admin/parts_website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Feat(Security):

Browse Source 
a. Update CORS settings
 b. Update session cookie settings
 c. Remove comments that expose project architecture (and that Claude made most of it :P)
This commit is contained in:
Teddy Middleton-Smith
2025-01-25 14:31:03 +00:00
parent e7231cb67a
commit baa158fcd0
8 changed files with 25 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
app.py
View File

@@ -20,7 +20,7 @@ from config import app_config, Config
from controllers.core import routes_core
from controllers.legal import routes_legal
from controllers.user import routes_user
from extensions import db, csrf, cors, mail, oauth
from extensions import db, csrf, mail, oauth
from helpers.helper_app import Helper_App
# external
from flask import Flask, render_template, jsonify, request, render_template_string, send_from_directory, redirect, url_for, session
@@ -73,12 +73,13 @@ def make_session_permanent():
session.permanent = True
csrf = CSRFProtect()
"""
cors = CORS()
db = SQLAlchemy()
mail = Mail()
oauth = OAuth()
"""
cors = CORS(app, resources={
r"/static/*": {
"origins": [app.config["URL_HOST"]],
"methods": ["GET"],
"max_age": 3600
}
})
csrf.init_app(app)
cors.init_app(app)
@@ -114,4 +115,14 @@ app.register_blueprint(routes_user)
@app.template_filter('console_log')
def console_log(value):
Helper_App.console_log(value)
return value
return value
@app.after_request
def add_cache_headers(response):
if request.path.startswith('/static/'):
# Cache static assets
response.headers['Cache-Control'] = 'public, max-age=31536000'
else:
# No caching for dynamic content
response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, max-age=0'
return response

5
config.py
View File

@@ -40,7 +40,8 @@ class Config:
# Auth0
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
# SESSION_COOKIE_SAMESITE = 'Lax'
SESSION_COOKIE_SAMESITE = 'Strict'
REMEMBER_COOKIE_SECURE = True
# PERMANENT_SESSION_LIFETIME = 3600
WTF_CSRF_ENABLED = True
# WTF_CSRF_CHECK_DEFAULT = False # We'll check it manually for API routes
@@ -52,7 +53,7 @@ class Config:
DOMAIN_AUTH0 = os.getenv('DOMAIN_AUTH0')
ID_TOKEN_USER = 'user'
# PostgreSQL
DB_NAME = os.getenv('partsltd')
DB_NAME = os.getenv('partsltd_prod')
DB_USER = os.getenv('DB_USER')
DB_PASSWORD = os.getenv('DB_PASSWORD')
DB_HOST = os.getenv('DB_HOST')

2
extensions.py
View File

@@ -8,7 +8,7 @@ from authlib.integrations.flask_client import OAuth
csrf = CSRFProtect()
cors = CORS()
# cors = CORS()
db = SQLAlchemy()
mail = Mail()
oauth = OAuth()

4
requirements.txt
View File

@@ -1,5 +1,5 @@
flask
Flask==3.0.3
gunicorn==23.0.0
flask_wtf
flask_sqlalchemy
flask_cors

2
static/js/api.js
View File

@@ -1,6 +1,5 @@
import DOM from './dom.js';
// Module for API calls
export default class API {
static getCsrfToken() {
@@ -151,7 +150,6 @@ export default class API {
const api = new API();
export default api;
Example of using the API
document.addEventListener('DOMContentLoaded', () => {
initializeApp();
setupEventListeners();

15
static/js/app.js
View File

@@ -1,8 +1,6 @@
// Main entry point for the application
'use strict';
// import API from './api.js';
import DOM from './dom.js';
import Router from './router.js';
@@ -19,34 +17,24 @@ class App {
}
setupEventListeners() {
// Global event listeners
// document.addEventListener('click', this.handleGlobalClick.bind(this));
// Add more global event listeners as needed
}
handleGlobalClick(event) {
// Handle global click events
}
start() {
// Additional startup logic
this.initPageCurrent();
}
initPageCurrent() {
/*
_pageCurrent = Router.getPageCurrent();
_pageCurrent.initialize();
*/
this.router.loadPageCurrent();
}
}
// Application instance
const app = new App();
// DOM ready handler
function domReady(fn) {
if (document.readyState !== 'loading') {
fn();
@@ -55,13 +43,10 @@ function domReady(fn) {
}
}
// Initialize and start the app when DOM is ready
domReady(() => {
app.initialize();
});
// Expose app to window for debugging (optional)
window.app = app;
// Export app if using modules
export default app;

1
static/js/dom.js
View File

@@ -1,7 +1,6 @@
import Validation from "./lib/validation.js";
// Module for DOM manipulation
export default class DOM {
static setElementAttributesValuesCurrentAndPrevious(element, data) {
DOM.setElementAttributeValueCurrent(element, data);

23
static/js/router.js
View File

@@ -12,30 +12,11 @@ import PageLicense from './pages/legal/license.js';
// import PageUserLogout from './pages/user/logout.js';
// import PageUserAccount from './pages/user/account.js';
import API from './api.js';
import DOM from './dom.js';
import PagePrivacyPolicy from './pages/legal/privacy_policy.js';
import PageRetentionSchedule from './pages/legal/retention_schedule.js';
// Create a context for the pages
// const pagesContext = require.context('./pages', true, /\.js$/);
/*
const pageModules = {
// Core
[hashPageHome]: () => import('./pages/core/home.js'),
[hashPageContact]: () => import('./pages/core/contact.js'),
[hashPageServices]: () => import('./pages/core/services.js'),
[hashPageAdminHome]: () => import('./pages/core/admin_home.js'),
// Legal
[hashPageAccessibilityStatement]: () => import('./pages/legal/accessibility_statement.js'),
[hashPageLicense]: () => import('./pages/legal/license.js'),
// User
// Add other pages here...
};
*/
export default class Router {
constructor() {
@@ -146,11 +127,8 @@ export default class Router {
}
}
// Create and export a singleton instance
export const router = new Router();
// import this for navigation
// Usage example (you can put this in your main.js or app.js)
/*
router.addRoute('/', () => {
console.log('Home page');
@@ -162,7 +140,6 @@ router.addRoute('/about', () => {
// Load about page content
});
// Example of how to use the router in other parts of your application
export function setupNavigationEvents() {
document.querySelectorAll('a[data-nav]').forEach(link => {
link.addEventListener('click', (e) => {