From 4ac4fcb4ff7c9a1d6c9dea52e3c6cdf38613d888 Mon Sep 17 00:00:00 2001
From: Patrick Jentsch
Date: Tue, 2 Jun 2020 16:51:08 +0200
Subject: [PATCH] Add security enhancements. See: https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications
---
 app/__init__.py | 4 ++++
 config.py | 5 +++++
 docker-compose.yml | 13 ++++++-------
 requirements.txt | 1 +
 4 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/app/__init__.py b/app/__init__.py
index 3a1f54fc..cdb6f90b 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -2,6 +2,7 @@ from config import config
 from flask import Flask
 from flask_login import LoginManager
 from flask_mail import Mail
+from flask_paranoid import Paranoid
 from flask_socketio import SocketIO
 from flask_sqlalchemy import SQLAlchemy
 import logging
@@ -12,6 +13,8 @@ logger = logging.getLogger(__name__)
 login_manager = LoginManager()
 login_manager.login_view = 'auth.login'
 mail = Mail()
+paranoid = Paranoid()
+paranoid.redirect_view = '/'
 socketio = SocketIO()
@@ -23,6 +26,7 @@ def create_app(config_name):
     db.init_app(app)
     login_manager.init_app(app)
     mail.init_app(app)
+    paranoid.init_app(app)
     socketio.init_app(app, message_queue='redis://redis:6379/')
     from . import events
diff --git a/config.py b/config.py
index 5b46863a..07b748c6 100644
--- a/config.py
+++ b/config.py
@@ -6,6 +6,11 @@ import logging
 class Config:
     ''' ### Flask ### '''
     SECRET_KEY = os.environ.get('SECRET_KEY') or 'hard to guess string'
+    SESSION_COOKIE_SECURE = True
+
+    ''' ### Flask-Login ### '''
+    REMEMBER_COOKIE_HTTPONLY = True
+    REMEMBER_COOKIE_SECURE = True
     ''' ### Flask-Mail ### '''
     MAIL_SERVER = os.environ.get('MAIL_SERVER')
diff --git a/docker-compose.yml b/docker-compose.yml
index 126d78d0..c1b4ea09 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
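Review bot: `paranoid = Paranoid()` binds each session to a fingerprint that, as far as I recall Flask-Paranoid's implementation, is derived from the client address and User-Agent, and this app sits behind Traefik (docker-compose.yml in the same commit), so the value of that binding depends on which address the app actually sees: if it falls back to `request.remote_addr` every user shares the proxy's address and the IP half of the check is void, and if it reads `X-Forwarded-For` the proxy must be the only hop that can set it, otherwise the header is client-controlled. Please confirm against the library version being pinned and record the assumption next to the line, e.g. `# Session is bound to client IP + User-Agent; relies on Traefik being the trusted first hop and logs users out when their address changes.` `paranoid.redirect_view = '/'` also means a mismatch clears the session and bounces to `/` with no message, which users on mobile or changing networks will experience as a silent logout.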
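Review bot: The new cookie flags sit on a base `Config` whose `SECRET_KEY`, the context line directly above `SESSION_COOKIE_SECURE = True`, still falls back to the literal `'hard to guess string'`, so a deployment that forgets the env var ships Secure/HttpOnly cookies that anyone can forge; for a commit about cookie security the fallback should go, `SECRET_KEY = os.environ.get('SECRET_KEY')` with a startup check that it is set, or at minimum a comment marking the default as development-only. Setting `SESSION_COOKIE_SECURE = True` in the base class also applies to any plain-HTTP development config derived from it (not visible here), where browsers will drop the cookie and login will appear to loop — if such a subclass exists it needs to override this to `False`. `SESSION_COOKIE_SAMESITE = 'Lax'` is the remaining setting from the referenced post that this hunk does not add; it is supported from Flask 1.0 and gives CSRF protection that Secure and HttpOnly do not. `class Config` continues past the end of the hunk.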
@@ -27,17 +27,16 @@ services:
       - "traefik.http.routers.nopaque.rule=Host(`nopaque.localhost`)" # Change this to match your nopaque domain
       ### ### ### ###
-      - "traefik.http.middlewares.nopaquesecure-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
-      - "traefik.http.routers.nopaquesecure.entrypoints=websecure"
-      - "traefik.http.routers.nopaquesecure.middlewares=nopaquesecure-headers"
-      - "traefik.http.routers.nopaquesecure.rule=Host(`nopaque.localhost`)" # Change this to match your nopaque domain
-      - "traefik.http.routers.nopaquesecure.tls=true"
+      - "traefik.http.middlewares.nopaque-secure-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.nopaque-secure.entrypoints=web-secure"
+      - "traefik.http.routers.nopaque-secure.middlewares=nopaque-secure-headers"
+      - "traefik.http.routers.nopaque-secure.rule=Host(`nopaque.localhost`)" # Change this to match your nopaque domain
+      - "traefik.http.routers.nopaque-secure.tls=true"
       ### ### ### ###
       # - "traefik.http.middlewares.nopaque-basicauth.basicauth.users=name:hashed-password"
       # - "traefik.http.routers.nopaque.middlewares=nopaque-basicauth, nopaque-headers, nopaque-redirectscheme"
-      # - "traefik.http.middlewares.nopaquesecure-basicauth.basicauth.users=name:hashed-password"
-      # - "traefik.http.routers.nopaquesecure.middlewares=nopaquesecure-basicauth, nopaquesecure-headers"
+      # - "traefik.http.routers.nopaque-secure.middlewares=nopaque-basicauth, nopaquesecure-headers"
       ### ###
     networks:
       - default
diff --git a/requirements.txt b/requirements.txt
index d5d9f24d..c916b22b 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,6 +5,7 @@ Flask
 Flask-Login
 Flask-Mail
 Flask-Migrate
+Flask-Paranoid
 Flask-SocketIO
 Flask-SQLAlchemy
 Flask-Table
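Review bot: The rewritten commented template `# - "traefik.http.routers.nopaque-secure.middlewares=nopaque-basicauth, nopaquesecure-headers"` still names the old `nopaquesecure-headers` middleware while the live label above renames it to `nopaque-secure-headers`, so uncommenting it as-is attaches a non-existent middleware and Traefik drops the TLS router; it should read `# - "traefik.http.routers.nopaque-secure.middlewares=nopaque-basicauth, nopaque-secure-headers"`. The entrypoint rename `websecure` → `web-secure` only works if the entrypoint in Traefik's static configuration was renamed to match, and that file is not in this diff — a mismatch means the HTTPS router never binds and, with `SESSION_COOKIE_SECURE = True` now set in config.py, the app becomes unusable rather than merely unencrypted. Sharing one `nopaque-basicauth` middleware between the HTTP and HTTPS routers is fine only as long as the HTTP router keeps `nopaque-redirectscheme` ahead of it, so credentials are never challenged for over plaintext; worth a comment on the template line.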