({'status': 'error', 'message': str(e)}), 400 - Base URL: {parsed_url.scheme}://{parsed_url.netloc}{parsed_url.path} - {parsed_url} - - Query Parameters: {query_params} - """) - return jsonify({'Success': True, Model_View_Base.FLAG_STATUS: Model_View_Base.FLAG_SUCCESS, f'{Model_View_Base.FLAG_CALLBACK}': headers}) @routes_user.route("/login_callback") # / def login_callback(): diff --git a/models/__pycache__/model_view_base.cpython-312.pyc b/models/__pycache__/model_view_base.cpython-312.pyc index 03807932..f1ff8428 100644 Binary files a/models/__pycache__/model_view_base.cpython-312.pyc and b/models/__pycache__/model_view_base.cpython-312.pyc differ diff --git a/models/model_view_base.py b/models/model_view_base.py index be0ca7a5..48f266b7 100644 --- a/models/model_view_base.py +++ b/models/model_view_base.py @@ -71,6 +71,7 @@ class Model_View_Base(BaseModel, ABC): FLAG_CONTAINER_ICON_AND_LABEL: ClassVar[str] = 'container-icon-label' FLAG_CONTAINER_INPUT: ClassVar[str] = FLAG_CONTAINER + '-input' FLAG_COUNTY: ClassVar[str] = Base.FLAG_COUNTY + FLAG_CSRF_TOKEN: ClassVar[str] = 'X-CSRFToken' FLAG_CURRENCY: ClassVar[str] = 'currency' FLAG_DATA: ClassVar[str] = 'data' FLAG_DATE_FROM: ClassVar[str] = Base.FLAG_DATE_FROM diff --git a/static/dist/js/main.bundle.js b/static/dist/js/main.bundle.js index 47405187..331d48ad 100644 --- a/static/dist/js/main.bundle.js +++ b/static/dist/js/main.bundle.js @@ -527,6 +527,9 @@ var LocalStorage = /*#__PURE__*/function () { ;// CONCATENATED MODULE: ./static/js/api.js function api_typeof(o) { "@babel/helpers - typeof"; return api_typeof = "function" == typeof Symbol && "symbol" == typeof Symbol.iterator ? function (o) { return typeof o; } : function (o) { return o && "function" == typeof Symbol && o.constructor === Symbol && o !== Symbol.prototype ? "symbol" : typeof o; }, api_typeof(o); } function _regeneratorRuntime() { "use strict"; /*! regenerator-runtime -- Copyright (c) 2014-present, Facebook, Inc. -- license (MIT): https://github.com/facebook/regenerator/blob/main/LICENSE */ _regeneratorRuntime = function _regeneratorRuntime() { return e; }; var t, e = {}, r = Object.prototype, n = r.hasOwnProperty, o = Object.defineProperty || function (t, e, r) { t[e] = r.value; }, i = "function" == typeof Symbol ? Symbol : {}, a = i.iterator || "@@iterator", c = i.asyncIterator || "@@asyncIterator", u = i.toStringTag || "@@toStringTag"; function define(t, e, r) { return Object.defineProperty(t, e, { value: r, enumerable: !0, configurable: !0, writable: !0 }), t[e]; } try { define({}, ""); } catch (t) { define = function define(t, e, r) { return t[e] = r; }; } function wrap(t, e, r, n) { var i = e && e.prototype instanceof Generator ? e : Generator, a = Object.create(i.prototype), c = new Context(n || []); return o(a, "_invoke", { value: makeInvokeMethod(t, r, c) }), a; } function tryCatch(t, e, r) { try { return { type: "normal", arg: t.call(e, r) }; } catch (t) { return { type: "throw", arg: t }; } } e.wrap = wrap; var h = "suspendedStart", l = "suspendedYield", f = "executing", s = "completed", y = {}; function Generator() {} function GeneratorFunction() {} function GeneratorFunctionPrototype() {} var p = {}; define(p, a, function () { return this; }); var d = Object.getPrototypeOf, v = d && d(d(values([]))); v && v !== r && n.call(v, a) && (p = v); var g = GeneratorFunctionPrototype.prototype = Generator.prototype = Object.create(p); function defineIteratorMethods(t) { ["next", "throw", "return"].forEach(function (e) { define(t, e, function (t) { return this._invoke(e, t); }); }); } function AsyncIterator(t, e) { function invoke(r, o, i, a) { var c = tryCatch(t[r], t, o); if ("throw" !