mirror of
https://github.com/DRYTRIX/TimeTracker.git
synced 2026-01-10 13:40:11 -06:00
Implement comprehensive CSRF token management with cookie-based double-submit pattern to improve security and SPA compatibility.

Changes:

- Add CSRF cookie configuration in app/config.py
  * WTF_CSRF_SSL_STRICT for strict SSL validation in production
  * CSRF_COOKIE_NAME (default: XSRF-TOKEN) for framework compatibility
  * CSRF_COOKIE_SECURE inherits from SESSION_COOKIE_SECURE by default
  * CSRF_COOKIE_HTTPONLY, CSRF_COOKIE_SAMESITE, and CSRF_COOKIE_DOMAIN settings

- Implement CSRF cookie handler in app/__init__.py
  * Set CSRF token in cookie after each request
  * Configure cookie with secure flags based on environment settings
  * Support for double-submit pattern and SPA frameworks

- Add client-side CSRF token management in base.html
  * JavaScript utilities for token retrieval and validation
  * Cookie synchronization for frameworks that read XSRF-TOKEN
  * Auto-refresh mechanism for stale tokens (>15 minutes)
  * Pre-submit token validation and refresh
  * User notification for missing cookies/tokens

- Clean up docker-compose.yml environment variables
  * Remove redundant SECRET_KEY, WTF_CSRF_*, and cookie security settings
  * These are now managed through .env files and config.py

This enhancement provides better CSRF protection while maintaining compatibility with modern JavaScript frameworks and SPA architectures.
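The client-side half of the double-submit flow the commit describes, as an added example that is not the project's own base.html code: it reads the XSRF-TOKEN cookie, refreshes a token that is missing or older than 15 minutes, and attaches it as a request header before a state-changing request. It assumes the cookie is set without HttpOnly (otherwise script cannot read it), that the server accepts the token in Flask-WTF's default X-CSRFToken header, and that `refresh` is a caller-supplied function (hypothetical) that makes the server reissue the cookie.

```javascript
const CSRF_COOKIE_NAME = "XSRF-TOKEN";   // default cookie name from the commit
const CSRF_HEADER_NAME = "X-CSRFToken";  // Flask-WTF's default CSRF request header
const MAX_TOKEN_AGE_MS = 15 * 60 * 1000; // refresh tokens older than 15 minutes

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    jar[name] = decodeURIComponent(part.slice(eq + 1).trim()); // tokens are URL-safe
  }
  return jar;
}

// Token from the cookie jar, or null when absent. The cookie must not be
// HttpOnly (CSRF_COOKIE_HTTPONLY off), or script cannot read it at all.
function getCsrfToken(cookieString) {
  return parseCookies(cookieString)[CSRF_COOKIE_NAME] ?? null;
}

class CsrfTokenManager {
  // readCookies: () => document.cookie; refresh: hypothetical async call that makes
  // the server reissue the cookie; now: clock in ms, injectable for testing.
  constructor(readCookies, refresh, now = () => Date.now()) {
    this.readCookies = readCookies;
    this.refresh = refresh;
    this.now = now;
    this.obtainedAt = null; // when the current token was first seen
  }
  // Return a token, refreshing first if the cookie is missing or stale.
  async getValidToken() {
    let token = getCsrfToken(this.readCookies());
    if (token !== null && this.obtainedAt === null) this.obtainedAt = this.now();
    const stale = this.obtainedAt !== null && this.now() - this.obtainedAt > MAX_TOKEN_AGE_MS;
    if (token === null || stale) {
      await this.refresh();
      token = getCsrfToken(this.readCookies());
      if (token === null) throw new Error("CSRF cookie missing; notify the user");
      this.obtainedAt = this.now();
    }
    return token;
  }
  // Pre-submit step: headers for fetch/XHR carrying a validated token.
  async headersFor(extra = {}) {
    return { ...extra, [CSRF_HEADER_NAME]: await this.getValidToken() };
  }
}
```

The SameSite and Secure flags on the cookie still matter: the header only proves that script on the page could read the cookie, so the server must keep validating the token against the session rather than trusting the header alone.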
20 lines
468 B
Python
"""
|
|
Setup configuration for TimeTracker application.
|
|
This allows the app to be installed as a package for testing.
|
|
"""
|
|
|
|
from setuptools import setup, find_packages
|
|
|
|
setup(
|
|
name='timetracker',
|
|
version='2.3.5',
|
|
packages=find_packages(),
|
|
include_package_data=True,
|
|
install_requires=[
|
|
# Core requirements are in requirements.txt
|
|
# This file is mainly for making the app importable during testing
|
|
],
|
|
python_requires='>=3.11',
|
|
)
|
|
|