Lots of Bugfixes (#1426)

* Fixed bookmarks not being able to load due to missing [AllowAnonymous] * Downgraded Docnet to 2.4.0-alpha2 which is the version we added our patches to. This might fix reports of broken PDF reading on ARM * Updated all but one api in collections to admin only policy * Ensure all config folders are created or exist on first load * Ensure plugins can authenticate * Updated some headers we use on Kavita to tighten security. * Tightened up cover upload flow to restrict more APIs to only the admin * Enhanced the reset password flow to ensure that the user passes their existing password in (if already authenticated). Admins can still change other users without having existing password. * Removed an additional copy during build and copied over the prod appsettings and not Development. * Fixed up the caching mechanism for cover resets and migrated to profiles. Left an etag filter for reference. * Fixed up manual jump key calculation to include period in # * Added jumpbar to reading lists page * Fixed a double scrollbar on library detail page * Fixed weird scroll issues with want to read * Fixed a bug where remove from want to read list wasn't hooked up on series card * Cleaned up Clear bookmarks to use a dedicated api for bulk clearing. Converted Bookmark page to OnPush. * Fixed jump bar being offset when clicking a jump key * Ensure we don't overflow on add to reading list * Fixed a bad name format on reading list items
2022-08-11 20:16:31 -05:00 · 2022-08-11 20:16:31 -05:00 · b6a38bbd86
commit b6a38bbd86
parent 7392747388
37 changed files with 497 additions and 96 deletions
--- a/API/Startup.cs
+++ b/API/Startup.cs
@ -25,6 +25,7 @@ using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.ResponseCompression;
 using Microsoft.AspNetCore.StaticFiles;
 using Microsoft.Extensions.Configuration;
@ -52,7 +53,23 @@ namespace API
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddApplicationServices(_config, _env);
-            services.AddControllers();
+            services.AddControllers(options =>
+            {
+                options.CacheProfiles.Add("Images",
+                    new CacheProfile()
+                    {
+                        Duration = 60,
+                        Location = ResponseCacheLocation.None,
+                        NoStore = false
+                    });
+                options.CacheProfiles.Add("Hour",
+                    new CacheProfile()
+                    {
+                        Duration = 60 * 10,
+                        Location = ResponseCacheLocation.None,
+                        NoStore = false
+                    });
+            });
            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.All;
@ -252,6 +269,12 @@ namespace API
                context.Response.Headers[Microsoft.Net.Http.Headers.HeaderNames.Vary] =
                    new[] { "Accept-Encoding" };

+                // Don't let the site be iframed outside the same origin (clickjacking)
+                context.Response.Headers.XFrameOptions = "SAMEORIGIN";
+
+                // Setup CSP to ensure we load assets only from these origins
+                context.Response.Headers.Add("Content-Security-Policy", "default-src 'self' frame-ancestors 'none';");
+
                await next();
            });