== c.type) { var u = c.arg, h = u.value; return h && "object" == api_typeof(h) && n.call(h, "__await") ? e.resolve(h.__await).then(function (t) { invoke("next", t, i, a); }, function (t) { invoke("throw", t, i, a); }) : e.resolve(h).then(function (t) { u.value = t, i(u); }, function (t) { return invoke("throw", t, i, a); }); } a(c.arg); } var r; o(this, "_invoke", { value: function value(t, n) { function callInvokeWithMethodAndArg() { return new e(function (e, r) { invoke(t, n, e, r); }); } return r = r ? r.then(callInvokeWithMethodAndArg, callInvokeWithMethodAndArg) : callInvokeWithMethodAndArg(); } }); } function makeInvokeMethod(e, r, n) { var o = h; return function (i, a) { if (o === f) throw Error("Generator is already running"); if (o === s) { if ("throw" === i) throw a; return { value: t, done: !0 }; } for (n.method = i, n.arg = a;;) { var c = n.delegate; if (c) { var u = maybeInvokeDelegate(c, n); if (u) { if (u === y) continue; return u; } } if ("next" === n.method) n.sent = n._sent = n.arg;else if ("throw" === n.method) { if (o === h) throw o = s, n.arg; n.dispatchException(n.arg); } else "return" === n.method && n.abrupt("return", n.arg); o = f; var p = tryCatch(e, r, n); if ("normal" === p.type) { if (o = n.done ? s : l, p.arg === y) continue; return { value: p.arg, done: n.done }; } "throw" === p.type && (o = s, n.method = "throw", n.arg = p.arg); } }; } function maybeInvokeDelegate(e, r) { var n = r.method, o = e.iterator[n]; if (o === t) return r.delegate = null, "throw" === n && e.iterator["return"] && (r.method = "return", r.arg = t, maybeInvokeDelegate(e, r), "throw" === r.method) || "return" !== n && (r.method = "throw", r.arg = new TypeError("The iterator does not provide a '" + n + "' method")), y; var i = tryCatch(o, e.iterator, r.arg); if ("throw" === i.type) return r.method = "throw", r.arg = i.arg, r.delegate = null, y; var a = i.arg; return a ? a.done ? (r[e.resultName] = a.value, r.next = e.nextLoc, "return" !== r.method && (r.method = "next", r.arg = t), r.delegate = null, y) : a : (r.method = "throw", r.arg = new TypeError("iterator result is not an object"), r.delegate = null, y); } function pushTryEntry(t) { var e = { tryLoc: t[0] }; 1 in t && (e.catchLoc = t[1]), 2 in t && (e.finallyLoc = t[2], e.afterLoc = t[3]), this.tryEntries.push(e); } function resetTryEntry(t) { var e = t.completion || {}; e.type = "normal", delete e.arg, t.completion = e; } function Context(t) { this.tryEntries = [{ tryLoc: "root" }], t.forEach(pushTryEntry, this), this.reset(!0); } function values(e) { if (e || "" === e) { var r = e[a]; if (r) return r.call(e); if ("function" == typeof e.next) return e; if (!isNaN(e.length)) { var o = -1, i = function next() { for (; ++o < e.length;) if (n.call(e, o)) return next.value = e[o], next.done = !1, next; return next.value = t, next.done = !0, next; }; return i.next = i; } } throw new TypeError(api_typeof(e) + " is not iterable"); } return GeneratorFunction.prototype = GeneratorFunctionPrototype, o(g, "constructor", { value: GeneratorFunctionPrototype, configurable: !0 }), o(GeneratorFunctionPrototype, "constructor", { value: GeneratorFunction, configurable: !0 }), GeneratorFunction.displayName = define(GeneratorFunctionPrototype, u, "GeneratorFunction"), e.isGeneratorFunction = function (t) { var e = "function" == typeof t && t.constructor; return !!e && (e === GeneratorFunction || "GeneratorFunction" === (e.displayName || e.name)); }, e.mark = function (t) { return Object.setPrototypeOf ? Object.setPrototypeOf(t, GeneratorFunctionPrototype) : (t.