Conditional includes (#17794)

* Split authed/unauthed includes by route

* Only disallow authed includes with robots.txt

* Only fetch authed includes if we are authed

* Update warehouse/static/js/warehouse/utils/html-include.js

Whoopsie

Co-authored-by: Ee Durbin <[email protected]>

* Update warehouse/static/js/warehouse/utils/html-include.js

Whoopsie.

* Handle both full URLs and paths

---------

Co-authored-by: Ee Durbin <[email protected]>

Author: di

tests/functional/manage/test_views.py

@@ -107,7 +107,7 @@ def test_changing_password_succeeds(self, webtest, socket_enabled):
         change_password_form.submit().follow(status=HTTPStatus.OK)
 
         # Request the JavaScript-enabled flash messages directly to get the message
-        resp = webtest.get("/_includes/flash-messages/", status=HTTPStatus.OK)
+        resp = webtest.get("/_includes/authed/flash-messages/", status=HTTPStatus.OK)
         success_message = resp.html.find("span", {"class": "notification-bar__message"})
         assert success_message.text == "Password updated"
 

tests/functional/test_basic.py

@@ -32,7 +32,7 @@ def test_robots_txt(app_config, domain, indexable):
             "User-agent: *\n"
             "Disallow: /simple/\n"
             "Disallow: /packages/\n"
-            "Disallow: /_includes/\n"
+            "Disallow: /_includes/authed/\n"
             "Disallow: /pypi/*/json\n"
             "Disallow: /pypi/*/*/json\n"
             "Disallow: /pypi*?\n"

tests/unit/banners/test_init.py

@@ -26,7 +26,7 @@ def test_includeme():
     assert config.add_route.calls == [
         pretend.call(
             "includes.db-banners",
-            "/_includes/notification-banners/",
+            "/_includes/unauthed/notification-banners/",
             domain="pypi",
         ),
     ]

tests/unit/test_routes.py

@@ -84,65 +84,67 @@ def add_redirect_rule(*args, **kwargs):
         pretend.call("bucket.sitemap.xml", "/{bucket}.sitemap.xml", domain=warehouse),
         pretend.call(
             "includes.current-user-indicator",
-            "/_includes/current-user-indicator/",
+            "/_includes/authed/current-user-indicator/",
             domain=warehouse,
         ),
         pretend.call(
-            "includes.flash-messages", "/_includes/flash-messages/", domain=warehouse
+            "includes.flash-messages",
+            "/_includes/authed/flash-messages/",
+            domain=warehouse,
         ),
         pretend.call(
             "includes.session-notifications",
-            "/_includes/session-notifications/",
+            "/_includes/authed/session-notifications/",
             domain=warehouse,
         ),
         pretend.call(
             "includes.current-user-profile-callout",
-            "/_includes/current-user-profile-callout/{username}",
+            "/_includes/authed/current-user-profile-callout/{username}",
             factory="warehouse.accounts.models:UserFactory",
             traverse="/{username}",
             domain=warehouse,
         ),
         pretend.call(
             "includes.edit-project-button",
-            "/_includes/edit-project-button/{project_name}",
+            "/_includes/authed/edit-project-button/{project_name}",
             factory="warehouse.packaging.models:ProjectFactory",
             traverse="/{project_name}",
             domain=warehouse,
         ),
         pretend.call(
             "includes.profile-actions",
-            "/_includes/profile-actions/{username}",
+            "/_includes/authed/profile-actions/{username}",
             factory="warehouse.accounts.models:UserFactory",
             traverse="/{username}",
             domain=warehouse,
         ),
         pretend.call(
             "includes.profile-public-email",
-            "/_includes/profile-public-email/{username}",
+            "/_includes/authed/profile-public-email/{username}",
             factory="warehouse.accounts.models:UserFactory",
             traverse="/{username}",
             domain=warehouse,
         ),
         pretend.call(
             "includes.sidebar-sponsor-logo",
-            "/_includes/sidebar-sponsor-logo/",
+            "/_includes/unauthed/sidebar-sponsor-logo/",
             domain=warehouse,
         ),
         pretend.call(
             "includes.administer-project-include",
-            "/_includes/administer-project-include/{project_name}",
+            "/_includes/authed/administer-project-include/{project_name}",
             domain=warehouse,
         ),
         pretend.call(
             "includes.administer-user-include",
-            "/_includes/administer-user-include/{user_name}",
+            "/_includes/authed/administer-user-include/{user_name}",
             factory="warehouse.accounts.models:UserFactory",
             traverse="/{user_name}",
             domain=warehouse,
         ),
         pretend.call(
             "includes.submit_malware_report",
-            "/_includes/submit-malware-report/{project_name}",
+            "/_includes/authed/submit-malware-report/{project_name}",
             factory="warehouse.packaging.models:ProjectFactory",
             traverse="/{project_name}",
             domain=warehouse,

