From fe1d8bc3abad80f66efddb8cc045ccecd6e5adbb Mon Sep 17 00:00:00 2001
From: freya
Date: Sat, 1 Jul 2023 05:50:42 +0100
Subject: [PATCH] Auth fix (#56)
* added some missing auth urls locally to test properly
* added new error messages to auth page this will be set up for the auth urls to redirect with a message
* set up bad allauth urls to redirect to savageaim auth
* version bump
* updated backend dockerfiles with better procedures
* updated backend requirements for security
* update actions to use omit=dev for audit
---
.github/workflows/npm-audit.yml | 2 +-
backend/backend/settings_live.py | 2 +-
backend/backend/urls.py | 18 ++++++++++++++++--
backend/backend/urls_live.py | 20 +++++++++++++++-----
backend/deployment/Dockerfile | 13 ++++++++-----
backend/deployment/ws.Dockerfile | 13 ++++++++-----
backend/requirements.txt | 6 +++---
frontend/.env | 2 +-
frontend/src/components/modals/changelog.vue | 8 +-------
frontend/src/main.ts | 2 +-
frontend/src/views/auth.vue | 18 ++++++++++++++++++
11 files changed, 73 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/npm-audit.yml b/.github/workflows/npm-audit.yml
index e8cd3666..c63fc314 100644
--- a/.github/workflows/npm-audit.yml
+++ b/.github/workflows/npm-audit.yml
@@ -18,4 +18,4 @@ jobs:
uses: actions/setup-node@v2
with:
node-version: 16
- - run: npm audit --production
+ - run: npm audit --omit=dev
diff --git a/backend/backend/settings_live.py b/backend/backend/settings_live.py
index 59a061e3..e7b9d18a 100644
--- a/backend/backend/settings_live.py
+++ b/backend/backend/settings_live.py
@@ -178,7 +178,7 @@ def sampler(context):
# If you wish to associate users to errors (assuming you are using
# django.contrib.auth) you may enable sending PII data.
send_default_pii=True,
- release='savageaim@20230601',
+ release='savageaim@20230701',
)
# Channels
diff --git a/backend/backend/urls.py b/backend/backend/urls.py
index 82419052..bef0bc2c 100644
--- a/backend/backend/urls.py
+++ b/backend/backend/urls.py
@@ -14,18 +14,32 @@
2. Add a URL to urlpatterns: path('blog/', include('blog.urls'))
"""
from allauth.socialaccount.providers.discord.urls import urlpatterns as discord_urls
+from django.conf import settings
from django.contrib import admin
from django.contrib.auth.views import LogoutView
from django.http import HttpResponse
from django.urls import path, include
+from django.views.generic.base import RedirectView
patterns = [
path('admin/', admin.site.urls),
path('api/', include(('api.urls', 'api'))),
- # Auth stuff (TODO - replace this because it's sorta workaroundy)
- path('accounts/', include(discord_urls)),
path('health/', lambda _: HttpResponse()),
path('logout/', LogoutView.as_view()),
+
+ # Auth stuff (TODO - replace this because it's sorta workaroundy)
+ path('accounts/', include(discord_urls)),
+ # Set auth urls to redirect and display an error message instead
+ path(
+ 'auth/cancelled/',
+ RedirectView.as_view(url=f'{settings.LOGIN_REDIRECT_URL}/auth/?auth_cancelled=1', permanent=True),
+ name='socialaccount_login_cancelled',
+ ),
+ path(
+ 'auth/error/',
+ RedirectView.as_view(url=f'{settings.LOGIN_REDIRECT_URL}/auth/?auth_error=1', permanent=True),
+ name='socialaccount_login_error',
+ ),
]
urlpatterns = [
diff --git a/backend/backend/urls_live.py b/backend/backend/urls_live.py
index 730d3119..b4090904 100644
--- a/backend/backend/urls_live.py
+++ b/backend/backend/urls_live.py
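Review bot: The target of the two new `RedirectView.as_view(url=f'{settings.LOGIN_REDIRECT_URL}/auth/?...')` entries is built by plain string concatenation, so its safety rests on `LOGIN_REDIRECT_URL` being an absolute origin with no trailing slash, and nothing in this file checks that. If the setting is ever a bare path such as `/`, the result is `//auth/?auth_cancelled=1`, which browsers treat as a scheme-relative URL and follow to an external host named `auth`; an absolute value with a trailing slash yields a double-slash path instead. Normalising once at module level covers both cases: `_FRONTEND = settings.LOGIN_REDIRECT_URL.rstrip('/')` and then `url=f'{_FRONTEND}/auth/?auth_cancelled=1'`. The `url=` argument is also evaluated at import time, which is fine for a settings value but deserves a one-line comment, since `override_settings` in tests will not affect an already-built pattern.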
@@ -14,20 +14,30 @@
2. Add a URL to urlpatterns: path('blog/', include('blog.urls'))
"""
from allauth.socialaccount.providers.discord.urls import urlpatterns as discord_urls
-from allauth.socialaccount.views import login_cancelled, login_error
+from django.conf import settings
from django.contrib.auth.views import LogoutView
from django.http import HttpResponse
from django.urls import path, include
+from django.views.generic.base import RedirectView
patterns = [
path('api/', include(('api.urls', 'api'))),
+ path('health/', lambda _: HttpResponse()),
+ path('logout/', LogoutView.as_view()),
# Auth stuff (TODO - replace this because it's sorta workaroundy)
path('accounts/', include(discord_urls)),
- path('auth/cancelled/', login_cancelled, name='socialaccount_login_cancelled'),
- path('auth/error/', login_error, name='socialaccount_login_error'),
- path('health/', lambda _: HttpResponse()),
- path('logout/', LogoutView.as_view()),
+ # Set auth urls to redirect and display an error message instead
+ path(
+ 'auth/cancelled/',
+ RedirectView.as_view(url=f'{settings.LOGIN_REDIRECT_URL}/auth/?auth_cancelled=1', permanent=True),
+ name='socialaccount_login_cancelled',
+ ),
+ path(
+ 'auth/error/',
+ RedirectView.as_view(url=f'{settings.LOGIN_REDIRECT_URL}/auth/?auth_error=1', permanent=True),
+ name='socialaccount_login_error',
+ ),
]
urlpatterns = [
diff --git a/backend/deployment/Dockerfile b/backend/deployment/Dockerfile
index 3ebe62f1..54a34843 100644
--- a/backend/deployment/Dockerfile
+++ b/backend/deployment/Dockerfile
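Review bot: Both new routes use `permanent=True`, i.e. HTTP 301, which browsers and intermediate caches may store indefinitely, so any later change to `LOGIN_REDIRECT_URL` or to the `auth_cancelled`/`auth_error` query contract with the frontend will never reach a client that has hit one of these pages before. A redirect whose target is configuration-dependent should be a 302; dropping the argument (`permanent=False` is the default) does that in one token per route. The two `path(...)` blocks are now also duplicated verbatim between `urls.py` and `urls_live.py`; defining them once as a shared list, e.g. `AUTH_ERROR_PATTERNS` in a module both files import, would prevent the dev/live drift this commit appears to have had to repair.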
@@ -2,12 +2,15 @@
FROM python:3
WORKDIR /savage-aim
-COPY . .
+# Copy and install requirements
+COPY requirements.txt .
+RUN pip3 install -r requirements.txt
+RUN pip3 install gunicorn
+
-# Install requirements and move live files to the correct spot
-RUN pip3 install -r requirements.txt && \
- pip3 install gunicorn && \
- mv backend/urls_live.py backend/urls.py && \
+# Copy rest of files, and set up proper live file links
+COPY . .
+RUN mv backend/urls_live.py backend/urls.py && \
mv backend/settings_live.py backend/settings.py
# Set the gunicorn to run the wsgi file
diff --git a/backend/deployment/ws.Dockerfile b/backend/deployment/ws.Dockerfile
index 6c686b65..c5d50a27 100644
--- a/backend/deployment/ws.Dockerfile
+++ b/backend/deployment/ws.Dockerfile
@@ -2,12 +2,15 @@
FROM python:3
WORKDIR /savage-aim
-COPY . .
+# Copy and install requirements
+COPY requirements.txt .
+RUN pip3 install -r requirements.txt
+RUN pip3 install daphne
+
-# Install requirements and move live files to the correct spot
-RUN pip3 install -r requirements.txt && \
- pip3 install daphne && \
- mv backend/urls_live.py backend/urls.py && \
+# Copy rest of files, and set up proper live file links
+COPY . .
+RUN mv backend/urls_live.py backend/urls.py && \
mv backend/settings_live.py backend/settings.py
# Set the gunicorn to run the wsgi file
diff --git a/backend/requirements.txt b/backend/requirements.txt
index f0e30ea7..51923b60 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -20,7 +20,7 @@ click-repl==0.2.0
constantly==15.1.0
coreapi==2.3.3
coreschema==0.0.4
-cryptography==40.0.2
+cryptography==41.0.1
daphne==3.0.2
defusedxml==0.7.1
Deprecated==1.2.13
@@ -47,13 +47,13 @@ pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.21
PyJWT==2.4.0
-pyOpenSSL==23.1.1
+pyOpenSSL==23.2.0
pyparsing==3.0.6
python3-openid==3.2.0
pytz==2021.3
PyYAML==5.4
redis==4.5.5
-requests==2.26.0
+requests==2.31.0
requests-oauthlib==1.3.0
sentry-sdk==1.22.2
service-identity==21.1.0
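Review bot: The new `RUN pip3 install gunicorn` installs a floating, unpinned version while every entry in `requirements.txt` is pinned exactly, so the production WSGI server is the one dependency that now resolves to whatever PyPI serves at build time, with no version check — which undercuts the "requirements for security" intent of this same commit. Pin it alongside the others: add `gunicorn==<version you tested>` to `requirements.txt` and delete the extra RUN, or at minimum `RUN pip3 install --no-cache-dir gunicorn==<version you tested>`. Splitting the requirements install into its own cached layer is a good change; consider `--no-cache-dir` on that line too so the pip wheel cache is not baked into the image. Pre-existing but worth a follow-up: `FROM python:3` is an unpinned major tag and there is no `USER` directive, so the app runs as root.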
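Review bot: The new `RUN pip3 install daphne` line is both unpinned and redundant — `requirements.txt` in this same commit pins `daphne==3.0.2` and is installed on the line immediately above, so the only effect this second install can have is to replace the pinned ASGI server with the latest release, silently upgrading past what was tested. Delete the line; if a separate install step is wanted for clarity, make it `RUN pip3 install daphne==3.0.2` so it is a no-op against the pin. As in the sibling Dockerfile, `--no-cache-dir` on the requirements install keeps the wheel cache out of the layer.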
diff --git a/frontend/.env b/frontend/.env
index 4c5931f1..63359cee 100644
--- a/frontend/.env
+++ b/frontend/.env
@@ -1 +1 @@
-VUE_APP_VERSION="20230601"
+VUE_APP_VERSION="20230701"
diff --git a/frontend/src/components/modals/changelog.vue b/frontend/src/components/modals/changelog.vue
index 6a4ee9b3..ce101de6 100644
--- a/frontend/src/components/modals/changelog.vue
+++ b/frontend/src/components/modals/changelog.vue
@@ -13,14 +13,8 @@

{{ version }}

-
expand_more Minor Updates expand_more
-

Item Level filtering in BIS pages now uses a slider instead of two large dropdowns.

-

The dropdowns had 21 entries in them as of 6.4's release, so it felt like it was a good time to move it to something more manageable.

-

If there are any alternative suggestions, please consider leaving them in the Discord!

-
expand_more Fixes expand_more
-

Set the default Item Level filters on BIS pages to be the item level range for Anabaseios.

-

Fixed issue where error messages were not correctly appearing on the New Proxy Character page.

+

Fixed a HTTP 500 Server Error that could occur during login.

diff --git a/frontend/src/main.ts b/frontend/src/main.ts
index 6bcf37b1..13992b2d 100644
--- a/frontend/src/main.ts
+++ b/frontend/src/main.ts
@@ -27,7 +27,7 @@ Sentry.init({
Vue,
dsn: 'https://06f41b525a40497a848fb726f6d03244@o242258.ingest.sentry.io/6180221',
logErrors: true,
- release: 'savageaim@20230601',
+ release: 'savageaim@20230701',
})
new Vue({
diff --git a/frontend/src/views/auth.vue b/frontend/src/views/auth.vue
index 84f820cf..347e2ec4 100644
--- a/frontend/src/views/auth.vue
+++ b/frontend/src/views/auth.vue
@@ -1,8 +1,17 @@