check host header for more security

2024-04-07 13:02:52 -04:00 · 2024-04-07 13:02:52 -04:00 · e5c3347380
commit e5c3347380
parent 1c4e703f6f
4 changed files with 6 additions and 101 deletions
--- a/boofilsic/settings.py
+++ b/boofilsic/settings.py
@ -166,7 +166,7 @@ elif _parsed_email_url.scheme:
    EMAIL_TIMEOUT = 5
    vars().update(_parsed_email_config)

-SITE_DOMAIN = env("NEODB_SITE_DOMAIN")
+SITE_DOMAIN = env("NEODB_SITE_DOMAIN").lower()
 SITE_INFO = {
    "neodb_version": NEODB_VERSION,
    "site_name": env("NEODB_SITE_NAME"),
@ -205,10 +205,12 @@ ALLOW_EMAIL_ONLY_ACCOUNT = env.bool(
 # Allow user to login via any Mastodon/Pleroma sites
 MASTODON_ALLOW_ANY_SITE = len(MASTODON_ALLOWED_SITES) == 0

-ALTERNATIVE_DOMAINS = env("NEODB_ALTERNATIVE_DOMAINS", default=[])  # type: ignore
+ALTERNATIVE_DOMAINS = [d.lower() for d in env("NEODB_ALTERNATIVE_DOMAINS", default=[])]  # type: ignore

 SITE_DOMAINS = [SITE_DOMAIN] + ALTERNATIVE_DOMAINS

+ALLOWED_HOSTS = SITE_DOMAINS
+
 ENABLE_LOCAL_ONLY = env("NEODB_ENABLE_LOCAL_ONLY")

 # Timeout of requests to Mastodon, in seconds
@ -260,8 +262,6 @@ DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
 # for legacy deployment:
 # DEFAULT_AUTO_FIELD = "django.db.models.AutoField"

-ALLOWED_HOSTS = ["*"]
-
 # To allow debug in template context
 # https://docs.djangoproject.com/en/3.1/ref/settings/#internal-ips
 INTERNAL_IPS = ["127.0.0.1"]
--- a/common/management/commands/setup.py
+++ b/common/management/commands/setup.py
@ -1,95 +0,0 @@
-from django.conf import settings
-from django.core.management.base import BaseCommand
-from loguru import logger
-
-from catalog.search.typesense import Indexer
-from takahe.models import Config as TakaheConfig
-from takahe.models import Domain as TakaheDomain
-from takahe.models import Identity as TakaheIdentity
-from takahe.models import User as TakaheUser
-from users.models import User
-
-
-class Command(BaseCommand):
-    help = "Post-Migration Setup"
-
-    def create_site(self, domain, service_domain):
-        TakaheDomain.objects.create(
-            domain=domain,
-            local=True,
-            service_domain=service_domain,
-            state="updated",
-            notes="NeoDB",
-            nodeinfo={},
-        )
-        TakaheConfig.objects.update_or_create(
-            key="public_timeline",
-            user=None,
-            identity=None,
-            domain=None,
-            defaults={"json": False},
-        )
-
-    def sync_site_config(self):
-        domain = settings.SITE_INFO["site_domain"]
-        if not domain:
-            raise ValueError("Panic: site_domain is not set!")
-        icon = settings.SITE_INFO["site_logo"]
-        name = settings.SITE_INFO["site_name"]
-        service_domain = settings.SITE_INFO.get("site_service_domain")
-        if not TakaheDomain.objects.filter(domain=domain).exists():
-            logger.warning(f"Domain {domain} not found, creating...")
-            self.create_site(domain, service_domain)
-        TakaheConfig.objects.update_or_create(
-            key="site_name",
-            user=None,
-            identity=None,
-            domain=None,
-            defaults={"json": name},
-        )
-        TakaheConfig.objects.update_or_create(
-            key="site_name",
-            user=None,
-            identity=None,
-            domain_id=domain,
-            defaults={"json": name},
-        )
-        TakaheConfig.objects.update_or_create(
-            key="site_icon",
-            user=None,
-            identity=None,
-            domain_id=None,
-            defaults={"json": icon},
-        )
-        TakaheConfig.objects.update_or_create(
-            key="site_icon",
-            user=None,
-            identity=None,
-            domain_id=domain,
-            defaults={"json": icon},
-        )
-
-    def sync_admin_user(self):
-        users = User.objects.filter(username__in=settings.SETUP_ADMIN_USERNAMES)
-        for user in users:
-            if user.is_superuser:
-                logger.debug(f"User {user.username} is already admin")
-            else:
-                user.is_superuser = True
-                user.save(update_fields=["is_superuser"])
-                TakaheUser.objects.filter(email=f"@{user.username}").update(admin=True)
-                logger.info(f"Updated user {user.username} as admin")
-
-    def handle(self, *args, **options):
-        # Update site name if changed
-        self.sync_site_config()
-
-        # Create/update admin user if configured in env
-        self.sync_admin_user()
-
-        # Create basic emoji if not exists
-
-        # Create search index if not exists
-        Indexer.init()
-
-        # Register cron jobs if not yet
--- a/requirements.txt
+++ b/requirements.txt
@ -2,7 +2,7 @@ blurhash-python
 cachetools
 dateparser
 discord.py
-django~=4.2.9
+django~=4.2.11
 django-anymail
 django-auditlog>=3.0.0-beta.4
 django-bleach
--- a/users/models/apidentity.py
+++ b/users/models/apidentity.py
@ -220,7 +220,7 @@ class APIdentity(models.Model):
        ).first()
        if i:
            return i
-        if domain != settings.SITE_INFO["site_domain"].lower():
+        if domain != settings.SITE_DOMAIN:
            identity = Takahe.get_identity_by_handler(username, domain)
            if identity:
                return Takahe.get_or_create_remote_apidentity(identity)