__proto__ = GeneratorFunctionPrototype, define(t, u, "GeneratorFunction")), t.prototype = Object.create(g), t; }, e.awrap = function (t) { return { __await: t }; }, defineIteratorMethods(AsyncIterator.prototype), define(AsyncIterator.prototype, c, function () { return this; }), e.AsyncIterator = AsyncIterator, e.async = function (t, r, n, o, i) { void 0 === i && (i = Promise); var a = new AsyncIterator(wrap(t, r, n, o), i); return e.isGeneratorFunction(r) ? a : a.next().then(function (t) { return t.done ? t.value : a.next(); }); }, defineIteratorMethods(g), define(g, u, "Generator"), define(g, a, function () { return this; }), define(g, "toString", function () { return "[object Generator]"; }), e.keys = function (t) { var e = Object(t), r = []; for (var n in e) r.push(n); return r.reverse(), function next() { for (; r.length;) { var t = r.pop(); if (t in e) return next.value = t, next.done = !1, next; } return next.done = !0, next; }; }, e.values = values, Context.prototype = { constructor: Context, reset: function reset(e) { if (this.prev = 0, this.next = 0, this.sent = this._sent = t, this.done = !1, this.delegate = null, this.method = "next", this.arg = t, this.tryEntries.forEach(resetTryEntry), !e) for (var r in this) "t" === r.charAt(0) && n.call(this, r) && !isNaN(+r.slice(1)) && (this[r] = t); }, stop: function stop() { this.done = !0; var t = this.tryEntries[0].completion; if ("throw" === t.type) throw t.arg; return this.rval; }, dispatchException: function dispatchException(e) { if (this.done) throw e; var r = this; function handle(n, o) { return a.type = "throw", a.arg = e, r.next = n, o && (r.method = "next", r.arg = t), !!o; } for (var o = this.tryEntries.length - 1; o >= 0; --o) { var i = this.tryEntries[o], a = i.completion; if ("root" === i.tryLoc) return handle("end"); if (i.tryLoc <= this.prev) { var c = n.call(i, "catchLoc"), u = n.call(i, "finallyLoc"); if (c && u) { if (this.prev < i.catchLoc) return handle(i.catchLoc, !0); if (this.prev < i.finallyLoc) return handle(i.finallyLoc); } else if (c) { if (this.prev < i.catchLoc) return handle(i.catchLoc, !0); } else { if (!u) throw Error("try statement without catch or finally"); if (this.prev < i.finallyLoc) return handle(i.finallyLoc); } } } }, abrupt: function abrupt(t, e) { for (var r = this.tryEntries.length - 1; r >= 0; --r) { var o = this.tryEntries[r]; if (o.tryLoc <= this.prev && n.call(o, "finallyLoc") && this.prev < o.finallyLoc) { var i = o; break; } } i && ("break" === t || "continue" === t) && i.tryLoc <= e && e <= i.finallyLoc && (i = null); var a = i ? i.completion : {}; return a.type = t, a.arg = e, i ? (this.method = "next", this.next = i.finallyLoc, y) : this.complete(a); }, complete: function complete(t, e) { if ("throw" === t.type) throw t.arg; return "break" === t.type || "continue" === t.type ? this.next = t.arg : "return" === t.type ? (this.rval = this.arg = t.arg, this.method = "return", this.next = "end") : "normal" === t.type && e && (this.next = e), y; }, finish: function finish(t) { for (var e = this.tryEntries.length - 1; e >= 0; --e) { var r = this.tryEntries[e]; if (r.finallyLoc === t) return this.complete(r.completion, r.afterLoc), resetTryEntry(r), y; } }, "catch": function _catch(t) { for (var e = this.tryEntries.length - 1; e >= 0; --e) { var r = this.tryEntries[e]; if (r.tryLoc === t) { var n = r.completion; if ("throw" === n.type) { var o = n.arg; resetTryEntry(r); } return o; } } throw Error("illegal catch