From 68c13b275d8d1ca623ccb8349e8075aca411505e Mon Sep 17 00:00:00 2001
From: Thomas Sileo
Date: Fri, 8 Jul 2022 09:01:25 +0200
Subject: [PATCH] Tweak design and try to prevent CSRF issues

---
 app/main.py | 11 +++++++++++
 app/templates/utils.html | 4 ++++
 poetry.lock | 17 ++++++++++++++++-
 pyproject.toml | 1 +
 4 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/app/main.py b/app/main.py
index ea5180d..bf4f79b 100644
--- a/app/main.py
+++ b/app/main.py
@@ -122,6 +122,17 @@ async def add_security_headers(request: Request, call_next):
 response.headers["x-content-type-options"] = "nosniff"
 response.headers["x-xss-protection"] = "1; mode=block"
 response.headers["x-frame-options"] = "SAMEORIGIN"
+ if request.url.path.startswith("/admin/login") or (
+ is_current_user_admin(request)
+ and not (
+ request.url.path.startswith("/attachments")
+ or request.url.path.startswith("/proxy")
+ or request.url.path.startswith("/static")
+ )
+ ):
+ # Prevent caching (to prevent caching CSRF tokens)
+ response.headers["Cache-Control"] = "private"
+
 # TODO(ts): disallow inline CSS?
 if DEBUG:
 return response
diff --git a/app/templates/utils.html b/app/templates/utils.html
index 48c5755..d42d051 100644
--- a/app/templates/utils.html
+++ b/app/templates/utils.html
@@ -165,6 +165,7 @@ {% if metadata.is_following %}
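Review bot: `Cache-Control: private` does not prevent caching — it only forbids shared caches from storing the response, so the browser's own HTTP cache (including back/forward navigation) can still keep the admin pages and the CSRF tokens embedded in them, which is exactly what the new block in add_security_headers is trying to avoid; the comment `# Prevent caching (to prevent caching CSRF tokens)` therefore promises more than the header delivers. To actually stop storage, set `response.headers["Cache-Control"] = "no-store"` (a `Vary: Cookie` header would also be appropriate now that the response differs by session), and reword the comment to say the page is marked non-storable because it embeds per-session CSRF tokens. Separately, `is_current_user_admin(request)` now runs for every response passing through the middleware; its implementation is not visible here, so it is worth confirming it is cheap and does not raise on unexpected or malformed cookies, since an exception at this point would turn an otherwise finished response into an error. add_security_headers starts before and continues after the hunk.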
  • already following
  • {{ admin_undo_button(metadata.outbox_follow_ap_id, "unfollow")}}
  • +
  • {{ admin_profile_button(actor.ap_id) }}
  • {% elif metadata.is_follow_request_sent %}
  • follow request sent
  • {% else %} @@ -172,6 +173,9 @@ {% endif %} {% if metadata.is_follower %}
  • follows you
  • + {% if not metadata.is_following %} +
  • {{ admin_profile_button(actor.ap_id) }}
  • + {% endif %} {% endif %} diff --git a/poetry.lock b/poetry.lock index 1c65824..8b38cdc 100644 --- a/poetry.lock +++ b/poetry.lock @@ -429,6 +429,17 @@ cli = ["click (>=8.0.0,<9.0.0)", "rich (>=10,<13)", "pygments (>=2.0.0,<3.0.0)"] http2 = ["h2 (>=3,<5)"] socks = ["socksio (>=1.0.0,<2.0.0)"] +[[package]] +name = "humanize" +version = "4.2.3" +description = "Python humanize utilities" +category = "main" +optional = false +python-versions = ">=3.7" + +[package.extras] +tests = ["freezegun", "pytest", "pytest-cov"] + [[package]] name = "idna" version = "3.3" @@ -1151,7 +1162,7 @@ dev = ["pytest (>=4.6.2)", "black (>=19.3b0)"] [metadata] lock-version = "1.1" python-versions = "^3.10" -content-hash = "4ea5cf809ffddcabfa9f23de9051538b7c8f7b96c5d79883b469a0e1cff2864b" +content-hash = "1192c7c9d7ce2b93f928406f66c6a6797581bdb4928974679f7b8a0a08a1cf9f" [metadata.files] aiosqlite = [ @@ -1451,6 +1462,10 @@ httpx = [ {file = "httpx-0.23.0-py3-none-any.whl", hash = "sha256:42974f577483e1e932c3cdc3cd2303e883cbfba17fe228b0f63589764d7b9c4b"}, {file = "httpx-0.23.0.tar.gz", hash = "sha256:f28eac771ec9eb4866d3fb4ab65abd42d38c424739e80c08d8d20570de60b0ef"}, ] +humanize = [ + {file = "humanize-4.2.3-py3-none-any.whl", hash = "sha256:bed628920d45cd5018abb095710f0c03a8336d6ac0790e7647c6a328f3880b81"}, + {file = "humanize-4.2.3.tar.gz", hash = "sha256:2bc1fdd831cd00557d3010abdd84d3e41b4a96703a3eaf6c24ee290b26b75a44"}, +] idna = [ {file = "idna-3.3-py3-none-any.whl", hash = "sha256:84d9dd047ffa80596e0f246e2eab0b391788b0503584e8945f2368256d2735ff"}, {file = "idna-3.3.tar.gz", hash = "sha256:9d643ff0a55b762d5cdb124b8eaa99c66322e2157b69160bc32796e824360e6d"}, diff --git a/pyproject.toml b/pyproject.toml index 1ae22dc..4a6d373 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -39,6 +39,7 @@ emoji = "^1.7.0" PyLD = "^2.0.3" aiosqlite = "^0.17.0" cachetools = "^5.2.0" +humanize = "^4.2.3" [tool.poetry.dev-dependencies] black = "^22.3.0"