admin/parts_website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Feat(Security):

Browse Source 
a. Update CORS settings
 b. Update session cookie settings
 c. Remove comments that expose project architecture (and that Claude made most of it :P)
This commit is contained in:
Teddy Middleton-Smith
2025-01-25 14:31:03 +00:00
parent e7231cb67a
commit baa158fcd0
8 changed files with 25 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
app.py
View File

@@ -20,7 +20,7 @@ from config import app_config, Config
from controllers.core import routes_core from controllers.core import routes_core
from controllers.legal import routes_legal from controllers.legal import routes_legal
from controllers.user import routes_user from controllers.user import routes_user
from extensions import db, csrf, cors, mail, oauth from extensions import db, csrf, mail, oauth
from helpers.helper_app import Helper_App from helpers.helper_app import Helper_App
# external # external
from flask import Flask, render_template, jsonify, request, render_template_string, send_from_directory, redirect, url_for, session from flask import Flask, render_template, jsonify, request, render_template_string, send_from_directory, redirect, url_for, session
@@ -73,12 +73,13 @@ def make_session_permanent():
session.permanent = True session.permanent = True
csrf = CSRFProtect() csrf = CSRFProtect()
""" cors = CORS(app, resources={
cors = CORS() r"/static/*": {
db = SQLAlchemy() "origins": [app.config["URL_HOST"]],
mail = Mail() "methods": ["GET"],
oauth = OAuth() "max_age": 3600
""" }
})
csrf.init_app(app) csrf.init_app(app)
cors.init_app(app) cors.init_app(app)
@@ -115,3 +116,13 @@ app.register_blueprint(routes_user)
def console_log(value): def console_log(value):
Helper_App.console_log(value) Helper_App.console_log(value)
return value return value
@app.after_request
def add_cache_headers(response):
if request.path.startswith('/static/'):
# Cache static assets
response.headers['Cache-Control'] = 'public, max-age=31536000'
else:
# No caching for dynamic content
response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, max-age=0'
return response

5
config.py
View File

@@ -40,7 +40,8 @@ class Config:
# Auth0 # Auth0
SESSION_COOKIE_SECURE = True SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True SESSION_COOKIE_HTTPONLY = True
# SESSION_COOKIE_SAMESITE = 'Lax' SESSION_COOKIE_SAMESITE = 'Strict'
REMEMBER_COOKIE_SECURE = True
# PERMANENT_SESSION_LIFETIME = 3600 # PERMANENT_SESSION_LIFETIME = 3600
WTF_CSRF_ENABLED = True WTF_CSRF_ENABLED = True
# WTF_CSRF_CHECK_DEFAULT = False # We'll check it manually for API routes # WTF_CSRF_CHECK_DEFAULT = False # We'll check it manually for API routes
@@ -52,7 +53,7 @@ class Config:
DOMAIN_AUTH0 = os.getenv('DOMAIN_AUTH0') DOMAIN_AUTH0 = os.getenv('DOMAIN_AUTH0')
ID_TOKEN_USER = 'user' ID_TOKEN_USER = 'user'
# PostgreSQL # PostgreSQL
DB_NAME = os.getenv('partsltd') DB_NAME = os.getenv('partsltd_prod')
DB_USER = os.getenv('DB_USER') DB_USER = os.getenv('DB_USER')
DB_PASSWORD = os.getenv('DB_PASSWORD') DB_PASSWORD = os.getenv('DB_PASSWORD')
DB_HOST = os.getenv('DB_HOST') DB_HOST = os.getenv('DB_HOST')

2
extensions.py
View File

@@ -8,7 +8,7 @@ from authlib.integrations.flask_client import OAuth
csrf = CSRFProtect() csrf = CSRFProtect()
cors = CORS() # cors = CORS()
db = SQLAlchemy() db = SQLAlchemy()
mail = Mail() mail = Mail()
oauth = OAuth() oauth = OAuth()

4
requirements.txt
View File

@@ -1,5 +1,5 @@
Flask==3.0.3
flask gunicorn==23.0.0
flask_wtf flask_wtf
flask_sqlalchemy flask_sqlalchemy
flask_cors flask_cors

2
static/js/api.js
View File

@@ -1,6 +1,5 @@
import DOM from './dom.js'; import DOM from './dom.js';
// Module for API calls
export default class API { export default class API {
static getCsrfToken() { static getCsrfToken() {
@@ -151,7 +150,6 @@ export default class API {
const api = new API(); const api = new API();
export default api; export default api;
Example of using the API
document.addEventListener('DOMContentLoaded', () => { document.addEventListener('DOMContentLoaded', () => {
initializeApp(); initializeApp();
setupEventListeners(); setupEventListeners();

