Merge branch 'dev'

* dev: (75 commits) Optionally enable Cross-Origin Resource Sharing via flag Move notices into dedicated section at the top of the page; show notice when device access revoked successfully Switch from godep to govendor; update dependencies Extract client version from X-Client-Version header and store with auth token Clean up web auth tokens immediately after they expire Show note with app download link if not devices are connected Allow query string in redirect parameter to auth request endpoint Confirm delete store within dashboard instead of using separate page Remove unused delete-store-success template Define csp directives as a template block so they can be customized for specific pages Remove activate auth token success page for api token; Log in and redirect to dashboard instead Various changes to improve extensibility Make message field of BadRequest exported so it can be used from other packages Use time.Ticker for StorageCleaner scheduling Implement static and root routes as Handler structs Rafactor way endpoints are registered Move handler, middleware functions out of server struct and into own file Clean out old auth requests every 24 hrs Add 'Created' field to Account Replace Storage::List method with Storage::Iterator method that returns an iterator instead of a string slice ...
padloc · Nov 1, 2016 · e72c5e3 · e72c5e3
2 parents c4994d7 + 9d5cf5a
commit e72c5e3
Show file tree

Hide file tree

Showing 363 changed files with 11,262 additions and 124,225 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 padlock-cloud
+db
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/Godeps/Readme b/Godeps/Readme
diff --git a/README.md b/README.md
@@ -62,7 +62,7 @@ server:
   port: 5555
   tls_cert: cert.crt
   tls_key: cert.key
-  host: cloud.padlock.io
+  base_url: https://cloud.padlock.io
 leveldb:
   path: path/to/db
 email:
@@ -77,7 +77,7 @@ log:
 ```
 
 **NOTE**: If you are using a config file, all other flags and environment
-variables will be ingored.
+variables will be ignored.
 
 ## Security Considerations
 
@@ -90,7 +90,7 @@ through plain http. You should make sure that in this case the server does
 **not** listen on a public port and that any reverse proxies that handle
 outgoing connections are protected via TLS.
 
-### Link spoofing and the --host option
+### Link spoofing and the --base-url option
 
 Padlock Cloud frequently uses confirmation links for things like activating
 authentication tokens, confirmation for deleting an account etc. They usually
@@ -103,24 +103,23 @@ https://hostname:port/activate/?v=1&t=cdB6iEdL4o5PfhLey30Rrg
 
 These links are sent out to a users email address and serve as a form of
 authentication. Only users that actually have control over the email account
-accociated with their Padlock Cloud account may access the correponding data.
+associated with their Padlock Cloud account may access the corresponding data.
 
-Now the `hostname` and `port` portion of the url will obviously differ based on
+Now the `hostname` and `port` portion of the URL will obviously differ based on
 the environment. By default, the app will simply use the value provided by the
 `Host` header of the incoming request. But the `Host` header can easily be
 faked and unless the server is running behind a reverse proxy that sets the it
-to the correct value, this opens the app up to a vulnerabilty we call 'link
-spoofing'. Let's say an attacker sends an authentiation request to our server
+to the correct value, this opens the app up to a vulnerability we call 'link
+spoofing'. Let's say an attacker sends an authentication request to our server
 using a targets email address, but changes the `Host` header to a server that
 he controls. The email that is sent to the target will now contain a link that
 points to the attackers server instead of our own and once the user clicks the
 link the attacker is in possession of the activation token which can in turn be
 used to activate the authentication token he already has.  There is a simple
-solution for this: Explicitly provide a hostname and port to be used for link
-generation when starting up the server. The `runserver` command provides the
-`--host` flag for this. This is a string that contains the hostname and
-optionally a port, e.g. `example.com:3000` or simply `example.com`. it is
-recommended to use this option in production environments at all times!
+solution for this: Explicitly provide a base URL to be used for constructing
+links when starting up the server. The `runserver` command provides the
+`--base-url` flag for this. It is recommended to use this option in production
+environments at all times!
 
 ## Troubleshooting
 

diff --git a/assets/static/css/base.css b/assets/static/css/base.css
@@ -0,0 +1,184 @@
+body {
+    padding: 0;
+    margin: 0;
+    font-family: "Clear Sans", "Helvetica Neue", Helvetica, sans-serif;
+    font-size: 18px;
+    color: #333;
+    font-weight: 300;
+    -webkit-tap-highlight-color: transparent;
+}
+
+body, input, button {
+    -webkit-font-smoothing: antialiased;
+}
+
+input:not([type="checkbox"]), button {
+    -webkit-appearance: none;
+    -moz-appearance: none;
+    border-radius: 0;
+    font-size: inherit;
+    font-family: inherit;
+    padding: 10px 15px;
+    background: #fff;
+    border: solid 1px #ccc;
+    min-width: 0;
+}
+
+input[type="checkbox"] {
+    vertical-align: middle;
+    cursor: pointer;
+}
+
+button {
+    border: none;
+    background: #59c6ff;
+    color: #fff;
+    cursor: pointer;
+    white-space: nowrap;
+    overflow: hidden;
+    text-overflow: ellipsis;
+}
+
+button.light {
+    background: none;
+    color: #59c6ff;
+    padding: 0;
+    margin: 5px 0 0 2px;
+}
+
+*:focus {
+    outline: none;
+}
+
+h1 {
+    font-size: 250%;
+    font-weight: 100;
+    margin: 20px 0;
+}
+
+h2 {
+    font-size: 120%;
+    font-weight: 400;
+}
+
+h3 {
+    font-size: 110%;
+    font-weight: 400;
+}
+
+a {
+    color: #59c6ff;
+    text-decoration: none;
+    font-weight: 400;
+}
+
+button:hover, a:hover {
+    opacity: 0.7;
+}
+
+section {
+    padding: 0 40px;
+    margin: 40px 0;
+    clear: both;
+}
+
+footer {
+    display: block;
+    padding: 10px;
+    text-align: center;
+    font-size: 80%;
+    border-top: solid 1px #ccc;
+}
+
+footer .copyright {
+    color: #ccc;
+}
+
+footer a {
+    margin: 0 5px;
+}
+
+ul {
+    list-style: none;
+    margin: 0;
+    padding: 0;
+}
+
+th {
+    text-align: left;
+    vertical-align: top;
+    width: 150px;
+}
+
+svg.icon {
+    fill: currentColor;
+    stroke: currentColor;
+}
+
+header {
+    background: #ffffff;
+    position: fixed;
+    top: 0;
+    width: 100%;
+    z-index: 1;
+    padding: 0 10px;
+    box-sizing: border-box;
+    border-bottom: solid 1px #ccc;
+}
+
+header .inner {
+    height: 50px;
+    width: 100%;
+    margin: 0 auto;
+}
+
+header .inner, header .home, header nav, header nav ul {
+    display: flex;
+    align-items: center;
+}
+
+header nav ul li {
+    display: inline-block;
+    margin-left: 10px;
+}
+
+header .logo {
+    width: 35px;
+    height: 35px;
+    margin-right: 10px;
+    margin-left: 3px;
+}
+
+header .spacer {
+    flex: 1;
+}
+
+main {
+    margin: 80px auto;
+}
+
+header .inner, main {
+    max-width: 800px;
+}
+
+.account-email {
+    font-size: 90%;
+    font-weight: bold;
+}
+
+.note {
+    background: rgba(89, 198, 255, 0.1);
+    padding: 20px;
+    border: solid 1px #59c6ff;
+}
+
+@media (max-width: 500px) {
+    header .home .type {
+        display: none;
+    }
+
+    section {
+        padding-left: 20px;
+        padding-right: 20px;
+    }
+}