offen/website
2
0
Fork 0
mirror of https://github.com/offen/website.git synced 2024-11-22 17:10:29 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #78 from offen/protect-optout

Browse Source 
Add signed authentication mechanism to secure optout cookie exchange
This commit is contained in:
Frederik Ring 2019-08-01 12:12:55 +02:00 committed by GitHub
commit 57af647dbc
4 changed files with 24 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.circleci/config.yml
View File

@ -3,13 +3,12 @@ version: 2
production_env: &production_env production_env: &production_env
environment: environment:
- SERVER_HOST=https://server-alpha.offen.dev - SERVER_HOST=https://server-alpha.offen.dev
- OPT_OUT_PIXEL_LOCATION=https://server-alpha.offen.dev/opt-out
- OPT_IN_PIXEL_LOCATION=https://server-alpha.offen.dev/opt-in
- KMS_HOST=https://kms-alpha.offen.dev - KMS_HOST=https://kms-alpha.offen.dev
- SCRIPT_HOST=https://script-alpha.offen.dev - SCRIPT_HOST=https://script-alpha.offen.dev
- AUDITORIUM_HOST=https://auditorium-alpha.offen.dev - AUDITORIUM_HOST=https://auditorium-alpha.offen.dev
- VAULT_HOST=https://vault-alpha.offen.dev - VAULT_HOST=https://vault-alpha.offen.dev
- ACCOUNTS_HOST=https://accounts-alpha.offen.dev - ACCOUNTS_HOST=https://accounts-alpha.offen.dev
- HOMEPAGE_HOST=https://www.offen.dev
- NODE_ENV=production - NODE_ENV=production
deploy_preconditions: &deploy_preconditions deploy_preconditions: &deploy_preconditions

3
accounts/accounts/api.py
View File

@ -83,6 +83,9 @@ def post_login():
@json_error @json_error
def get_login(): def get_login():
auth_cookie = request.cookies.get(COOKIE_KEY) auth_cookie = request.cookies.get(COOKIE_KEY)
if not auth_cookie:
return jsonify({"error": "no auth cookie in request", "status": 401}), 401
public_keys = app.config["JWT_PUBLIC_KEYS"] public_keys = app.config["JWT_PUBLIC_KEYS"]
token = None token = None

4
docker-compose.yml
View File

@ -47,6 +47,7 @@ services:
PORT: 8080 PORT: 8080
JWT_PUBLIC_KEY: http://accounts:5000/api/key JWT_PUBLIC_KEY: http://accounts:5000/api/key
DEVELOPMENT: '1' DEVELOPMENT: '1'
COOKIE_EXCHANGE_SECRET: Wsttdo4Z3mXV5sTc
ports: ports:
- 8080:8080 - 8080:8080
command: refresh run command: refresh run
@ -72,6 +73,7 @@ services:
- SCRIPT_HOST=http://localhost:9977 - SCRIPT_HOST=http://localhost:9977
- AUDITORIUM_HOST=http://localhost:9955 - AUDITORIUM_HOST=http://localhost:9955
- ACCOUNTS_HOST=http://localhost:5000 - ACCOUNTS_HOST=http://localhost:5000
- HOMEPAGE_HOST=http://localhost:8000
script: script:
build: build:
@ -100,8 +102,6 @@ services:
- 9955:9955 - 9955:9955
environment: environment:
- VAULT_HOST=http://localhost:9977 - VAULT_HOST=http://localhost:9977
- OPT_OUT_PIXEL_LOCATION=http://localhost:8080/opt-out
- OPT_IN_PIXEL_LOCATION=http://localhost:8080/opt-in
accounts: accounts:
build: build:

19
homepage/content/pages/opt-out.md
View File

@ -8,4 +8,21 @@ This will prevent __offen__ from aggregating the actions you have taken on parti
Operators now cannot draw any conclusions from your actions via __offen__. At the same time, however, they *cannot create a better experience* for you and other users. Operators now cannot draw any conclusions from your actions via __offen__. At the same time, however, they *cannot create a better experience* for you and other users.
<img style="-webkit-user-select: none; display:none;" src="https://server-alpha.offen.dev/opt-out"> <script>
var vault = document.createElement('iframe')
vault.style.display = 'none'
vault.setAttribute('width', '0')
vault.setAttribute('height', '0')
vault.setAttribute('frameBorder', '0')
vault.setAttribute('scrolling', 'no')
vault.addEventListener('load', function (e) {
vault.contentWindow.postMessage({
type: 'OPTOUT',
payload: {
status: true
}
}, '*')
})
vault.src = 'https://vault-alpha.offen.dev'
document.body.append(vault)
</script>