implement content-security-policy, static assets cache bust, and fix

stripe back button ratchet issue because the only way to use stripe checkout is to run their proprietary JS, and we arent using a SPA, naturally what happens is, when you land on the stripe payment page if you hit the back button it goes back to the same page where you got re-directed to stripe. this commit fixes that.
2020-05-22 15:20:26 -05:00
parent 5a080fe1c5
commit 672ff49d6d
13 changed files with 202 additions and 65 deletions
--- a/capsulflask/payment.py
+++ b/capsulflask/payment.py
@ -2,9 +2,11 @@ import stripe
 import json
 import time
 import decimal
-from time import sleep
+import re

+from time import sleep
 from flask import Blueprint
+from flask import make_response
 from flask import request
 from flask import current_app
 from flask import session
@ -165,14 +167,46 @@ def stripe_payment():

      #return redirect(f"https://checkout.stripe.com/pay/{stripe_checkout_session_id}")

+      return redirect(f"/payment/stripe/{stripe_checkout_session_id}")
+
  for error in errors:
    flash(error)

-  return render_template(
-    "stripe.html", 
+  return render_template("stripe.html")
+
+@bp.route("/stripe/<string:stripe_checkout_session_id>")
+@account_required
+def redirect_to_stripe(stripe_checkout_session_id):
+
+  if stripe_checkout_session_id and not re.match(r"^[a-zA-Z0-9_=-]+$", stripe_checkout_session_id):
+    stripe_checkout_session_id = '___________'
+
+  response = make_response(render_template(
+    "stripe.html",
    stripe_checkout_session_id=stripe_checkout_session_id,
    stripe_public_key=current_app.config["STRIPE_PUBLISHABLE_KEY"]
-  )
+  ))
+
+  if stripe_checkout_session_id is not None:
+    response.headers['Content-Security-Policy'] = "default-src 'self' https://js.stripe.com"
+  
+  return response
+
+@bp.route("/stripe/<string:stripe_checkout_session_id>/json")
+@account_required
+def stripe_checkout_session_json(stripe_checkout_session_id):
+
+  if stripe_checkout_session_id and not re.match(r"^[a-zA-Z0-9_=-]+$", stripe_checkout_session_id):
+    stripe_checkout_session_id = '___________'
+
+  has_redirected_already = get_model().payment_session_redirect(session['account'], stripe_checkout_session_id)
+
+  if has_redirected_already is None:
+    abort(404, "Not Found")
+
+  return jsonify(dict(hasRedirectedAlready=has_redirected_already))
+
+

 def validate_stripe_checkout_session(stripe_checkout_session_id):
  checkout_session_completed_events = stripe.Event.list(