Tweak design and try to prevent CSRF issues

2022-07-08 09:01:25 +02:00 · 2022-07-08 09:01:25 +02:00 · 68c13b275d
parent 7bb417759e
commit 68c13b275d
4 changed files with 32 additions and 1 deletions
--- a/app/main.py
+++ b/app/main.py
@ -122,6 +122,17 @@ async def add_security_headers(request: Request, call_next):
    response.headers["x-content-type-options"] = "nosniff"
    response.headers["x-xss-protection"] = "1; mode=block"
    response.headers["x-frame-options"] = "SAMEORIGIN"
+    if request.url.path.startswith("/admin/login") or (
+        is_current_user_admin(request)
+        and not (
+            request.url.path.startswith("/attachments")
+            or request.url.path.startswith("/proxy")
+            or request.url.path.startswith("/static")
+        )
+    ):
+        # Prevent caching (to prevent caching CSRF tokens)
+        response.headers["Cache-Control"] = "private"
+
    # TODO(ts): disallow inline CSS?
    if DEBUG:
        return response
--- a/app/templates/utils.html
+++ b/app/templates/utils.html
@ -165,6 +165,7 @@
            {% if metadata.is_following %}
                <li>already following</li>
                <li>{{ admin_undo_button(metadata.outbox_follow_ap_id, "unfollow")}}</li>
+                <li>{{ admin_profile_button(actor.ap_id) }}</li>
            {% elif metadata.is_follow_request_sent %}
                <li>follow request sent</li>
            {% else %}
@ -172,6 +173,9 @@
            {% endif %}
            {% if metadata.is_follower %}
                <li>follows you</li>
+                {% if not metadata.is_following %}
+                <li>{{ admin_profile_button(actor.ap_id) }}</li>
+                {% endif %}
            {% endif %}
        </li>
    </ul>
--- a/poetry.lock
+++ b/poetry.lock
@ -429,6 +429,17 @@ cli = ["click (>=8.0.0,<9.0.0)", "rich (>=10,<13)", "pygments (>=2.0.0,<3.0.0)"]
 http2 = ["h2 (>=3,<5)"]
 socks = ["socksio (>=1.0.0,<2.0.0)"]

+[[package]]
+name = "humanize"
+version = "4.2.3"
+description = "Python humanize utilities"
+category = "main"
+optional = false
+python-versions = ">=3.7"
+
+[package.extras]
+tests = ["freezegun", "pytest", "pytest-cov"]
+
 [[package]]
 name = "idna"
 version = "3.3"
@ -1151,7 +1162,7 @@ dev = ["pytest (>=4.6.2)", "black (>=19.3b0)"]
 [metadata]
 lock-version = "1.1"
 python-versions = "^3.10"
-content-hash = "4ea5cf809ffddcabfa9f23de9051538b7c8f7b96c5d79883b469a0e1cff2864b"
+content-hash = "1192c7c9d7ce2b93f928406f66c6a6797581bdb4928974679f7b8a0a08a1cf9f"

 [metadata.files]
 aiosqlite = [
@ -1451,6 +1462,10 @@ httpx = [
    {file = "httpx-0.23.0-py3-none-any.whl", hash = "sha256:42974f577483e1e932c3cdc3cd2303e883cbfba17fe228b0f63589764d7b9c4b"},
    {file = "httpx-0.23.0.tar.gz", hash = "sha256:f28eac771ec9eb4866d3fb4ab65abd42d38c424739e80c08d8d20570de60b0ef"},
 ]
+humanize = [
+    {file = "humanize-4.2.3-py3-none-any.whl", hash = "sha256:bed628920d45cd5018abb095710f0c03a8336d6ac0790e7647c6a328f3880b81"},
+    {file = "humanize-4.2.3.tar.gz", hash = "sha256:2bc1fdd831cd00557d3010abdd84d3e41b4a96703a3eaf6c24ee290b26b75a44"},
+]
 idna = [
    {file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"},
    {file = "idna-3.3.tar.gz", hash = "sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d"},
--- a/pyproject.toml
+++ b/pyproject.toml
@ -39,6 +39,7 @@ emoji = "^1.7.0"
 PyLD = "^2.0.3"
 aiosqlite = "^0.17.0"
 cachetools = "^5.2.0"
+humanize = "^4.2.3"

 [tool.poetry.dev-dependencies]
 black = "^22.3.0"