Tweak design and try to prevent CSRF issues

2022-07-08 09:01:25 +02:00 · 2022-07-08 09:01:25 +02:00 · 68c13b275d
commit 68c13b275d
parent 7bb417759e
4 changed files with 32 additions and 1 deletions
--- a/app/main.py
+++ b/app/main.py
@ -122,6 +122,17 @@ async def add_security_headers(request: Request, call_next):
    response.headers["x-content-type-options"] = "nosniff"
    response.headers["x-xss-protection"] = "1; mode=block"
    response.headers["x-frame-options"] = "SAMEORIGIN"
+    if request.url.path.startswith("/admin/login") or (
+        is_current_user_admin(request)
+        and not (
+            request.url.path.startswith("/attachments")
+            or request.url.path.startswith("/proxy")
+            or request.url.path.startswith("/static")
+        )
+    ):
+        # Prevent caching (to prevent caching CSRF tokens)
+        response.headers["Cache-Control"] = "private"
+
    # TODO(ts): disallow inline CSS?
    if DEBUG:
        return response
--- a/app/templates/utils.html
+++ b/app/templates/utils.html
@ -165,6 +165,7 @@
            {% if metadata.is_following %}
                <li>already following</li>
                <li>{{ admin_undo_button(metadata.outbox_follow_ap_id, "unfollow")}}</li>
+                <li>{{ admin_profile_button(actor.ap_id) }}</li>
            {% elif metadata.is_follow_request_sent %}
                <li>follow request sent</li>
            {% else %}
@ -172,6 +173,9 @@
            {% endif %}
            {% if metadata.is_follower %}
                <li>follows you</li>
+                {% if not metadata.is_following %}
+                <li>{{ admin_profile_button(actor.ap_id) }}</li>
+                {% endif %}
            {% endif %}
        </li>
    </ul>