1. 01 Jul, 2021 1 commit
  2. 30 Jun, 2021 1 commit
  3. 26 Jun, 2021 4 commits
      aurweb.asgi: patch invalid f-string · 04ab9890
      Kevin Morris authored
      Signed-off-by: Kevin Morris <kevr@0cost.org>
      add aurweb.asgi.id_redirect_middleware · dc4cc9b6
      Kevin Morris authored
      A new middleware which redirects requests going to '/route?id=some_id'
      to '/route/some_id'. In the FastAPI application, we'll prefer using
      restful layouts where possible where resource-based ids are
      parameters of the request uri: '/route/{resource_id}'.
      Signed-off-by: Kevin Morris <kevr@0cost.org>
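The redirect described in this commit, as an added example that is not aurweb's own code: a framework-free ASGI middleware that turns 'GET /route?id=N' into a redirect to '/route/N'. The route set, the 307 status and the strict decimal-only id check are this example's assumptions; the check matters because a free-form id such as '../admin' or '//evil.example' would otherwise reshape the redirect target.

```python
import asyncio
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Routes that still accept '/route?id=<id>' and have a RESTful
# '/route/{id}' form. Hypothetical set for this example.
ID_REDIRECT_ROUTES = frozenset({"/account", "/packages", "/tu"})

# Only a plain decimal id is accepted after URL decoding; anything else
# (path segments, scheme-relative hosts, blanks) gets no redirect.
_ID_RE = re.compile(r"[0-9]{1,18}")


def id_redirect_target(url: str) -> Optional[str]:
    """Return the '/route/<id>' URL a request for '/route?id=<id>' should be
    redirected to, or None when no redirect applies.

    The 'id' key is dropped; every other query parameter is carried over.
    """
    parts = urlsplit(url)
    if parts.path not in ID_REDIRECT_ROUTES:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    ids = qs.pop("id", None)
    if not ids or len(ids) != 1 or not _ID_RE.fullmatch(ids[0]):
        return None
    new_path = f"{parts.path}/{ids[0]}"
    return urlunsplit(("", "", new_path, urlencode(qs, doseq=True), ""))


def id_redirect_middleware(app):
    """Wrap an ASGI app; answer matching GETs with a redirect, else pass through."""
    async def wrapped(scope, receive, send):
        if scope["type"] == "http" and scope["method"] == "GET":
            query = scope.get("query_string", b"").decode()
            url = scope["path"] + ("?" + query if query else "")
            target = id_redirect_target(url)
            if target is not None:
                await send({"type": "http.response.start", "status": 307,
                            "headers": [(b"location", target.encode())]})
                await send({"type": "http.response.body", "body": b""})
                return
        await app(scope, receive, send)
    return wrapped


async def fallback_app(scope, receive, send):
    """Stand-in for the real application: answers 200 to anything."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def simulate_get(app, path: str, query: str = ""):
    """Drive an ASGI app with one GET; return (status, headers). Demo helper."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "GET", "path": path,
             "query_string": query.encode()}
    asyncio.run(app(scope, receive, send))
    start = sent[0]
    return start["status"], {k.decode(): v.decode() for k, v in start["headers"]}


app = id_redirect_middleware(fallback_app)
```

Run with simulate_get(app, "/packages", "id=42") to see the 307 with Location /packages/42; a request whose id fails the pattern falls through to the wrapped app untouched.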
      add /tu/ (get) index · d674aaf7
      Kevin Morris authored
      This commit implements the '/tu' Trusted User index page.
      In addition to this functionality, this commit introduces
      the following jinja2 filters:
      - dt: util.timestamp_to_datetime
      - as_timezone: util.as_timezone
      - dedupe_qs: util.dedupe_qs
      - urlencode: urllib.parse.quote_plus
      There's also a new decorator that can be used to enforce
      permissions: `account_type_required`. If a user does not
      meet account type requirements, they are redirected to '/'.
      @account_type_required({"Trusted User"})
      async def some_route(request: fastapi.Request):
          return Response("You are a Trusted User!")
      Routes added:
      - `GET /tu`: aurweb.routers.trusted_user.trusted_user
      Signed-off-by: Kevin Morris <kevr@0cost.org>
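The `account_type_required` decorator from this commit, as an added example that is not aurweb's own code. The User, Request and Response stand-ins, the 303 redirect status and the extra refusal of unauthenticated requests are this example's assumptions; the allowed set is frozen at decoration time so a caller cannot widen access later by mutating the set it passed in.

```python
import asyncio
import functools
from dataclasses import dataclass, field
from typing import Awaitable, Callable, Dict, Set

# Minimal stand-ins for what the decorator would see on a FastAPI request.
# Hypothetical shapes for this example.
@dataclass
class User:
    username: str
    account_type: str
    authenticated: bool = True


@dataclass
class Request:
    user: User


@dataclass
class Response:
    status_code: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


def redirect(url: str) -> Response:
    # 303 so a POST to a protected route is not replayed against '/'.
    return Response(303, headers={"Location": url})


def account_type_required(allowed: Set[str], redirect_to: str = "/"):
    """Redirect any caller whose account type is not in `allowed`.

    Unauthenticated requests are refused before the type check so an
    AnonymousUser can never satisfy it by accident.
    """
    allowed = frozenset(allowed)

    def decorator(route: Callable[..., Awaitable[Response]]):
        @functools.wraps(route)
        async def wrapper(request: Request, *args, **kwargs) -> Response:
            user = request.user
            if not user.authenticated or user.account_type not in allowed:
                return redirect(redirect_to)
            return await route(request, *args, **kwargs)
        return wrapper
    return decorator


@account_type_required({"Trusted User"})
async def tu_index(request: Request) -> Response:
    return Response(200, "You are a Trusted User!")


def call(route, request: Request) -> Response:
    """Run an async route synchronously (demo/test helper)."""
    return asyncio.run(route(request))
```

A Trusted User gets the 200 body; a plain user, or an unauthenticated one, gets the 303 to '/'.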
      [FastAPI] add /tos routes (get, post) · adb42882
      Kevin Morris authored
      This clones the end goal behavior of PHP, but it does not
      concern itself with the revision form array at all.
      Since this page on PHP renders out the entire list of
      terms that a user needs to accept, we can treat a
      POST request with the "accept" checkbox enabled as a
      request to accept all unaccepted (or outdated revision)
      This commit also adds in a new http middleware used to
      redirect authenticated users to '/tos' if they have not
      yet accepted all terms.
      Signed-off-by: Kevin Morris <kevr@0cost.org>
      add logging.config.fileConfig · 55c0637b
      Kevin Morris authored
      This resolves logging issues with alembic on aurweb.initdb
      in addition to adding more logging utilities for aurweb
      and tests in general.
      Developers should fetch a logger for their specific module
      via `logging.getLogger(__name__)`.
      Signed-off-by: Kevin Morris <kevr@0cost.org>
  5. 23 Jun, 2021 1 commit
      aurweb.asgi: add security headers middleware · 865c4145
      Kevin Morris authored
      This commit introduces a middleware function which adds
      the following security headers to each response:
      - Content-Security-Policy
          - This includes a new `nonce`, which is tied to a user
            via authentication middleware. Both an anonymous user
            and an authenticated user receive their own random nonces.
      - X-Content-Type-Options
      - Referrer-Policy
      - X-Frame-Options
      They are then tested for existence in test/test_routes.py.
      Note: The overcomplicated-looking asyncio behavior in the
      middleware function is used to avoid a warning about the old
      coroutine awaits being deprecated. See
      for more detail.
      Signed-off-by: Kevin Morris <kevr@0cost.org>
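The header set from this commit, as an added example that is not aurweb's own code. The directive values, the nonce length and the decision to leave a header alone when the route already set it are this example's choices; the nonce comes from the OS CSPRNG via `secrets`, and this example mints one per response, which is what the CSP specification asks for. The small `parse_csp` helper is there so a test can check the policy rather than string-match it.

```python
import html
import secrets
from typing import Dict, List


def new_nonce() -> str:
    """128 random bits, base64url; a CSP nonce must be unguessable."""
    return secrets.token_urlsafe(16)


def security_headers(nonce: str) -> Dict[str, str]:
    """The four headers named in the commit; values are this example's."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "same-origin",
        "X-Frame-Options": "DENY",
    }


def add_security_headers(headers: Dict[str, str], nonce: str) -> Dict[str, str]:
    """Middleware body: add each header unless the route already set it.

    Header names compare case-insensitively, as HTTP requires.
    """
    present = {name.lower() for name in headers}
    out = dict(headers)
    for name, value in security_headers(nonce).items():
        if name.lower() not in present:
            out[name] = value
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_tag(nonce: str, src: str) -> str:
    """What a template must emit for a script the policy should allow."""
    return f'<script nonce="{nonce}" src="{html.escape(src, quote=True)}"></script>'
```

With the policy above an inline script without the nonce attribute is blocked, and a test can assert the nonce really is in script-src instead of trusting the header text.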
  6. 06 Jun, 2021 7 commits
      bugfix: relax `next` verification · 822905be
      Kevin Morris authored
      AUR renders its own 404 Not Found page when a bad route
      is encountered. Introducing the previous verification
      caused an error in this case when setting a language
      while viewing the Not Found page. So, instead of checking
      through routes, just make sure that the next parameter
      starts with a '/' character, which removes the possibility
      of any cross attacks.
      + Removed aurweb.asgi.routes; no longer needed.
      Signed-off-by: Kevin Morris <kevr@0cost.org>
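A `next` check in the spirit of this commit, as an added example that is not aurweb's own code. It keeps the commit's property that an unknown route such as the 404 page is still an acceptable target, and adds the cases a leading-slash test alone does not cover: '//host' and '/\host' are scheme-relative URLs that browsers send to another origin, and CR/LF in the value would let a Location header be split. The default target '/' and the helper name are this example's assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit


def safe_next(value: Optional[str], default: str = "/") -> str:
    """Return `value` if it is a same-origin absolute path, else `default`.

    Accepts '/path', '/path?x=1' and '/path#frag' for any path, including
    ones that will 404. Rejects empty values, control characters, anything
    not starting with exactly one '/', and anything urlsplit sees as
    carrying a scheme or host.
    """
    if not value:
        return default
    if any(ord(ch) < 0x20 or ch == " " for ch in value):
        return default
    # Browsers treat a backslash like a slash here, so normalise first.
    norm = value.replace("\\", "/")
    if not norm.startswith("/") or norm.startswith("//"):
        return default
    parts = urlsplit(norm)
    if parts.scheme or parts.netloc:
        return default
    return value
```

Use the result as the redirect target for POST /language and similar "go back" flows; anything that fails the check lands on '/'.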
      add passreset routes · a33d076d
      Kevin Morris authored
      Introduced `get|post` `/passreset` routes. These routes mimic the
      behavior of the existing PHP implementation, with the exception of
      HTTP status code returns.
      Routes added:
          GET /passreset
          POST /passreset
      Routers added:
      * On an unknown user or mismatched resetkey (where resetkey must ==
        user.resetkey), return HTTP status NOT_FOUND (404).
      * On another error in the request, return HTTP status BAD_REQUEST (400).
      Both `get|post` routes require that the current user is **not**
      authenticated, hence `@auth_required(False, redirect="/")`.
      + Added auth_required decorator to aurweb.auth.
      + Added some more utility to aurweb.models.user.User.
      + Added `partials/error.html` template.
      + Added `passreset.html` template.
      + Added aurweb.db.ConnectionExecutor functor for paramstyle logic.
        Decoupling the executor logic from the database connection logic
        is needed for us to easily use the same logic with a fastapi
        database session, when we need to use aurweb.scripts modules.
      At this point, notification configuration is now required to complete
      tests involved with notifications properly, like passreset.
      `conf/config.dev` has been modified to include [notifications] sendmail,
      sender and reply-to overrides. Dockerfile and .gitlab-ci.yml have been
      updated to setup /etc/hosts and start postfix before running tests.
      * setup.cfg: ignore E741, C901 in aurweb.routers.accounts
      These two warnings (shown in the commit) are not dangerous and a by-product
      of maintaining compatibility with our current code flow.
      Signed-off-by: Kevin Morris <kevr@0cost.org>
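The resetkey handling behind the status codes this commit describes, as an added example that is not aurweb's own code: a key minted from the OS CSPRNG, compared with a constant-time function, consumed on first use, and the same 404 for "no such user" and "wrong key" so the response does not confirm which accounts exist. The in-memory user table, key length and 200 for success are this example's assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

RESETKEY_BYTES = 32  # this example's choice; the key is hex, so 64 chars


@dataclass
class User:
    username: str
    resetkey: Optional[str] = None


# Constructed stand-in for the users table.
USERS: Dict[str, User] = {}


def issue_resetkey(username: str) -> Optional[str]:
    """Create and store a fresh key for a known user; None for an unknown one."""
    user = USERS.get(username)
    if user is None:
        return None
    user.resetkey = secrets.token_hex(RESETKEY_BYTES)
    return user.resetkey


def passreset_status(username: Optional[str], resetkey: Optional[str]) -> int:
    """HTTP status for a POST /passreset: 400 malformed, 404 unknown user or
    mismatched key, 200 when the key matched (and is then invalidated)."""
    if not username or not resetkey:
        return 400
    user = USERS.get(username)
    # Always run the comparison, against a dummy of the real length when
    # there is nothing stored, so timing does not reveal whether the
    # account exists or has a pending reset.
    stored = user.resetkey if user and user.resetkey else "0" * (2 * RESETKEY_BYTES)
    matched = hmac.compare_digest(stored.encode(), resetkey.encode())
    if user is None or user.resetkey is None or not matched:
        return 404
    user.resetkey = None  # single use
    return 200
```

The second POST with the same key returns 404 because the key was cleared on the first successful use.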
      implement login + logout routes and templates · 5d4a5ded
      Kevin Morris authored
      + Added route: GET `/login` via `aurweb.routers.auth.login_get`
      + Added route: POST `/login` via `aurweb.routers.auth.login_post`
      + Added route: GET `/logout` via `aurweb.routers.auth.logout`
      + Added route: POST `/logout` via `aurweb.routers.auth.logout_post`
      * Modify archdev-navbar.html template to toggle displays on auth state
      + Added login.html template
      Signed-off-by: Kevin Morris <kevr@0cost.org>
      add aurweb.auth and authentication to User · 56f27982
      Kevin Morris authored
      + Added aurweb.auth.AnonymousUser
          * An instance of this model is returned as the request user
            when the request is not authenticated
      + Added aurweb.auth.BasicAuthBackend
      + Add starlette's AuthenticationMiddleware to app middleware,
        which uses our BasicAuthBackend facility
      + Added User.is_authenticated()
      + Added User.authenticate(password)
      + Added User.login(request, password)
      + Added User.logout(request)
      + Added repr(User(...)) representation
      + Added aurweb.auth.auth_required decorator.
      This change uses the same AURSID logic in the PHP implementation.
      Additionally, introduce a few helpers for authentication,
      one of which being `User.update_password(password, rounds = 12)`
      where `rounds` is a configurable number of salt rounds.
      Signed-off-by: Kevin Morris <kevr@0cost.org>
      Adding error 503 catcher · f6744d3e
      Marcus Andersson authored and Kevin Morris committed
      add aurweb.db.session · 4238a9fc
      Kevin Morris authored
      + Added Session class and global session object to aurweb.db,
        these are sessions created by sqlalchemy ORM's sessionmaker
        and will allow us to use declarative/imperative models.
      Signed-off-by: Kevin Morris <kevr@0cost.org>
      port over base HTML layout from PHP to FastAPI+Jinja2 · 2df90ce2
      Kevin Morris authored
      + Mounted static files (at web/html) to /static.
      + Added AURWEB_VERSION to aurweb.config (this is used around HTML
        to refer back to aurweb's release on git.archlinux.org), so we
        need it easily accessible in the Python codebase.
      + Implemented basic Jinja2 partials to put together whole aurweb
        pages. This may be missing some things currently and is a WIP
        until this set is ready to be merged.
      + Added config [options] aurwebdir = YOUR_AUR_ROOT; this configuration
        option should specify the root directory of the aurweb project.
        It is used by various parts of the FastAPI codebase to target
        project directories.
      Added routes via aurweb.routers.html:
          * POST /language: Set your session language.
          * GET /favicon.ico: Redirect to /static/images/favicon.ico.
              * Some browsers always look for $ROOT/favicon.ico to get an icon
                for the page being loaded, regardless of a specified "shortcut
                icon" given in a <link> directive.
          * GET /: Home page; WIP.
      * Updated aurweb.routers.html.language to pass query parameters to
        its next redirection.
      When calling aurweb.templates.render_template, the context passed should
      be formed via the aurweb.templates.make_context. See
      aurweb.routers.html.index for an example of this.
      Signed-off-by: Kevin Morris <kevr@0cost.org>
  7. 20 Feb, 2021 4 commits