pgz-sport/_backups/sidebar.js.cc3_pre_redesign.1777937786
Damir Radulić f9ebcddf28 CC2 R6: middleware-wide JWT, avatar demo mode, mock mailer, login rate limit
#1 JWT middleware extended:
- Was: /api/admin/* only
- Now: any POST/PUT/PATCH/DELETE under /api/* requires Bearer JWT
- Whitelist (still anonymous): /api/auth/login, /refresh, /forgot-password,
  /password/reset, /reset-password, /setup-password, /google;
  /api/gdpr/consent; any path ending /avatar
- 14 mutating endpoints verified to return 401 without token

#2 Avatar upload demo mode (routers/clan_panel_router.py):
- Anonymous → returns {demo_mode:true, slika_url:null,
  message:'Demo mode — slika nije spremljena. Prijavite se za pravu pohranu.'},
  no FS write, no DB write
- Authenticated (valid JWT, allowed role) → real save as before
- Auth check now uses auth.auth_v2.decode_token (proper secret + revocation)
  instead of the broken local _resolve_role

#3 Mock mailer (auth/mailer.py):
- send_email writes RFC 822 .eml to /tmp/pgz_mailbox + appends to INDEX.jsonl
- send_password_reset, send_invite helpers with HR text + HTML alt
- Real SMTP active when PGZ_SMTP_HOST is set (env-driven, off by default)
- forgot-password and admin invite both call mailer; audit logs mail status

#5 Rate limiting on /api/auth/login:
- Per-user: 5 wrong attempts → 5-minute DB-backed lockout
  (was 5 → 15 min). Configurable via PGZ_LOGIN_LOCK_THRESHOLD/MINUTES.
- Per-IP: 10 fails / 5-min sliding window in-memory → HTTP 429
  Configurable via PGZ_LOGIN_IP_THRESHOLD/WINDOW_SEC. Successful
  login clears the IP counter.
- Failed attempts respond '(N/5) — račun je zaključan na 5 minuta'
- New audit actions: login.ratelimit.ip; login.fail meta now
  includes fails count, locked, lock_minutes

#4 Live test report: 46/46 across 6 demo users — login, JWT gate on 14
   mutating endpoints, public path whitelist, demo-mode avatar +
   real save, forgot-password e-mail to mailbox, no-leak unknown email,
   5-fail lockout, 423 during lockout, audit coverage.
2026-05-05 01:42:53 +02:00


/* PGŽ SPORT — Unified Sidebar v1.0
* dradulic@outlook.com / damir@rinet.one — 2026-05-05
*
* Usage on each page:
* <link rel="stylesheet" href="/static/shared/sidebar.css">
* <script src="/static/shared/sidebar.js" defer
* data-active="app" // page key for highlight: app|admin|crm|erp|kpi|audit|login|sport2
* data-inline="0"></script> // 0 (default) = render on load. 1 = call PGZSidebar.mount() yourself
*
* The script renders #pgz-sb at start of <body>, adds class "pgz-has-sb" to body
* (so existing layouts can be migrated). Pages that already have their own sidebar
* should pass data-skip="1" — only NAV_EXTERNAL portal links will be appended to
* an element with id="pgz-portal-mount" if present.
*/
(function(){
'use strict';
// ────────── Configuration ──────────
// Per-portal "internal" sections (left as a hint; pages typically own their own internal nav)
// External portal links — same on every page
// Portal links rendered on every page. Also exposed as PGZSidebar.NAV_EXTERNAL
// (see the public API below), so any page script on the origin can read or
// mutate this array — the renderer should not assume these stay the static defaults.
const NAV_EXTERNAL = [
  { id: 'login',  href: '/sport/login',               ic: '\u{1F511}', label: 'Prijava' },
  { id: 'app',    href: '/sport/app',                 ic: '\u{1F4F1}', label: 'Aplikacija' },
  { id: 'admin',  href: '/sport/admin',               ic: '\u{1F6E1}', label: 'Administracija' },
  { id: 'crm',    href: '/sport/crm',                 ic: '\u{1F465}', label: 'CRM' },
  { id: 'erp',    href: '/sport/erp',                 ic: '\u{1F4B0}', label: 'ERP' },
  { id: 'kpi',    href: '/sport/kpi',                 ic: '\u{1F4C8}', label: 'KPI' },
  { id: 'audit',  href: '/sport/audit',               ic: '\u{1F4CB}', label: 'Audit' },
  { id: 'sport2', href: '/sport/static/sport2.html',  ic: '\u{1F310}', label: 'Public portal' }
];
// localStorage key holding the collapsed flag ('1' = collapsed); shared by all pages.
const STATE_KEY = 'sidebarCollapsed';
// querySelector shorthand; a falsy `root` falls back to the whole document.
const $ = (sel, root) => {
  const scope = root || document;
  return scope.querySelector(sel);
};
/**
 * Read the stored JWT used for API calls.
 * Checks localStorage 'jwt' first, then 'access_token'; returns '' when neither is
 * set or when localStorage itself is unavailable (private mode, sandboxed frame).
 * Note that a token kept in localStorage is readable by any script that runs on
 * this origin, which is why the sidebar escapes everything it renders.
 */
function readToken(){
  let token = '';
  try {
    token = localStorage.getItem('jwt') || localStorage.getItem('access_token') || '';
  } catch (e) {
    token = '';
  }
  return token;
}
/**
 * Client-side sign-out: confirm with the user, drop the stored tokens and role,
 * then navigate to the login page.
 * Only browser storage is cleared here — this function sends no request, so any
 * server-side session or revocation state is not touched by it.
 */
function logout(){
  const confirmed = confirm('Odjava iz aplikacije?');
  if (!confirmed) return;
  try {
    for (const key of ['jwt', 'access_token', 'app-role']) {
      localStorage.removeItem(key);
    }
  } catch (e) {
    // storage unavailable — nothing to clear, still redirect
  }
  location.href = '/sport/login';
}
/**
 * Derive up to two uppercase initials from a display name ("Ana Marić" → "AM").
 * Returns '?' for a missing/empty name; a single word yields one letter.
 * Uses the first UTF-16 code unit of each word, so a name starting with an
 * astral-plane character would yield a lone surrogate (existing behaviour).
 */
function initials(n){
  if (!n) return '?';
  const words = String(n).trim().split(/\s+/);
  const firstLetter = (word) => ((word || '')[0] || '').toUpperCase();
  return firstLetter(words[0]) + firstLetter(words[1]);
}
/**
 * HTML-escape a value for safe insertion into markup (text or quoted attributes).
 * null/undefined become ''; any other value is String()-ified first.
 * Escapes & < > " and ' — this is what keeps server-supplied names and URLs from
 * breaking out of the sidebar's template strings.
 */
function esc(s){
  if (s == null) return '';
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => table[ch]);
}
// Try to read /api/auth/me for footer display (best effort)
/**
 * Best-effort fetch of the current user record from /sport/api/auth/me for the
 * footer. Resolves with the parsed JSON on a 2xx response, otherwise with null
 * (no stored token, non-OK status, network or parse failure). Never rejects.
 */
async function tryLoadMe(){
  const token = readToken();
  if (!token) return null;
  let profile = null;
  try {
    const headers = { 'Authorization': 'Bearer ' + token };
    const resp = await fetch('/sport/api/auth/me', { headers });
    if (resp.ok) {
      profile = await resp.json();
    }
  } catch (e) {
    profile = null;
  }
  return profile;
}
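/**
 * Build the <aside id="pgz-sb"> element: header (logo, collapse toggle, mobile
 * close), nav (optional page-supplied "Sekcije" block, then portal links) and
 * the footer (avatar, name, role, logout). The element is returned, not inserted.
 *
 * @param {string} activeKey      key of the portal link to mark as active
 * @param {string} internalNavHTML trusted, page-authored HTML for the "Sekcije"
 *   block; it is inserted verbatim, so callers must not build it from user data
 * @returns {HTMLElement}
 *
 * Click handlers are attached with addEventListener instead of inline onclick=""
 * attributes, so the sidebar also works under a Content-Security-Policy that
 * disallows inline script; they still dispatch through the public PGZSidebar API.
 */
function renderShell(activeKey, internalNavHTML){
  const sb = document.createElement('aside');
  sb.id = 'pgz-sb';
  sb.innerHTML = `
<div class="pgz-sb-h">
<div class="pgz-logo">PGŽ <span class="g">SPORT</span></div>
<div class="pgz-sub">Operativna platforma</div>
<div class="pgz-sb-toggle" title="Skupi/raširi (≡)">≡</div>
<div class="pgz-sb-mx" title="Zatvori">✕</div>
</div>
${internalNavHTML ? `<div class="pgz-sb-sep">Sekcije</div>` : ''}
<nav class="pgz-sb-nav" id="pgz-sb-nav">
${internalNavHTML || ''}
<div class="pgz-sb-sep" id="pgz-portal-sep">Portali</div>
<div id="pgz-portal-mount">${renderExternal(activeKey)}</div>
</nav>
<div class="pgz-sb-foot" id="pgz-sb-foot">
<div class="av" id="pgz-sb-av">PG</div>
<div class="ui">
<div class="un" id="pgz-sb-un">Gost</div>
<div class="ur" id="pgz-sb-ur">Demo</div>
</div>
<div class="lo" title="Odjava">⎋</div>
</div>
`;
  // Wire the controls after the markup exists; missing elements are skipped.
  const onClick = (sel, handler) => {
    const el = sb.querySelector(sel);
    if (el) el.addEventListener('click', handler);
  };
  onClick('.pgz-sb-toggle', () => PGZSidebar.toggle());
  onClick('.pgz-sb-mx', () => PGZSidebar.closeMobile());
  onClick('.pgz-sb-foot .lo', () => PGZSidebar.logout());
  return sb;
}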
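/**
 * Render the portal link list as an HTML string, adding class "active" to the
 * entry whose id equals activeKey.
 * Every interpolated field (id, href, icon, label) goes through esc(): the
 * NAV_EXTERNAL array is exposed on window.PGZSidebar and may be altered by page
 * code, so the renderer does not assume the entries are the static defaults.
 * @param {string} activeKey
 * @returns {string} HTML fragment (one <a> per entry)
 */
function renderExternal(activeKey){
  const linkHTML = (n) => {
    const cls = n.id === activeKey ? 'active' : '';
    return `
<a class="pgz-nav-i pgz-nav-ext ${cls}"
href="${esc(n.href)}" data-id="${esc(n.id)}" data-label="${esc(n.label)}">
<span class="ic">${esc(n.ic)}</span>
<span class="lbl">${esc(n.label)}</span>
</a>`;
  };
  return NAV_EXTERNAL.map(linkHTML).join('');
}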
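/**
 * Append the mobile hamburger button (#pgz-sb-burger) to <body> once; repeat
 * calls are no-ops. Clicking it opens the sidebar via PGZSidebar.openMobile().
 */
function renderBurger(){
  if (document.getElementById('pgz-sb-burger')) return;
  const burger = document.createElement('div');
  burger.id = 'pgz-sb-burger';
  burger.className = 'pgz-sb-burger';
  // The label is plain text — textContent skips the HTML parser entirely.
  burger.textContent = '≡';
  burger.onclick = () => PGZSidebar.openMobile();
  document.body.appendChild(burger);
}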
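/**
 * Fill the sidebar footer from a /api/auth/me payload.
 * @param {object|null} me user record, or null/undefined for the anonymous state
 *   (footer then shows "Gost" / "Demo · click Prijava" / "?").
 * Name preference: full_name, then "ime prezime", then email, then "—".
 * Role is taken from user_type. Avatar: avatar_url, else google_picture, else the
 * name's initials. Footer elements that are missing are skipped.
 * The avatar <img> is created with DOM APIs and its src set as a property, so a
 * server-supplied URL is never parsed as markup.
 */
function setUserDisplay(me){
  const setText = (sel, text) => {
    const el = $(sel);
    if (el) el.textContent = text;
  };
  if (!me) {
    setText('#pgz-sb-un', 'Gost');
    setText('#pgz-sb-ur', 'Demo · click Prijava');
    setText('#pgz-sb-av', '?');
    return;
  }
  const fromParts = ((me.ime || '') + ' ' + (me.prezime || '')).trim();
  const name = me.full_name || fromParts || me.email || '—';
  const role = me.user_type || '';
  const avatarUrl = me.avatar_url || me.google_picture;
  setText('#pgz-sb-un', name);
  setText('#pgz-sb-ur', role);
  const avEl = $('#pgz-sb-av');
  if (!avEl) return;
  if (avatarUrl) {
    const img = document.createElement('img');
    img.src = avatarUrl;
    img.alt = '';
    avEl.textContent = ''; // drop the previous initials/placeholder before inserting
    avEl.appendChild(img);
  } else {
    avEl.textContent = initials(name);
  }
}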
/**
 * Apply the persisted collapsed state (localStorage STATE_KEY === '1') to
 * #pgz-sb (class pgz-collapsed) and <body> (class pgz-sb-col).
 * Unreadable storage counts as expanded; no-op when the sidebar is not mounted.
 */
function applyCollapsedFromStorage(){
  const sb = document.getElementById('pgz-sb');
  if (!sb) return;
  let collapsed;
  try {
    collapsed = localStorage.getItem(STATE_KEY) === '1';
  } catch (e) {
    collapsed = false;
  }
  sb.classList.toggle('pgz-collapsed', collapsed);
  document.body.classList.toggle('pgz-sb-col', collapsed);
}
// ────────── Public API ──────────
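// Capture-phase document click handler registered while the mobile sidebar is
// open, plus the pending timer that installs it. Tracked so closeMobile() and a
// repeated openMobile() detach the previous handler instead of stacking copies.
let mobileCloser = null;
let mobileOpenTimer = 0;
function detachMobileCloser(){
  clearTimeout(mobileOpenTimer);
  mobileOpenTimer = 0;
  if (mobileCloser) {
    document.removeEventListener('click', mobileCloser, true);
    mobileCloser = null;
  }
}
const PGZSidebar = {
  NAV_EXTERNAL,
  /**
   * Render the sidebar shell at the start of <body>.
   * @param {object}  [opts]
   * @param {string}  [opts.activeKey]       portal key to highlight; falls back to
   *   the script tag's data-active (only available while the script runs synchronously)
   * @param {string}  [opts.internalNavHTML] trusted, page-authored HTML for "Sekcije"
   * @param {boolean} [opts.skipShell]       keep the page's own sidebar and only fill
   *   #pgz-portal-mount with portal links; falls back to data-skip="1" on the script tag
   * Any previous #pgz-sb is replaced. Footer user info is loaded asynchronously
   * and best-effort (tryLoadMe never rejects).
   */
  mount(opts){
    const options = opts || {};
    const script = document.currentScript;
    const ds = (script && script.dataset) || {};
    const activeKey = options.activeKey || ds.active || '';
    const internalNavHTML = options.internalNavHTML || '';
    // data-skip="1" is the documented way (file header) to keep a page's own sidebar.
    const skipShell = options.skipShell !== undefined ? options.skipShell : ds.skip === '1';
    if (skipShell) {
      const mountEl = document.getElementById('pgz-portal-mount');
      if (mountEl) mountEl.innerHTML = renderExternal(activeKey);
      return;
    }
    const existing = document.getElementById('pgz-sb');
    if (existing) existing.remove();
    const sb = renderShell(activeKey, internalNavHTML);
    document.body.insertBefore(sb, document.body.firstChild);
    document.body.classList.add('pgz-has-sb');
    renderBurger();
    applyCollapsedFromStorage();
    tryLoadMe().then(setUserDisplay);
  },
  /**
   * Append the "Portali" separator and portal links to a page's own nav element
   * (call from the page's buildNav). No-op when navEl is missing.
   * @param {Element} navEl
   * @param {string}  [activeKey]
   */
  appendPortalLinksTo(navEl, activeKey){
    if (!navEl) return;
    const key = activeKey || '';
    navEl.insertAdjacentHTML('beforeend',
      '<div class="pgz-sb-sep" style="padding:14px 14px 4px 14px;font-size:9.5px;color:var(--t4,#4e5a7a);text-transform:uppercase;letter-spacing:1.2px;font-weight:700">Portali</div>'
    );
    navEl.insertAdjacentHTML('beforeend', renderExternal(key));
  },
  /** Flip collapsed state on #pgz-sb and <body>, persisting it under STATE_KEY. */
  toggle(){
    const sb = document.getElementById('pgz-sb');
    if (!sb) return;
    const collapsed = sb.classList.toggle('pgz-collapsed');
    document.body.classList.toggle('pgz-sb-col', collapsed);
    try {
      localStorage.setItem(STATE_KEY, collapsed ? '1' : '0');
    } catch (e) {
      // storage unavailable — state is still applied for this page view
    }
  },
  /**
   * Open the sidebar as a mobile overlay and arm a document-level click handler
   * that closes it on any click outside the sidebar or the burger button.
   * The handler is installed after a short delay so the opening click itself does
   * not immediately close the overlay; only one handler is ever live.
   */
  openMobile(){
    const sb = document.getElementById('pgz-sb');
    if (!sb) return;
    sb.classList.add('pgz-mobile-open');
    document.body.classList.add('pgz-mobile-sb-open');
    detachMobileCloser();
    const closer = (ev) => {
      if (!sb.contains(ev.target) && ev.target.id !== 'pgz-sb-burger') {
        PGZSidebar.closeMobile(); // closeMobile detaches this handler
      }
    };
    mobileOpenTimer = setTimeout(() => {
      mobileOpenTimer = 0;
      mobileCloser = closer;
      document.addEventListener('click', closer, true);
    }, 50);
  },
  /** Close the mobile overlay and drop the outside-click handler, if any. */
  closeMobile(){
    detachMobileCloser();
    const sb = document.getElementById('pgz-sb');
    if (!sb) return;
    sb.classList.remove('pgz-mobile-open');
    document.body.classList.remove('pgz-mobile-sb-open');
  },
  logout
};
window.PGZSidebar = PGZSidebar;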
// Auto-mount unless data-inline=1
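/**
 * Entry point: mount automatically unless the <script> tag carries data-inline="1".
 * The script element and its data-* values are read here, synchronously, because
 * document.currentScript is null once execution is deferred to DOMContentLoaded —
 * reading them inside mount() on that path lost data-active. data-active and
 * data-skip are therefore forwarded to mount() explicitly.
 */
function autoMount(){
  const script = document.currentScript
    || Array.from(document.scripts).find((s) => /sidebar\.js/.test(s.src || ''));
  const ds = (script && script.dataset) || {};
  if (ds.inline === '1') return; // page will call PGZSidebar.mount() itself
  const opts = { activeKey: ds.active || '' };
  if (ds.skip === '1') opts.skipShell = true;
  const run = () => PGZSidebar.mount(opts);
  if (document.readyState === 'loading') {
    document.addEventListener('DOMContentLoaded', run);
  } else {
    run();
  }
}
autoMount();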
})();