Commit graph

71 commits

Author SHA1 Message Date
Don-Swanson
4852e5b64f
Implement Google Custom Search (BYOK) feature with configuration options and API client 2025-12-29 09:43:20 -06:00
Don-Swanson
cffef7aa15
Update dependencies and configuration for version 1.2.0
- Bump target Python version to 3.12 in `pyproject.toml`.
- Update Flask to version 3.1.2 in `requirements.txt`.
- Remove deprecated dark mode configuration from the application.
- Adjust logo rendering in templates to remove dark mode dependency.
- Update GitHub Actions workflows to support the 'updates' branch for builds.
- Increment version to 1.1.3 with an optional update-testing tag.
2025-11-26 11:47:54 -06:00
Don-Swanson
178d67a73f
Bump version to update Brotli and fix release issue 2025-11-26 11:01:35 -06:00
Don-Swanson
5f17b82735
up pytest to fix errors 2025-11-23 12:05:45 -06:00
Don-Swanson
be83605c77
Update dependencies in requirements.txt and refactor file handling in app initialization and utility functions to use context managers for better resource management. Adjust filter logic to utilize 'string' instead of 'text' for BeautifulSoup queries, enhancing compatibility with future versions. 2025-09-23 22:14:41 -05:00
Don-Swanson
7f80eb1e51
feat(beta): httpx migration, Tor/proxy refactor, JSON results, alt-link fixes, tests, optional static bundling, HTTP/2 env toggle, cleanup 2025-09-21 00:11:54 -05:00
Don
418d9df89c
Merge pull request #1242 from benbusby/dependabot/pip/jinja2-3.1.6
Bump jinja2 from 3.1.5 to 3.1.6
2025-09-20 16:45:25 -05:00
Don
6782413560
Update requirements.txt 2025-09-20 16:24:20 -05:00
Don
1c1dcfc270
Update requirements.txt
Fixed dependency issues
2025-09-20 16:22:19 -05:00
dependabot[bot]
3476367ee1
Bump cryptography from 3.3.2 to 44.0.1
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.3.2 to 44.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.3.2...44.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 44.0.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-14 15:00:08 +00:00
dependabot[bot]
7ce8c0b216
Bump jinja2 from 3.1.5 to 3.1.6
Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.5 to 3.1.6.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/3.1.5...3.1.6)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-version: 3.1.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-09-14 14:59:53 +00:00
dependabot[bot]
d6c8d73147
Bump jinja2 from 3.1.4 to 3.1.5 (#1209)
Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.4 to 3.1.5.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/3.1.4...3.1.5)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-01-22 12:11:07 -07:00
Ben Busby
041c1fbb35
Update cssutils to 2.7.0
Fixes #1207
2025-01-17 09:54:58 -07:00
dependabot[bot]
4fad68adf2
Bump waitress from 2.1.2 to 3.0.1 (#1192)
Bumps [waitress](https://github.com/Pylons/waitress) from 2.1.2 to 3.0.1.
- [Release notes](https://github.com/Pylons/waitress/releases)
- [Changelog](https://github.com/Pylons/waitress/blob/main/CHANGES.txt)
- [Commits](https://github.com/Pylons/waitress/compare/v2.1.2...v3.0.1)

---
updated-dependencies:
- dependency-name: waitress
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-31 17:20:55 -06:00
dependabot[bot]
89d07abb6c
Bump werkzeug from 3.0.3 to 3.0.6 (#1190)
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.0.3 to 3.0.6.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/3.0.3...3.0.6)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-31 17:17:11 -06:00
dependabot[bot]
441ce72527
Bump idna from 3.4 to 3.7 (#1137)
Bumps [idna](https://github.com/kjd/idna) from 3.4 to 3.7.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](https://github.com/kjd/idna/compare/v3.4...v3.7)

---
updated-dependencies:
- dependency-name: idna
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-30 11:18:24 -06:00
dependabot[bot]
add9313a99
Bump werkzeug from 3.0.1 to 3.0.3 (#1150)
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.0.1 to 3.0.3.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/3.0.1...3.0.3)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-30 11:12:04 -06:00
dependabot[bot]
436233f718
Bump jinja2 from 3.1.3 to 3.1.4 (#1151)
Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/3.1.3...3.1.4)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-30 11:09:38 -06:00
dependabot[bot]
58b7512707
Bump requests from 2.31.0 to 2.32.2 (#1180)
Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.2.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.31.0...v2.32.2)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-30 11:06:55 -06:00
dependabot[bot]
cc7907fb84
Bump cryptography from 42.0.4 to 43.0.1 (#1179)
* Bump cryptography from 42.0.4 to 43.0.1

Bumps [cryptography](https://github.com/pyca/cryptography) from 3.3.2 to 43.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.3.2...43.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update pyopenssl version

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ben Busby <contact@benbusby.com>
2024-09-30 11:00:43 -06:00
dependabot[bot]
ee5a536861
Bump urllib3 from 1.26.18 to 1.26.19 (#1161)
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.18 to 1.26.19.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/1.26.19/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.18...1.26.19)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-30 10:52:25 -06:00
dependabot[bot]
5b8ac0c52e
Bump certifi from 2023.7.22 to 2024.7.4 (#1164)
Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2024.7.4.
- [Commits](https://github.com/certifi/python-certifi/compare/2023.07.22...2024.07.04)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-30 10:49:01 -06:00
dependabot[bot]
af60509a8d
Bump cryptography to 42.0.4, pyopenssl to 24.0.0 (#1123)
* Bump cryptography to 42.0.4

* Bump pyopenssl to 24.0.0

* Squashed commit of the following:

commit 2395bb7a6a
Author: Ben Busby <contact@benbusby.com>
Date:   Wed Mar 6 09:35:48 2024 -0700

    Remove version from DDG bangs url

    Including the version portion of the URL now redirects to search results
    for the name of the bang file, rather than returning the bang file
    itself. Removing the version from the URL returns the correct bang file.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ben Busby <contact@benbusby.com>
2024-03-06 09:51:16 -07:00
dependabot[bot]
c216c033ef
Bump jinja2 from 3.1.2 to 3.1.3 (#1111)
Bumps [jinja2](https://github.com/pallets/jinja) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/3.1.2...3.1.3)

---
updated-dependencies:
- dependency-name: jinja2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-05 09:55:19 -07:00
dependabot[bot]
57398a9b3b
Bump cryptography from 3.3.2 to 41.0.6 (#1101)
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.3.2 to 41.0.6.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.3.2...41.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-05 15:22:52 -07:00
dependabot[bot]
2a0b9a47b2
Bump werkzeug from 2.3.3 to 3.0.1 (#1093)
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 2.3.3 to 3.0.1.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/2.3.3...3.0.1)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-01 14:08:49 -06:00
dependabot[bot]
1644a4a04e
Bump urllib3 from 1.26.17 to 1.26.18 (#1085)
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.17 to 1.26.18.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.17...1.26.18)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-01 14:08:29 -06:00
dependabot[bot]
0d013c788f
Bump urllib3 from 1.26.14 to 1.26.17 (#1073)
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.14 to 1.26.17.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.14...1.26.17)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-10 15:22:47 -06:00
dependabot[bot]
b093d39ed1
Bump cryptography from 3.3.2 to 41.0.4 (#1067)
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.3.2 to 41.0.4.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.3.2...41.0.4)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-28 14:32:09 -06:00
Ben Busby
8b99a87020
Include validators in requirements.txt 2023-09-13 15:51:35 -06:00
dependabot[bot]
8a3c9ea397
Bump cryptography from 41.0.0 to 41.0.3 (#1044)
Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.0 to 41.0.3.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/41.0.0...41.0.3)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-02 10:47:41 -06:00
dependabot[bot]
ee25d3a23d
Bump certifi from 2022.12.7 to 2023.7.22 (#1038)
Bumps [certifi](https://github.com/certifi/python-certifi) from 2022.12.7 to 2023.7.22.
- [Commits](https://github.com/certifi/python-certifi/compare/2022.12.07...2023.07.22)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-08-02 10:46:09 -06:00
Ben Busby
179fc5e020
Update cryptography + pyopenssl 2023-06-26 15:43:18 -06:00
dependabot[bot]
2b8d100cfb
Bump requests from 2.28.2 to 2.31.0 (#1008)
Bumps [requests](https://github.com/psf/requests) from 2.28.2 to 2.31.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.28.2...v2.31.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-25 15:50:12 -06:00
xatier
4b7ab3b283
Bump flask from 2.2.3 to 2.3.2 (#1000)
Note that Flask 2.3.2 also requires Werkzeug>=2.3.3

Ref: https://github.com/pallets/flask/blob/main/pyproject.toml
2023-05-08 17:22:07 -06:00
Ben Busby
74f7975e62
Split crypto + pyopenssl reqs for armv7 builds
Since including rust in the builder stage of the image didn't address
the issues with building the cryptography library on armv7, that
architecture will just use the last supported version of the affected
libraries. May want to revisit this later.
2023-02-21 14:28:15 -07:00
dependabot[bot]
da53db2a81
Upgrade dependencies (#959)
* Bump werkzeug from 0.16.0 to 2.2.3

Bumps [werkzeug](https://github.com/pallets/werkzeug) from 0.16.0 to 2.2.3.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/0.16.0...2.2.3)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix dependency issue

* Upgrade all dependencies to latest version

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ben Busby <contact@benbusby.com>
2023-02-20 17:14:00 -07:00
dependabot[bot]
c4c32a4bcc
Bump cryptography from 3.3.2 to 39.0.1 (#952)
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.3.2 to 39.0.1.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.3.2...39.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-10 10:04:44 -07:00
dependabot[bot]
cd7fce2822
Bump certifi from 2020.4.5.1 to 2022.12.7 (#902)
Bumps [certifi](https://github.com/certifi/python-certifi) from 2020.4.5.1 to 2022.12.7.
- [Release notes](https://github.com/certifi/python-certifi/releases)
- [Commits](https://github.com/certifi/python-certifi/compare/2020.04.05.1...2022.12.07)

---
updated-dependencies:
- dependency-name: certifi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-12-08 10:32:17 -07:00
Ben Busby
7494a14bc2
Remove py dependency, update pytest version
See https://github.com/advisories/GHSA-w596-4wvx-j9j6
2022-10-31 12:58:18 -06:00
João
74503d542e
Encode config params in URL (#842)
Adds support for encoding (and optionally encrypting) user config values as
a single string that can be passed to any endpoint with the "preferences" url
param.

Co-authored-by: Ben Busby <contact@benbusby.com>
2022-09-22 14:14:56 -06:00
Ben Busby
32ad39d0e1
Refactor session behavior, remove Flask-Session dep
Sessions are no longer validated using the "/session/..." route. This
created a lot of problems due to buggy/unexpected behavior coming from
the Flask-Session dependency, which is (more or less) no longer
maintained.

Sessions are also no longer strictly server-side-only. The majority of
information that was being stored in user sessions was aesthetic only,
aside from the session specific key used to encrypt URLs. This key is
still unique per user, but is not (or shouldn't be) in anyone's threat
model to keep absolutely 100% private from everyone. Especially paranoid
users of Whoogle can easily modify the code to use a randomly generated
encryption key that is reset on session invalidation (and set
invalidation time to a short enough period for their liking).

Ultimately, this should result in much more stable sessions per client.
There shouldn't be decryption issues with element URLs or queries
during result page navigation.
2022-08-29 13:36:40 -06:00
dependabot[bot]
57d9ae9351
Bump waitress from 2.1.1 to 2.1.2 (#773)
Bumps [waitress](https://github.com/Pylons/waitress) from 2.1.1 to 2.1.2.
- [Release notes](https://github.com/Pylons/waitress/releases)
- [Changelog](https://github.com/Pylons/waitress/blob/v2.1.2/CHANGES.txt)
- [Commits](https://github.com/Pylons/waitress/compare/v2.1.1...v2.1.2)

---
updated-dependencies:
- dependency-name: waitress
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-03 13:41:12 -06:00
Ben Busby
9317d9217f
Support proxying results through Whoogle (aka "anonymous view") (#682)
* Expand `/window` endpoint to behave like a proxy

The `/window` endpoint was previously used as a type of proxy, but only
for removing Javascript from the result page. This expands the existing
functionality to allow users to proxy search result pages (with or without
Javascript) through their Whoogle instance.

* Implement filtering of remote content from css

* Condense NoJS feature into Anonymous View

Enabling NoJS now removes Javascript from the Anonymous View, rather
than creating a separate option.

* Exclude 'data:' urls from filter, add translations

The 'data:' url must be allowed in results to view certain elements on
the page, such as stars for review based results.

Add translations for the remaining languages.

* Add cssutils to requirements
2022-04-13 11:29:07 -06:00
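The CSS filtering described in this commit (drop anything that makes the client's browser fetch a remote resource, but keep `data:` URLs so inline assets such as review stars still render) is the part of the anonymous view that protects the user's IP address. The project's own implementation uses cssutils; the block below is an added example, not the project's code, that does the same filtering with a stdlib regex so it runs without dependencies. The sample stylesheet and the hostnames in it are constructed for illustration.

```python
"""Strip remote fetches from a stylesheet before serving it through a proxy view.

Any url() that is not a data: URL, and every @import, would make the client's
browser contact a third-party host and expose its IP address. data: URLs are
kept because they embed the resource inline and trigger no request.
"""
from __future__ import annotations

import re

# url("..."), url('...') and bare url(...) tokens; case-insensitive, may span lines.
_URL_TOKEN = re.compile(
    r"""url\(\s*(?P<q>["']?)(?P<url>.*?)(?P=q)\s*\)""", re.IGNORECASE | re.DOTALL
)
# @import in both spellings (url(...) or a quoted string), up to the terminating ';'.
_IMPORT_RULE = re.compile(
    r"""@import\s+(?:url\([^)]*\)|["'][^"']*["'])[^;]*;""", re.IGNORECASE
)


def is_inline(url: str) -> bool:
    """data: URLs carry the bytes inline and cause no network request."""
    return url.strip().lower().startswith("data:")


def filter_remote_css(css: str) -> tuple[str, list[str]]:
    """Return (filtered_css, removed_references).

    @import rules are deleted outright; every other url() that is not a data:
    URL is replaced by 'none', which is a valid value for background, list-style,
    cursor and mask, and simply voids the declaration elsewhere (e.g. @font-face src).
    """
    removed: list[str] = []

    def drop_import(match):
        removed.append(match.group(0).strip())
        return ""

    def scrub_url(match):
        url = match.group("url")
        if is_inline(url):
            return match.group(0)
        removed.append(url)
        return "none"

    # Remove @import first so a url() nested inside it is not counted twice.
    css = _IMPORT_RULE.sub(drop_import, css)
    css = _URL_TOKEN.sub(scrub_url, css)
    return css, removed


# Constructed sample stylesheet (hostnames are placeholders, not real services).
SAMPLE_CSS = """\
@import url("https://tracker.example/beacon.css");
.star { background: url(data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=) no-repeat; }
.logo { background-image: url('https://cdn.example/logo.png'); }
@font-face { font-family: f; src: url(https://fonts.example/f.woff2) format("woff2"); }
"""

if __name__ == "__main__":
    filtered, dropped = filter_remote_css(SAMPLE_CSS)
    print(filtered)
    print("removed:", dropped)  # the @import rule plus the two https:// resources
```

The regex approach is deliberately conservative: it does not understand CSS escape sequences, `image-set()` or `src()` notation, and it will also rewrite `url()` tokens that sit inside comments (harmless). A tokenizing parser such as the cssutils the project adopted is the right tool once the stylesheet can be adversarial in its syntax rather than just in its URLs.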
dependabot[bot]
605338e998
Bump waitress from 1.4.3 to 2.1.1 (#691)
Bumps [waitress](https://github.com/Pylons/waitress) from 1.4.3 to 2.1.1.
- [Release notes](https://github.com/Pylons/waitress/releases)
- [Changelog](https://github.com/Pylons/waitress/blob/master/CHANGES.txt)
- [Commits](https://github.com/Pylons/waitress/compare/v1.4.3...v2.1.1)

---
updated-dependencies:
- dependency-name: waitress
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-22 09:39:26 -06:00
Ben Busby
2a0ad8796c
Switch to defusedxml for xml parsing
xml.etree.ElementTree.fromstring is considered insecure, see:
https://docs.python.org/3/library/xml.etree.elementtree.html

The defusedxml package contains several Python-only workarounds and
fixes for denial of service and other vulnerabilities in Python's XML
libraries: https://github.com/tiran/defusedxml

Fixes #670
2022-03-01 12:54:32 -07:00
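What defusedxml guards against is that a DTD in untrusted input can declare entities that expand exponentially (an expansion bomb) or that point at external resources (XXE), and the stock `xml.etree.ElementTree.fromstring` will happily process both. The block below is an added example, not the project's code and not defusedxml itself: it uses only the stdlib expat bindings to reject those constructs at declaration time, before anything is expanded, which is the same strategy defusedxml applies. The sample documents are constructed for illustration; the `allow_dtd` switch is this example's own parameter.

```python
"""Parse untrusted XML with the stdlib only, refusing the constructs defusedxml blocks.

The expat handlers below fire when a DOCTYPE, an entity declaration or an
external entity reference is *declared*, before anything is expanded, so an
entity-expansion bomb or an XXE payload is rejected without being processed.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when the document uses a construct we refuse to process."""


def parse_untrusted_xml(data: bytes, allow_dtd: bool = False) -> ET.Element:
    """Build an Element tree from `data`, refusing DTDs, entity declarations and external entities.

    Simplification of this example: namespace prefixes are kept verbatim
    ("prefix:tag") instead of being rewritten to "{uri}tag" as ET.fromstring does.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DTD forbidden (<!DOCTYPE {name}>)")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        # Fires for internal entities (expansion bombs) and external ones (XXE) alike.
        raise UnsafeXML(f"entity declaration forbidden ({name})")

    def forbid_external(context, base, sysid, pubid):
        # Belt and braces: not reachable once entity declarations are refused.
        raise UnsafeXML(f"external entity reference forbidden ({sysid})")

    if not allow_dtd:
        parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    # Route element events into the same TreeBuilder that ET.XMLParser uses.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return builder.close()


def rejection_reason(data: bytes, allow_dtd: bool = False):
    """Return why `data` was refused, or None if it parsed cleanly."""
    try:
        parse_untrusted_xml(data, allow_dtd=allow_dtd)
    except UnsafeXML as exc:
        return str(exc)
    return None


# Constructed sample inputs (not taken from the project).
BENIGN = b"<bangs><bang name='ddg'>https://duckduckgo.com/</bang></bangs>"

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>"""

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).tag)         # bangs
    print(rejection_reason(BILLION_LAUGHS))        # DTD forbidden (<!DOCTYPE lolz>)
    print(rejection_reason(XXE, allow_dtd=True))   # entity declaration forbidden (xxe)
```

Refusing the DOCTYPE outright is the strictest setting and the right default for a feed like the DDG bang file, which never needs a DTD; `allow_dtd=True` shows that the entity-level handlers still stop both payloads on their own, which is the defusedxml default behaviour (entities and external references forbidden, DTD allowed).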
Ben Busby
95be59eaab
Roll back crypto library version
This is a temporary reversion to 3.3.2 for the cryptography library.
There's an issue with buildx failing for the arm/v7 build, which is
directly related to cryptography versions > 3.3.2 (after the switch to
rust).

It might be acceptable to include the rust toolchain for armv7 builds,
but that adds a comical amount of time to the full cross platform build.
2021-12-21 17:03:49 -07:00
Ben Busby
b745460a87
Bump cryptography version 2021-12-21 14:02:13 -07:00
Ben Busby
e06ff85579
Improve public instance session management (#480)
This introduces a new approach to handling user sessions, which should
allow for users to set more reliable config settings on public instances.

Previously, when a user with cookies disabled would update their config,
this would modify the app's default config file, which would in turn
cause new users to inherit these settings when visiting the app for the
first time and cause users to inherit these settings when their current
session cookie expired (which was after 30 days by default I believe).
There was also some half-baked logic for determining on the backend
whether or not a user had cookies disabled, which led to some issues
with out of control session file creation by Flask.

Now, when a user visits the site, their initial request is forwarded to
a session/<session id> endpoint, and during that subsequent request
their current session id is matched against the one found in the url. If
the ids match, the user has cookies enabled. If not, their original
request is modified with a 'cookies_disabled' query param that tells
Flask not to bother trying to set up a new session for that user, and
instead just use the app's fallback Fernet key for encryption and the
default config.

Since attempting to create a session for a user with cookies disabled
creates a new session file, there is now also a clean-up routine included
in the new session decorator, which will remove all sessions that don't
include a valid key in the dict. NOTE!!! This means that current user
sessions on public instances will be cleared once this update is merged
in. In the long run that's a good thing though, since this will allow session
mgmt to be a lot more reliable overall for users regardless of their cookie
preference.

Individual user sessions still use a unique Fernet key for encrypting queries,
but users with cookies disabled will use the default app key for encryption
and decryption.

Sessions are also now (semi)permanent and have a lifetime of 1 year.
2021-11-17 19:35:30 -07:00
Ben Busby
05c492bf82
Update pytest to 6.2.5 2021-10-21 12:45:25 -06:00