From f1b601008a3a343c0c0412a1d3471c30454c0170 Mon Sep 17 00:00:00 2001
From: Frederik Ring
Date: Tue, 30 Jul 2019 12:21:33 +0200
Subject: [PATCH 1/3] add signed authentication mechanism to secure optout cookie exchange
---
.circleci/config.yml | 2 --
docker-compose.yml | 3 +--
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 81e8f98..1ece902 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -3,8 +3,6 @@ version: 2
 production_env: &production_env
 environment:
 - SERVER_HOST=https://server-alpha.offen.dev
- - OPT_OUT_PIXEL_LOCATION=https://server-alpha.offen.dev/opt-out
- - OPT_IN_PIXEL_LOCATION=https://server-alpha.offen.dev/opt-in
 - KMS_HOST=https://kms-alpha.offen.dev
 - SCRIPT_HOST=https://script-alpha.offen.dev
 - AUDITORIUM_HOST=https://auditorium-alpha.offen.dev
diff --git a/docker-compose.yml b/docker-compose.yml
index b541138..229795d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -47,6 +47,7 @@ services:
 PORT: 8080
 JWT_PUBLIC_KEY: http://accounts:5000/api/key
 DEVELOPMENT: '1'
+ COOKIE_EXCHANGE_SECRET: Wsttdo4Z3mXV5sTc
 ports:
 - 8080:8080
 command: refresh run
@@ -100,8 +101,6 @@ services:
 - 9955:9955
 environment:
 - VAULT_HOST=http://localhost:9977
- - OPT_OUT_PIXEL_LOCATION=http://localhost:8080/opt-out
- - OPT_IN_PIXEL_LOCATION=http://localhost:8080/opt-in
 accounts:
 build:
From a0c7b3582dab8c82f7ee1722f2e8662634c33281 Mon Sep 17 00:00:00 2001
From: Frederik Ring
Date: Thu, 1 Aug 2019 11:01:19 +0200
Subject: [PATCH 2/3] use iframed opt out in homepage too
---
.circleci/config.yml | 1 +
docker-compose.yml | 1 +
homepage/content/pages/opt-out.md | 19 ++++++++++++++++++-
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1ece902..1a7c841 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
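Review bot: The `COOKIE_EXCHANGE_SECRET: Wsttdo4Z3mXV5sTc` line added in the docker-compose.yml hunk at line 47 commits a literal signing secret to version control; the neighbouring `DEVELOPMENT: '1'` suggests this is the development stack, but nothing on the line says so, and a value sitting next to the real `JWT_PUBLIC_KEY` wiring tends to get copied into other environments. Prefer taking it from the Compose environment, `COOKIE_EXCHANGE_SECRET: "${COOKIE_EXCHANGE_SECRET:?set in .env}"`, so a missing value fails loudly, or at minimum precede the line with `# development-only value, never reuse outside docker-compose` and confirm that the production environment in .circleci/config.yml (which this patch only removes entries from) gets its own value from the CI secret store. Only this one service receives the secret in the hunk; if the exchange is verified on the accounts or vault side, that counterpart presumably needs the same value, which the patch does not show, so that is worth confirming.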
@@ -8,6 +8,7 @@ production_env: &production_env
 - AUDITORIUM_HOST=https://auditorium-alpha.offen.dev
 - VAULT_HOST=https://vault-alpha.offen.dev
 - ACCOUNTS_HOST=https://accounts-alpha.offen.dev
+ - HOMEPAGE_HOST=https://www.offen.dev
 - NODE_ENV=production
 deploy_preconditions: &deploy_preconditions
diff --git a/docker-compose.yml b/docker-compose.yml
index 229795d..339581d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -73,6 +73,7 @@ services:
 - SCRIPT_HOST=http://localhost:9977
 - AUDITORIUM_HOST=http://localhost:9955
 - ACCOUNTS_HOST=http://localhost:5000
+ - HOMEPAGE_HOST=http://localhost:8000
 script:
 build:
diff --git a/homepage/content/pages/opt-out.md b/homepage/content/pages/opt-out.md
index 2452c2d..9f40621 100644
--- a/homepage/content/pages/opt-out.md
+++ b/homepage/content/pages/opt-out.md
@@ -8,4 +8,21 @@ This will prevent __offen__ from aggregating the actions you have taken on parti
 Operators now cannot draw any conclusions from your actions via __offen__. At the same time, however, they *cannot create a better experience* for you and other users.
-
+
From 35bc38608739891d7695bf1cb2490a5189888304 Mon Sep 17 00:00:00 2001
From: Frederik Ring
Date: Thu, 1 Aug 2019 11:59:27 +0200
Subject: [PATCH 3/3] clean up response handling in vault
---
accounts/accounts/api.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/accounts/accounts/api.py b/accounts/accounts/api.py
index 8fba6ae..aad2ab4 100644
--- a/accounts/accounts/api.py
+++ b/accounts/accounts/api.py
@@ -83,6 +83,9 @@ def post_login():
 @json_error
 def get_login():
 auth_cookie = request.cookies.get(COOKIE_KEY)
+ if not auth_cookie:
+ return jsonify({"error": "no auth cookie in request", "status": 401}), 401
+
 public_keys = app.config["JWT_PUBLIC_KEYS"]
 token = None
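Review bot: The added `if not auth_cookie:` guard in the accounts/accounts/api.py hunk hand-builds its error with `return jsonify({"error": "no auth cookie in request", "status": 401}), 401` even though the function sits under `@json_error`; if that decorator already renders raised errors into this JSON shape (not visible here), raising through it would keep the response format defined in one place instead of repeating the status code in both the body and the HTTP status. The falsy check itself is the right shape: an empty cookie value is rejected the same way as a missing one, so the token handling below never sees an empty string. `get_login` continues outside the hunk and carries no docstring; a one-liner under the `def` such as `"""Reject the request with 401 when the auth cookie is absent or empty, otherwise continue validation."""` would make the new early return's intent clear to the next reader.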