Merge pull request #1 from adrianschlatter/develop

Separate Python and Docker

.github/workflows/tox.yml

@@ -0,0 +1,25 @@
+name: tox
+
+on:
+  pull_request:
+  workflow_dispatch:  # you can trigger this workflow manually
+
+jobs:
+  tox_on_ubuntu:
+
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        python: ["3.6", "3.7", "3.8", "3.9", "3.10", "3.11"]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python }}
+      - name: install tox
+        run: pip install tox
+      - name: run tox
+        # Run tox using the version of Python in `PATH`
+        run: tox -e py

.gitignore

@@ -1,19 +1,10 @@
 # to avoid leaking credentials to github:
-sqldatabasename
-sqlpassword
-sqlserver
-sqlusername
-secrets/
-docker-compose.yml
 hash_password.py
 
 # to avoid leaking references to github:
 references
 references/
 
-# because this relates to my personal config:
-config/www.webref.conf
-
 # general things to ignore:
 build/
 dist/
@@ -27,6 +18,7 @@ __pycache__/
 *.tar.gz
 
 # due to using tox, pytest, vscode:
+.coverage
 .tox
 .cache
 .eggs/

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2021 Adrian Schlatter
+Copyright (c) 2021-2023 Adrian Schlatter
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

MANIFEST.in

@@ -0,0 +1,11 @@
+exclude .gitignore
+exclude MANIFEST.in
+exclude tox.ini
+
+recursive-exclude .github *
+recursive-exclude tests *
+
+recursive-include src *.css
+recursive-include src *.js
+recursive-include src *.php
+recursive-include src *.tmpl

docs/DevNotes.md

@@ -1,91 +1,42 @@
 # Development Notes
 
-## Docker Lessons
 
-* Web server must listen on 0.0.0.0:80: Docker port mapping does not work
-  otherwise (127.0.0.1:80 is not enough).
-* Running apache in the foreground (as it's usually done inside a docker
-  container) has unexpected consequences: Apache reacts to SIGWINCH
-  (WINdow CHange SIGnal) by restarting. Therefore, resizing the terminal
-  stops the container...
-
-
-## Deployment to a Synology NAS
-
-Build docker image:
-
-```
-docker build -t webref:0.x .
-```
-
-Then, save this image into a tar-ball:
-
-```
-docker save webref:0.x | gzip > webref-0.x.tar.gz
-```
-
-Copy this to your NAS where you run:
-
-```
-docker load < webref-0.x.tar.gz
-```
-
-Stop your existing webref container and delete it using the commands:
-
-```
-docker container ls
-docker container stop <hexcode>
-docker container rm <hexcode>
-```
-
-Go into your directory with your docker-compose.yml and run (maybe after
-changing the version number inside docker-compose.yml):
-
-```
-docker-compose up --detach
-```
-
-We want https://webref.ourdomain.com to be handled by the webref
-docker container => need reverse proxy. Also, we want Synology to handle
-https certificates. I.e., we want the traffic decrypted before it reaches
-our docker container. Synology's web interface is not
-flexible enough to do this properly. It is still possible, however,
-but we have to use a terminal:
-[This article](https://primalcortex.wordpress.com/2018/05/07/synology-reverse-proxy-revisited-again/?unapproved=18819&moderation-hash=e368f1dda03465bca9880d8de938786a#comment-18819)
-is useful. The config we put in '/etc/nginx/conf.d/server.webref.conf' is:
-
-```
-server {
-    listen 80;
-    server_name webref.ourdomain.com;
-
-    return 301 https://$host$request_uri;
-}
-
-server {
-    listen 443 ssl;
-    server_name webref.ourdomain.com;
-
-    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload" always;
-
-    location / {
-        proxy_pass http://localhost:7000;
-    }
-}
-```
-
-This assumes your webref container has mapped internal port 80 to host port
-7000. Also, it assumes that the NAS's https certificate is valid for
-webref.ourdomain.com (listed as "Subject alternative name:").
-
-Make sure to run
-
-```nginx -s reload```
-
-to activate your new configuration
-
-
-## Ugly
-
-* Docker image httpd:2.4 has apache in /usr/local/apache2. But apt installs
-  additional apache modules (mod_wsgi) in /usr/lib/apache2.
+## Flask
+
+* Project  layout follows [Flask's
+  Tutorial](https://flask.palletsprojects.com/en/3.0.x/tutorial/layout/) but
+  uses a namespace package-layout
+* AJAX: ppf.webref main page sends a document and javascript. When doing
+  things, events are trigged that
+      - request new data from the backend
+      - modify the document based on new data
+
+
+## Security
+
+* CSP (Content Security Policy):
+    - based on flask_talisman
+    - Follow hints by [Mozilla Observatory](https://observatory.mozilla.org)
+      and make sure we get an A+
+* CSRF (Cross-Site Request Forgery):
+    - based on flask_wtf
+    - read
+      [CSRF Protection](https://flask-wtf.readthedocs.io/en/0.15.x/csrf/#javascript-requests)
+    - If you run into the "Bad Request - The CSRF session token is missing."
+      problem, make sure to read [Fix Missing CSRF Token Issues with
+      Flask](https://nickjanetakis.com/blog/fix-missing-csrf-token-issues-with-flask)
+    - And if you start losing your mind while trying to fix CSRF problems: Try
+      running it in your production environment. I was unable to make it work
+      locally, I was unable to make it work on a test host, but it works on my
+      production server. Maybe this is related to the cookie problem related to
+      FQDNs mentioned in the article above: Neither my local computer nor my
+      test host have a fully qualified domain name but my production server
+      has.
+* login: JabRef library is only available to logged-in users
+
+
+## Tests
+
+* pytest
+* read [Testing Flask
+  Applications](https://flask.palletsprojects.com/en/2.2.x/testing/)