attempt"); }, delegateYield: function delegateYield(e, r, n) { return this.delegate = { iterator: values(e), resultName: r, nextLoc: n }, "next" === this.method && (this.arg = t), y; } }, e; } +function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; } +function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { api_defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; } +function api_defineProperty(e, r, t) { return (r = api_toPropertyKey(r)) in e ? Object.defineProperty(e, r, { value: t, enumerable: !0, configurable: !0, writable: !0 }) : e[r] = t, e; } function asyncGeneratorStep(n, t, e, r, o, a, c) { try { var i = n[a](c), u = i.value; } catch (n) { return void e(n); } i.done ? t(u) : Promise.resolve(u).then(r, o); } function _asyncToGenerator(n) { return function () { var t = this, e = arguments; return new Promise(function (r, o) { var a = n.apply(t, e); function _next(n) { asyncGeneratorStep(a, r, o, _next, _throw, "next", n); } function _throw(n) { asyncGeneratorStep(a, r, o, _next, _throw, "throw", n); } _next(void 0); }); }; } function api_classCallCheck(a, n) { if (!(a instanceof n)) throw new TypeError("Cannot call a class as a function"); } @@ -544,7 +547,6 @@ var api_API = /*#__PURE__*/function () { return api_createClass(API, null, [{ key: "getCsrfToken", value: function getCsrfToken() { - // return document.querySelectorAll('meta[name=' + nameCSRFToken + ']').getAttribute('content'); return document.querySelector(idCSRFToken).getAttribute('content'); } }, { @@ -555,6 +557,7 @@ var api_API = /*#__PURE__*/function () { data, params, url, + csrfToken, options, response, _args = arguments; @@ -565,41 +568,42 @@ var api_API = /*#__PURE__*/function () { data = _args.length > 2 && _args[2] !== undefined ? _args[2] : null; params = _args.length > 3 && _args[3] !== undefined ? _args[3] : null; url = API.getUrlFromHash(hashEndpoint, params); + csrfToken = API.getCsrfToken(); options = { method: method, - headers: { - 'Content-Type': 'application/json', - 'X-CSRFToken': API.getCsrfToken() - } + headers: api_defineProperty({ + 'Content-Type': 'application/json' + }, flagCsrfToken, csrfToken) }; if (data && (method === 'POST' || method === 'PUT' || method === 'PATCH')) { + data = _objectSpread(_objectSpread({}, data), {}, api_defineProperty({}, flagCsrfToken, csrfToken)); options.body = JSON.stringify(data); } - _context.prev = 6; - _context.next = 9; + _context.prev = 7; + _context.next = 10; return fetch(url, options); - case 9: + case 10: response = _context.sent; if (response.ok) { - _context.next = 12; + _context.next = 13; break; } throw new Error("HTTP error! status: ".concat(response.status)); - case 12: - _context.next = 14; + case 13: + _context.next = 15; return response.json(); - case 14: + case 15: return _context.abrupt("return", _context.sent); - case 17: - _context.prev = 17; - _context.t0 = _context["catch"](6); + case 18: + _context.prev = 18; + _context.t0 = _context["catch"](7); console.error('API request failed:', _context.t0); throw _context.t0; - case 21: + case 22: case "end": return _context.stop(); } - }, _callee, null, [[6, 17]]); + }, _callee, null, [[7, 18]]); })); function request(_x) { return _request.apply(this, arguments); @@ -3203,8 +3207,8 @@ function mixin_typeof(o) { "@babel/helpers - typeof"; return mixin_typeof = "fun function mixin_createForOfIteratorHelper(r, e) { var t = "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (!t) { if (Array.isArray(r) || (t = mixin_unsupportedIterableToArray(r)) || e && r && "number" == typeof r.length) { t && (r = t); var _n = 0, F = function F() {}; return { s: F, n: function n() { return _n >= r.length ? { done: !0 } : { done: !1, value: r[_n++] }; }, e: function e(r) { throw r; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var o, a = !0, u = !1; return { s: function s() { t = t.call(r); }, n: function n() { var r = t.next(); return a = r.done, r; }, e: function e(r) { u = !0, o = r; }, f: function f() { try { a || null == t["return"] || t["return"](); } finally { if (u) throw o; } } }; } function mixin_unsupportedIterableToArray(r, a) { if (r) { if ("string" == typeof r) return mixin_arrayLikeToArray(r, a); var t = {}.toString.call(r).slice(8, -1); return "Object" === t && r.constructor && (t = r.constructor.name), "Map" === t || "Set" === t ? Array.from(r) : "Arguments" === t || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t) ? mixin_arrayLikeToArray(r, a) : void 0; } } function mixin_arrayLikeToArray(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; } -function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; } -function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { mixin_defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; } +function mixin_ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; } +function mixin_objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? mixin_ownKeys(Object(t), !0).forEach(function (r) { mixin_defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : mixin_ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; } function mixin_defineProperty(e, r, t) { return (r = mixin_toPropertyKey(r)) in e ? Object.defineProperty(e, r, { value: t, enumerable: !0, configurable: !0, writable: !0 }) : e[r] = t, e; } function mixin_classCallCheck(a, n) { if (!(a instanceof n)) throw new TypeError("Cannot call a class as a function"); } function mixin_defineProperties(e, r) { for (var t = 0; t < r.length; t++) { var o = r[t]; o.enumerable = o.enumerable || !1, o.configurable = !0, "value" in o && (o.writable = !0), Object.defineProperty(e, mixin_toPropertyKey(o.key), o); } } @@ -3692,7 +3696,7 @@ var StoreMixinPage = /*#__PURE__*/function () { }, { key: "mergeBaskets", value: function mergeBaskets(basketPrimary, basketSecondary) { - var basket = _objectSpread(_objectSpread({}, basketSecondary), basketPrimary); + var basket = mixin_objectSpread(mixin_objectSpread({}, basketSecondary), basketPrimary); var items = {}; var _iterator = mixin_createForOfIteratorHelper(basketSecondary[keyItems]), _step; diff --git a/static/js/api.js b/static/js/api.js index 6b281dbc..ece66adb 100644 --- a/static/js/api.js +++ b/static/js/api.js @@ -4,21 +4,25 @@ import DOM from './dom.js'; export default class API { static getCsrfToken() { - // return document.querySelectorAll('meta[name=' + nameCSRFToken + ']').getAttribute('content'); return document.querySelector(idCSRFToken).getAttribute('content'); } static async request(hashEndpoint, method = 'GET', data = null, params = null) { const url = API.getUrlFromHash(hashEndpoint, params); + const csrfToken = API.getCsrfToken(); const options = { method, headers: { 'Content-Type': 'application/json', - 'X-CSRFToken': API.getCsrfToken() + [flagCsrfToken]: csrfToken, } }; if (data && (method === 'POST' || method === 'PUT' || method === 'PATCH')) { + data = { + ...data, + [flagCsrfToken]: csrfToken, + }; options.body = JSON.stringify(data); } diff --git a/templates/layouts/layout.html b/templates/layouts/layout.html index 93e500f3..57c2647b 100644 --- a/templates/layouts/layout.html +++ b/templates/layouts/layout.html @@ -33,7 +33,7 @@ } - +