Add secure CSRF cookies and discreet timer

The session logout countdown timer is made more discreet. Secure and Httponly flags are added to the CSRF token cookie.

apimanager/apimanager/settings.py

@@ -15,7 +15,6 @@ import os
 from django.core.exceptions import ImproperlyConfigured
 from django.urls import reverse_lazy
 
-
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
@@ -273,9 +272,12 @@ SESSION_SAVE_EVERY_REQUEST = True
 # Session Cookie Settings
 SESSION_COOKIE_SECURE = True
 SESSION_COOKIE_HTTPONLY = True
-SESSION_COOKIE_AGE = 300
 SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies"
+SESSION_COOKIE_AGE = 300
 
+# CSRF Cookie Settings
+CSRF_COOKIE_HTTPONLY = True
+CSRF_COOKIE_SECURE = True
 
 # Paths on API_HOST to OAuth
 OAUTH_TOKEN_PATH = '/oauth/initiate'
@@ -317,6 +319,8 @@ CALLBACK_BASE_URL = ""
 # Global
 UNDEFINED = "<undefined>"
 
+API_ROOT_KEY = "v500"
+
 # Local settings can replace any value ABOVE
 try:
     from apimanager.local_settings import *     # noqa
@@ -350,7 +354,7 @@ if not OAUTH_CONSUMER_SECRET:
 
 CSP_IMG_SRC = ("'self' data:", 'https://static.openbankproject.com')
 CSP_STYLE_SRC = ("'self' 'sha256-z2a+NIknPDE7NIEqE1lfrnG39eWOhJXWsXHYGGNb5oU=' 'sha256-Dn0vMZLidJplZ4cSlBMg/F5aa7Vol9dBMHzBF4fGEtk=' 'sha256-sA0hymKbXmMTpnYi15KmDw4u6uRdLXqHyoYIaORFtjU=' 'sha256-jUuiwf3ITuJc/jfynxWHLwTZifHIlhddD8NPmmVBztk=' 'sha256-RqzjtXRBqP4i+ruV3IRuHFq6eGIACITqGbu05VSVXsI='", 'https://cdnjs.cloudflare.com', )
-CSP_SCRIPT_SRC = ("'self' 'sha256-4Hr8ttnXaUA4A6o0hGi3NUGNP2Is3Ep0W+rvm+W7BAk=' 'sha256-GgQWQ4Ejk4g9XpAZJ4YxIgZDgp7CdQCmqjMOMh9hD2g=' 'sha256-05NIAwVBHkAzKcXTfkYqTnBPtkpX+AmQvM/raql3qo0='", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com')
+CSP_SCRIPT_SRC = ("'self' 'unsafe-eval' 'sha256-4Hr8ttnXaUA4A6o0hGi3NUGNP2Is3Ep0W+rvm+W7BAk=' 'sha256-GgQWQ4Ejk4g9XpAZJ4YxIgZDgp7CdQCmqjMOMh9hD2g=' 'sha256-05NIAwVBHkAzKcXTfkYqTnBPtkpX+AmQvM/raql3qo0='", 'http://code.jquery.com', 'https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/', 'https://cdnjs.cloudflare.com')
 CSP_FONT_SRC = ("'self'", 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/') 
 CSP_FRAME_ANCESTORS = ("'self'")
 CSP_FORM_ACTION = ("'self'")

apimanager/base/static/js/inactivity-timer.js

@@ -8,13 +8,15 @@ function addSeconds(date, seconds) {
 }
 
 export function showCountdownTimer() {
+  //TODO rather than display a timer the whole time in a span, make it only show when there are e.g. 30 seconds left.
+  // Maybe a whole page alert that the user will be logged out soon.
 
   // Get current date and time
   var now = new Date().getTime();
   let distance = countDownDate - now;
   // Output the result in an element with id="countdown-timer-span"
   let elementId = ("countdown-timer-span");
-  document.getElementById(elementId).innerHTML = "in " + Math.floor(distance / 1000) + "s";
+  document.getElementById(elementId).innerHTML = Math.floor(distance / 1000) + "s";
 
   // If the count down is over release resources
   if (distance < 0) {

apimanager/base/templates/base.html

@@ -107,7 +107,7 @@
                                 <p class="navbar-right button-select">
                                     <span id="navbar-login-username">{{API_USERNAME}}</span>&nbsp;&nbsp;
                                     <a id="logout" href="/logout" class="btn btn-default">{% trans "Logout" %}</a> 
-                                    <span class="badge badge-secondary" id="countdown-timer-span"></span> 
+                                    <span id="countdown-timer-span"></span> 
                                 </p>
                                 {% endif %}
                             </li>