feat(dev): no cache, security;

- Use cache_bust webasset filter.
- Added console logging.
- Syntax fixes.
- Added extra security to JWT handshakes.

Author: JVickery-TBS

ckanext/language_domains/assets/scripts/language_login_sender.js

@@ -54,10 +54,9 @@ window.addEventListener('load', function(){
           return;
         }
 
-        console.log(_event.data);
-
         if( typeof _event.data.login_successful != 'undefined' ){
           loginWindow.close();
+          console.log('Logged into ' + _event.origin + ' - ' + _event.data.login_successful);
           if( _index >= _max ){
             setTimeout(function(){
               window.location.assign(login_redirect);

ckanext/language_domains/assets/scripts/language_logout_sender.js

@@ -56,6 +56,7 @@ window.addEventListener('load', function(){
 
         if( typeof _event.data.logout_successful != 'undefined' ){
           logoutWindow.close();
+          console.log('Logged out of ' + _event.origin + ' - ' + _event.data.logout_successful);
           if( _index >= _max ){
             let tokenFieldName = $('meta[name="csrf_field_name"]').attr('content');
             let tokenValue = $('meta[name="' + tokenFieldName + '"]').attr('content');

ckanext/language_domains/assets/webassets.yml

@@ -2,6 +2,7 @@ css:
   contents:
     - styles/language_domains.css
   output: language_domains/%(version)s_language_domains.css
+  filters: cache_bust
 
 js_login_sender:
   contents:
@@ -10,6 +11,7 @@ js_login_sender:
     preload:
       - base/main  # need ckan JS and jQuery
   output: language_domains/%(version)s_language_login_sender.js
+  filters: cache_bust
 
 js_login_receiver:
   contents:
@@ -18,6 +20,7 @@ js_login_receiver:
     preload:
       - base/main  # need ckan JS and jQuery
   output: language_domains/%(version)s_language_login_receiver.js
+  filters: cache_bust
 
 js_logout_sender:
   contents:
@@ -26,11 +29,13 @@ js_logout_sender:
     preload:
       - base/main  # need ckan JS and jQuery
   output: language_domains/%(version)s_language_logout_sender.js
+  filters: cache_bust
 
 js_logout_receiver:
   contents:
     - scripts/language_logout_receiver.js
   extra:
     preload:
       - base/main  # need ckan JS and jQuery
-  output: language_domains/%(version)s_language_logout_receiver.js
+  output: language_domains/%(version)s_language_logout_receiver.js
+  filters: cache_bust

ckanext/language_domains/blueprint.py

@@ -85,6 +85,8 @@ def login_master():
     if jwt_secret:
         token_data = {
             'user_id': g.userobj.id,
+            'user_agent': request.environ['HTTP_USER_AGENT'],
+            'user_addr': request.remote_addr,
             'exp': datetime.datetime.now(datetime.timezone.utc) +
             datetime.timedelta(minutes=10),
             "iat": datetime.datetime.now(datetime.timezone.utc)
@@ -177,9 +179,14 @@ def login():
 
         userobj = User.get(token_data.get('user_id'))
 
-        if not userobj or userobj.name != post_data['session_user']:
-            return _finish(404,
-                           {'error': _('User not found'),
+        if (
+          not userobj or
+          userobj.name != post_data['session_user'] or
+          token_data.get('user_agent') != request.environ['HTTP_USER_AGENT'] or
+          token_data.get('user_addr') != request.remote_addr
+        ):
+            return _finish(400,
+                           {'error': _('Unable to verify login session'),
                             'success': False},
                            content_type='json')
 
@@ -232,6 +239,8 @@ def logout_master():
         if jwt_secret:
             token_data = {
                 'user_id': g.userobj.id,
+                'user_agent': request.environ['HTTP_USER_AGENT'],
+                'user_addr': request.remote_addr,
                 'exp': datetime.datetime.now(datetime.timezone.utc) +
                 datetime.timedelta(minutes=10),
                 "iat": datetime.datetime.now(datetime.timezone.utc)
@@ -279,9 +288,16 @@ def logout_master():
 
     userobj = User.get(token_data.get('user_id'))
 
-    if not userobj or userobj.name != post_data['session_user']:
-        return _finish(404, {'error': _('User not found'),
-                             'success': False}, content_type='json')
+    if (
+        not userobj or
+        userobj.name != post_data['session_user'] or
+        token_data.get('user_agent') != request.environ['HTTP_USER_AGENT'] or
+        token_data.get('user_addr') != request.remote_addr
+    ):
+        return _finish(400,
+                       {'error': _('Unable to verify login session'),
+                        'success': False},
+                       content_type='json')
 
     g.user = None
     g.userobj = None
@@ -360,9 +376,16 @@ def logout():
 
     userobj = User.get(token_data.get('user_id'))
 
-    if not userobj or userobj.name != post_data['session_user']:
-        return _finish(404, {'error': _('User not found'),
-                             'success': False}, content_type='json')
+    if (
+        not userobj or
+        userobj.name != post_data['session_user'] or
+        token_data.get('user_agent') != request.environ['HTTP_USER_AGENT'] or
+        token_data.get('user_addr') != request.remote_addr
+    ):
+        return _finish(400,
+                       {'error': _('Unable to verify login session'),
+                        'success': False},
+                       content_type='json')
 
     g.user = None
     g.userobj = None

ckanext/language_domains/helpers.py

@@ -182,4 +182,4 @@ def local_url(url_to_amend: str, **kw: Any):
         error = 'There is a broken url being created %s' % kw
         raise CkanUrlException(error)
 
-    return url
+    return url