Merge pull request #342 from nemozak1/develop
Add Secure and HttpOnly flags to CSRF token cookies, make session timer discreet
simonredfern authored Nov 22, 2023
2 parents b258431 + 385faab commit 460193e
Showing 3 changed files with 11 additions and 5 deletions.
10 changes: 7 additions & 3 deletions apimanager/apimanager/settings.py
Expand Up @@ -15,7 +15,6 @@
from django.core.exceptions import ImproperlyConfigured
from django.urls import reverse_lazy


# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

Expand Down Expand Up @@ -273,9 +272,12 @@
# Session Cookie Settings
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_AGE = 300
SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
SESSION_COOKIE_AGE = 300

# CSRF Cookie Settings
CSRF_COOKIE_HTTPONLY = True
CSRF_COOKIE_SECURE = True

# Paths on API_HOST to OAuth
OAUTH_TOKEN_PATH = '/oauth/initiate'
Expand Down Expand Up @@ -317,6 +319,8 @@
# Global
UNDEFINED = "<undefined>"

API_ROOT_KEY = "v500"

# Local settings can replace any value ABOVE
try:
from apimanager.local_settings import * # noqa
Expand Down Expand Up @@ -350,7 +354,7 @@

CSP_IMG_SRC = ("'self' data:", 'https://static.openbankproject.com')
CSP_STYLE_SRC = ("'self' 'sha256-z2a+NIknPDE7NIEqE1lfrnG39eWOhJXWsXHYGGNb5oU=' 'sha256-Dn0vMZLidJplZ4cSlBMg/F5aa7Vol9dBMHzBF4fGEtk=' 'sha256-sA0hymKbXmMTpnYi15KmDw4u6uRdLXqHyoYIaORFtjU=' 'sha256-jUuiwf3ITuJc/jfynxWHLwTZifHIlhddD8NPmmVBztk=' 'sha256-RqzjtXRBqP4i+ruV3IRuHFq6eGIACITqGbu05VSVXsI='", 'https://cdnjs.cloudflare.com', )
CSP_SCRIPT_SRC = ("'self' 'sha256-4Hr8ttnXaUA4A6o0hGi3NUGNP2Is3Ep0W+rvm+W7BAk=' 'sha256-GgQWQ4Ejk4g9XpAZJ4YxIgZDgp7CdQCmqjMOMh9hD2g=' 'sha256-05NIAwVBHkAzKcXTfkYqTnBPtkpX+AmQvM/raql3qo0='", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com')
CSP_SCRIPT_SRC = ("'self' 'unsafe-eval' 'sha256-4Hr8ttnXaUA4A6o0hGi3NUGNP2Is3Ep0W+rvm+W7BAk=' 'sha256-GgQWQ4Ejk4g9XpAZJ4YxIgZDgp7CdQCmqjMOMh9hD2g=' 'sha256-05NIAwVBHkAzKcXTfkYqTnBPtkpX+AmQvM/raql3qo0='", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com')
CSP_FONT_SRC = ("'self'", 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/')
CSP_FRAME_ANCESTORS = ("'self'")
CSP_FORM_ACTION = ("'self'")
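Review bot: The new CSP_SCRIPT_SRC line adds 'unsafe-eval' to the script policy with no comment, and neither the commit title nor the description mentions it; permitting eval() and Function() for every script that already passes the hash and host allow-list largely undoes the protection the pinned sha256 hashes provide, so the line needs a justification such as `# 'unsafe-eval' required by <library - TODO name>; drop once that dependency no longer needs it`, or better, the dependency that needs it should be replaced. CSRF_COOKIE_HTTPONLY = True makes the csrftoken cookie unreadable from JavaScript, so any script in this project that copies the cookie into the X-CSRFToken header for AJAX calls must switch to reading the hidden `{% csrf_token %}` form input; the templates' scripts are not visible here, so this needs confirming, and Django's own documentation notes the practical benefit of the HttpOnly flag on this particular cookie is marginal. A short comment on the new CSRF block saying which of the two motivations applies would save the next reader that lookup.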
4 changes: 3 additions & 1 deletion apimanager/base/static/js/inactivity-timer.js
Expand Up @@ -8,13 +8,15 @@ function addSeconds(date, seconds) {
}

export function showCountdownTimer() {
//TODO rather than display a timer the whole time in a span, make it only show when there are e.g. 30 seconds left.
// Maybe a whole page alert that the user will be logged out soon.

// Get current date and time
var now = new Date().getTime();
let distance = countDownDate - now;
// Output the result in an element with id="countdown-timer-span"
let elementId = ("countdown-timer-span");
document.getElementById(elementId).innerHTML = "in " + Math.floor(distance / 1000) + "s";
document.getElementById(elementId).innerHTML = Math.floor(distance / 1000) + "s";

// If the count down is over release resources
if (distance < 0) {
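Review bot: The rewritten assignment still writes plain text through innerHTML; the value is only a number and a unit, so `document.getElementById(elementId).textContent = Math.floor(distance / 1000) + "s";` says what is meant and rules out any HTML interpretation of what is written. The lookup also has no null check, so a page whose template omits the `countdown-timer-span` element throws inside this timer callback; looking the element up once and returning early when it is absent would be safer. showCountdownTimer's body continues past the hunk (the `if (distance < 0)` branch), and countDownDate is defined outside it.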
2 changes: 1 addition & 1 deletion apimanager/base/templates/base.html
Expand Up @@ -107,7 +107,7 @@
<p class="navbar-right button-select">
<span id="navbar-login-username">{{API_USERNAME}}</span>&nbsp;&nbsp;
<a id="logout" href="/logout" class="btn btn-default">{% trans "Logout" %}</a>
<span class="badge badge-secondary" id="countdown-timer-span"></span>
<span id="countdown-timer-span"></span>
</p>
{% endif %}
</li>
