kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(auth,frontend): secure cookie HTTP fix, technique links y CSP
Some checks failed
Aegis CI / lint-and-test (push) Has been cancelled
Details

Browse Source 
- auth: desacopla SECURE_COOKIES de AEGIS_ENV para que el login
  funcione sobre HTTP (SECURE_COOKIES=false en servidor local)
- TechniqueCell: button -> Link para href real (right-click, a11y)
- TechniquesPage: añade Link en celda MITRE ID en vista lista
- nginx CSP: amplía connect-src con ws:/wss: para evitar bloqueos

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
kitos
2026-05-19 09:28:39 +02:00
parent 1249391ef0
commit 2495423790
4 changed files with 24 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
backend/app/routers/auth.py
View File

@@ -34,7 +34,16 @@ from app.schemas.user import PasswordChange
router = APIRouter(prefix="/auth", tags=["auth"]) router = APIRouter(prefix="/auth", tags=["auth"])
_IS_HTTPS = os.environ.get("AEGIS_ENV", "").lower() == "production" # SECURE_COOKIES desacopla la seguridad de la cookie del entorno de ejecucion.
# Por defecto activo en produccion; ponlo en "false" para servidores HTTP.
_aegis_env = os.environ.get("AEGIS_ENV", "development").lower()
_secure_cookie_env = os.environ.get("SECURE_COOKIES", "auto").lower()
if _secure_cookie_env == "false":
_IS_HTTPS = False
elif _secure_cookie_env == "true":
_IS_HTTPS = True
else: # "auto" — activo solo si AEGIS_ENV=production
_IS_HTTPS = _aegis_env == "production"
_COOKIE_NAME = "aegis_token" _COOKIE_NAME = "aegis_token"

2
frontend/nginx.conf
View File

@@ -14,7 +14,7 @@ server {
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# CSP: allow self + inline styles (React build) + data: URIs for fonts/images # CSP: allow self + inline styles (React build) + data: URIs for fonts/images
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' ws: wss:; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" always;
# Hide Nginx version # Hide Nginx version
server_tokens off; server_tokens off;

15
frontend/src/components/TechniqueCell.tsx
View File

@@ -1,4 +1,4 @@
import { useNavigate } from "react-router-dom"; import { Link } from "react-router-dom";
import { AlertTriangle } from "lucide-react"; import { AlertTriangle } from "lucide-react";
import type { TechniqueStatus } from "../types/models"; import type { TechniqueStatus } from "../types/models";
@@ -48,18 +48,13 @@ export default function TechniqueCell({
status, status,
reviewRequired = false, reviewRequired = false,
}: TechniqueCellProps) { }: TechniqueCellProps) {
const navigate = useNavigate();
const colors = statusColors[status] || statusColors.not_evaluated; const colors = statusColors[status] || statusColors.not_evaluated;
const handleClick = () => {
navigate(`/techniques/${mitreId}`);
};
return ( return (
<button <Link
onClick={handleClick} to={`/techniques/${mitreId}`}
className={` className={`
relative w-full rounded-md border p-2 text-left transition-all relative block w-full rounded-md border p-2 text-left transition-all
hover:scale-[1.02] hover:shadow-lg hover:z-10 hover:scale-[1.02] hover:shadow-lg hover:z-10
${colors.bg} ${colors.border} ${colors.bg} ${colors.border}
`} `}
@@ -73,6 +68,6 @@ export default function TechniqueCell({
<p className="mt-0.5 truncate text-xs text-gray-300" title={name}> <p className="mt-0.5 truncate text-xs text-gray-300" title={name}>
{name} {name}
</p> </p>
</button> </Link>
); );
} }

10
frontend/src/pages/TechniquesPage.tsx
View File

@@ -4,7 +4,7 @@ import { Loader2, AlertCircle, Filter, X, Grid3X3, List } from "lucide-react";
import { getTechniques, type TechniqueSummary } from "../api/techniques"; import { getTechniques, type TechniqueSummary } from "../api/techniques";
import AttackMatrix from "../components/AttackMatrix"; import AttackMatrix from "../components/AttackMatrix";
import type { TechniqueStatus } from "../types/models"; import type { TechniqueStatus } from "../types/models";
import { useNavigate } from "react-router-dom"; import { useNavigate, Link } from "react-router-dom";
const STATUS_OPTIONS: { value: TechniqueStatus | "all"; label: string; color: string }[] = [ const STATUS_OPTIONS: { value: TechniqueStatus | "all"; label: string; color: string }[] = [
{ value: "all", label: "All Statuses", color: "text-gray-400" }, { value: "all", label: "All Statuses", color: "text-gray-400" },
@@ -224,7 +224,13 @@ export default function TechniquesPage() {
className="cursor-pointer border-b border-gray-800/50 hover:bg-gray-800/50 transition-colors" className="cursor-pointer border-b border-gray-800/50 hover:bg-gray-800/50 transition-colors"
> >
<td className="px-4 py-3"> <td className="px-4 py-3">
<span className="font-mono text-cyan-400">{tech.mitre_id}</span> <Link
to={`/techniques/${tech.mitre_id}`}
onClick={(e) => e.stopPropagation()}
className="font-mono text-cyan-400 hover:underline"
>
{tech.mitre_id}
</Link>
</td> </td>
<td className="px-4 py-3 text-gray-200">{tech.name}</td> <td className="px-4 py-3 text-gray-200">{tech.name}</td>
<td className="px-4 py-3"> <td className="px-4 py-3">