15
static/js/app.js
View File

@@ -1,8 +1,6 @@
// Main entry point for the application
'use strict'; 'use strict';
// import API from './api.js';
import DOM from './dom.js'; import DOM from './dom.js';
import Router from './router.js'; import Router from './router.js';
@@ -19,34 +17,24 @@ class App {
} }
setupEventListeners() { setupEventListeners() {
// Global event listeners
// document.addEventListener('click', this.handleGlobalClick.bind(this)); // document.addEventListener('click', this.handleGlobalClick.bind(this));
// Add more global event listeners as needed
} }
handleGlobalClick(event) { handleGlobalClick(event) {
// Handle global click events
} }
start() { start() {
// Additional startup logic
this.initPageCurrent(); this.initPageCurrent();
} }
initPageCurrent() { initPageCurrent() {
/*
_pageCurrent = Router.getPageCurrent();
_pageCurrent.initialize();
*/
this.router.loadPageCurrent(); this.router.loadPageCurrent();
} }
} }
// Application instance
const app = new App(); const app = new App();
// DOM ready handler
function domReady(fn) { function domReady(fn) {
if (document.readyState !== 'loading') { if (document.readyState !== 'loading') {
fn(); fn();
@@ -55,13 +43,10 @@ function domReady(fn) {
} }
} }
// Initialize and start the app when DOM is ready
domReady(() => { domReady(() => {
app.initialize(); app.initialize();
}); });
// Expose app to window for debugging (optional)
window.app = app; window.app = app;
// Export app if using modules
export default app; export default app;

1
static/js/dom.js
View File

@@ -1,7 +1,6 @@
import Validation from "./lib/validation.js"; import Validation from "./lib/validation.js";
// Module for DOM manipulation
export default class DOM { export default class DOM {
static setElementAttributesValuesCurrentAndPrevious(element, data) { static setElementAttributesValuesCurrentAndPrevious(element, data) {
DOM.setElementAttributeValueCurrent(element, data); DOM.setElementAttributeValueCurrent(element, data);

23
static/js/router.js
View File

@@ -12,30 +12,11 @@ import PageLicense from './pages/legal/license.js';
// import PageUserLogout from './pages/user/logout.js'; // import PageUserLogout from './pages/user/logout.js';
// import PageUserAccount from './pages/user/account.js'; // import PageUserAccount from './pages/user/account.js';
import API from './api.js'; import API from './api.js';
import DOM from './dom.js'; import DOM from './dom.js';
import PagePrivacyPolicy from './pages/legal/privacy_policy.js'; import PagePrivacyPolicy from './pages/legal/privacy_policy.js';
import PageRetentionSchedule from './pages/legal/retention_schedule.js'; import PageRetentionSchedule from './pages/legal/retention_schedule.js';
// Create a context for the pages
// const pagesContext = require.context('./pages', true, /\.js$/);
/*
const pageModules = {
// Core
[hashPageHome]: () => import('./pages/core/home.js'),
[hashPageContact]: () => import('./pages/core/contact.js'),
[hashPageServices]: () => import('./pages/core/services.js'),
[hashPageAdminHome]: () => import('./pages/core/admin_home.js'),
// Legal
[hashPageAccessibilityStatement]: () => import('./pages/legal/accessibility_statement.js'),
[hashPageLicense]: () => import('./pages/legal/license.js'),
// User
// Add other pages here...
};
*/
export default class Router { export default class Router {
constructor() { constructor() {
@@ -146,11 +127,8 @@ export default class Router {
} }
} }
// Create and export a singleton instance
export const router = new Router(); export const router = new Router();
// import this for navigation
// Usage example (you can put this in your main.js or app.js)
/* /*
router.addRoute('/', () => { router.addRoute('/', () => {
console.log('Home page'); console.log('Home page');
@@ -162,7 +140,6 @@ router.addRoute('/about', () => {
// Load about page content // Load about page content
}); });
// Example of how to use the router in other parts of your application
export function setupNavigationEvents() { export function setupNavigationEvents() {
document.querySelectorAll('a[data-nav]').forEach(link => { document.querySelectorAll('a[data-nav]').forEach(link => {
link.addEventListener('click', (e) => { link.addEventListener('click', (e) => {