warehouse/banners/__init__.py

@@ -17,6 +17,6 @@ def includeme(config):
     # route to async render banner messages
     config.add_route(
         "includes.db-banners",
-        "/_includes/notification-banners/",
+        "/_includes/unauthed/notification-banners/",
         domain=warehouse,
     )

warehouse/routes.py

@@ -76,65 +76,65 @@ def includeme(config):
     # HTML Snippets for including into other pages.
     config.add_route(
         "includes.current-user-indicator",
-        "/_includes/current-user-indicator/",
+        "/_includes/authed/current-user-indicator/",
         domain=warehouse,
     )
     config.add_route(
-        "includes.flash-messages", "/_includes/flash-messages/", domain=warehouse
+        "includes.flash-messages", "/_includes/authed/flash-messages/", domain=warehouse
     )
     config.add_route(
         "includes.session-notifications",
-        "/_includes/session-notifications/",
+        "/_includes/authed/session-notifications/",
         domain=warehouse,
     )
     config.add_route(
         "includes.current-user-profile-callout",
-        "/_includes/current-user-profile-callout/{username}",
+        "/_includes/authed/current-user-profile-callout/{username}",
         factory="warehouse.accounts.models:UserFactory",
         traverse="/{username}",
         domain=warehouse,
     )
     config.add_route(
         "includes.edit-project-button",
-        "/_includes/edit-project-button/{project_name}",
+        "/_includes/authed/edit-project-button/{project_name}",
         factory="warehouse.packaging.models:ProjectFactory",
         traverse="/{project_name}",
         domain=warehouse,
     )
     config.add_route(
         "includes.profile-actions",
-        "/_includes/profile-actions/{username}",
+        "/_includes/authed/profile-actions/{username}",
         factory="warehouse.accounts.models:UserFactory",
         traverse="/{username}",
         domain=warehouse,
     )
     config.add_route(
         "includes.profile-public-email",
-        "/_includes/profile-public-email/{username}",
+        "/_includes/authed/profile-public-email/{username}",
         factory="warehouse.accounts.models:UserFactory",
         traverse="/{username}",
         domain=warehouse,
     )
     config.add_route(
         "includes.sidebar-sponsor-logo",
-        "/_includes/sidebar-sponsor-logo/",
+        "/_includes/unauthed/sidebar-sponsor-logo/",
         domain=warehouse,
     )
     config.add_route(
         "includes.administer-project-include",
-        "/_includes/administer-project-include/{project_name}",
+        "/_includes/authed/administer-project-include/{project_name}",
         domain=warehouse,
     )
     config.add_route(
         "includes.administer-user-include",
-        "/_includes/administer-user-include/{user_name}",
+        "/_includes/authed/administer-user-include/{user_name}",
         factory="warehouse.accounts.models:UserFactory",
         traverse="/{user_name}",
         domain=warehouse,
     )
     config.add_route(
         "includes.submit_malware_report",
-        "/_includes/submit-malware-report/{project_name}",
+        "/_includes/authed/submit-malware-report/{project_name}",
         factory="warehouse.packaging.models:ProjectFactory",
         traverse="/{project_name}",
         domain=warehouse,

warehouse/static/js/warehouse/utils/html-include.js

@@ -19,6 +19,11 @@ const fetchOptions = {
 };
 
 export default () => {
+  // Check if we have an authenticated session
+  let authed = document.cookie.split(";").some(
+    v => v.trim().startsWith("user_id__insecure="),
+  );
+
   // Each HTML include will generate a promise, which we'll later use to wait
   // on once all the promises have been resolved.
   let promises = [];
@@ -31,7 +36,24 @@ export default () => {
   // data-html-include attribute and replace it's content with that. This uses
   // the new fetch() API which returns a Promise.
   elements.forEach((element) => {
-    let p = fetch(element.getAttribute("data-html-include"), fetchOptions)
+    let url = element.getAttribute("data-html-include");
+    if (!authed) {
+      // Don't fetch authed URLs if we aren't authenticated
+      try {
+        // Attempt to parse as full URL
+        const pathname = new URL(url, "http://example.com").pathname;
+        if (pathname.startsWith("/_includes/authed/")) {
+          return;
+        }
+      } catch (e) {
+        // If parsing fails, assume it's just a path
+        if (url.startsWith("/_includes/authed/")) {
+          return;
+        }
+      }
+    }
+
+    let p = fetch(url, fetchOptions)
       .then(response => {
         if (response.ok) { return response.text(); }
         else { return ""; }

warehouse/templates/robots.txt

@@ -6,7 +6,7 @@ Disallow: /
 {% else %}
 Disallow: /simple/
 Disallow: /packages/
-Disallow: /_includes/
+Disallow: /_includes/authed/
 Disallow: /pypi/*/json
 Disallow: /pypi/*/*/json
 Disallow: /pypi*?