2
0
mirror of https://github.com/offen/website.git synced 2024-12-23 05:20:21 +01:00

Merge pull request #78 from offen/protect-optout

Add signed authentication mechanism to secure optout cookie exchange
This commit is contained in:
Frederik Ring 2019-08-01 12:12:55 +02:00 committed by GitHub
commit 57af647dbc
4 changed files with 24 additions and 5 deletions

View File

@ -3,13 +3,12 @@ version: 2
production_env: &production_env
environment:
- SERVER_HOST=https://server-alpha.offen.dev
- OPT_OUT_PIXEL_LOCATION=https://server-alpha.offen.dev/opt-out
- OPT_IN_PIXEL_LOCATION=https://server-alpha.offen.dev/opt-in
- KMS_HOST=https://kms-alpha.offen.dev
- SCRIPT_HOST=https://script-alpha.offen.dev
- AUDITORIUM_HOST=https://auditorium-alpha.offen.dev
- VAULT_HOST=https://vault-alpha.offen.dev
- ACCOUNTS_HOST=https://accounts-alpha.offen.dev
- HOMEPAGE_HOST=https://www.offen.dev
- NODE_ENV=production
deploy_preconditions: &deploy_preconditions

View File

@ -83,6 +83,9 @@ def post_login():
@json_error
def get_login():
auth_cookie = request.cookies.get(COOKIE_KEY)
if not auth_cookie:
return jsonify({"error": "no auth cookie in request", "status": 401}), 401
public_keys = app.config["JWT_PUBLIC_KEYS"]
token = None

View File

@ -47,6 +47,7 @@ services:
PORT: 8080
JWT_PUBLIC_KEY: http://accounts:5000/api/key
DEVELOPMENT: '1'
COOKIE_EXCHANGE_SECRET: Wsttdo4Z3mXV5sTc
ports:
- 8080:8080
command: refresh run
@ -72,6 +73,7 @@ services:
- SCRIPT_HOST=http://localhost:9977
- AUDITORIUM_HOST=http://localhost:9955
- ACCOUNTS_HOST=http://localhost:5000
- HOMEPAGE_HOST=http://localhost:8000
script:
build:
@ -100,8 +102,6 @@ services:
- 9955:9955
environment:
- VAULT_HOST=http://localhost:9977
- OPT_OUT_PIXEL_LOCATION=http://localhost:8080/opt-out
- OPT_IN_PIXEL_LOCATION=http://localhost:8080/opt-in
accounts:
build:

View File

@ -8,4 +8,21 @@ This will prevent __offen__ from aggregating the actions you have taken on parti
Operators now cannot draw any conclusions from your actions via __offen__. At the same time, however, they *cannot create a better experience* for you and other users.
<img style="-webkit-user-select: none; display:none;" src="https://server-alpha.offen.dev/opt-out">
<script>
var vault = document.createElement('iframe')
vault.style.display = 'none'
vault.setAttribute('width', '0')
vault.setAttribute('height', '0')
vault.setAttribute('frameBorder', '0')
vault.setAttribute('scrolling', 'no')
vault.addEventListener('load', function (e) {
vault.contentWindow.postMessage({
type: 'OPTOUT',
payload: {
status: true
}
}, '*')
})
vault.src = 'https://vault-alpha.offen.dev'
document.body.append(vault)
</script>