nondeterministic
diff --git a/‎NEWS
+11 b/‎NEWS
+11
diff --git a/‎backend/app/org/multics/baueran/frep/backend/controllers/Get.scala
+101-47 b/‎backend/app/org/multics/baueran/frep/backend/controllers/Get.scala
+101-47
diff --git a/‎backend/app/org/multics/baueran/frep/backend/controllers/package.scala
+1 b/‎backend/app/org/multics/baueran/frep/backend/controllers/package.scala
+1
diff --git a/‎backend/conf/application.conf
+39 b/‎backend/conf/application.conf
+39
diff --git a/‎build.sbt
+2-2 b/‎build.sbt
+2-2
diff --git a/‎docker/.env
+1-1 b/‎docker/.env
+1-1
diff --git a/‎project/plugins.sbt
+2-2 b/‎project/plugins.sbt
+2-2
diff --git a/‎shared/src/main/scala/org/multics/baueran/frep/shared/Defs/package.scala
+5 b/‎shared/src/main/scala/org/multics/baueran/frep/shared/Defs/package.scala
+5
@@ -12,6 +12,17 @@
      ██║ ╚████║███████╗╚███╔███╔╝███████║
      ╚═╝  ╚═══╝╚══════╝ ╚══╝╚══╝ ╚══════╝
 
+v0.16.1 (development)    Sun Mar 24 10:36:47 AM CET 2024
+--------------------------------------------------------
+- Minor features:
+  - Protect the two main lookup pages with a cookie check against
+    leeching attacks
+  - Update to Play 2.9.2, ScalaJS 1.16.0 and Scala 2.13.13
+
+- Bug fixes:
+  - Sorting in file modal dialogue broke with the removal of RX
+    libraries and is fixed now
+
 v0.16.0 (development)       Sa 13. Jan 14:28:21 CET 2024
 --------------------------------------------------------
 - Main features:
 
@@ -60,6 +60,7 @@ class Get @Inject()(cc: ControllerComponents, dbContext: DBContext) extends Abst
             Cookie(CookieFields.id.toString, member.member_id.toString, secure = true, httpOnly = false),
             Cookie(CookieFields.cookiePopupAccepted.toString, "1", secure = true, httpOnly = false)
           )
+          .withSession("id" -> member.member_id.toString)
     }
   }
 
@@ -78,7 +79,14 @@ class Get @Inject()(cc: ControllerComponents, dbContext: DBContext) extends Abst
 
   def show(repertory: String, symptom: String, page: Int, remedyString: String, minWeight: Int) = Action { implicit request: Request[AnyContent] =>
     try {
-      Ok(views.html.index_lookup(request, repertory, URLEncoder.encode(symptom, StandardCharsets.UTF_8.toString()), page - 1, remedyString, minWeight, s"OOREP - ${symptom} (${repertory})"))
+      getAuthenticatedUser(request) match {
+        case None =>
+          Ok(views.html.index_lookup(request, repertory, URLEncoder.encode(symptom, StandardCharsets.UTF_8.toString()), page - 1, remedyString, minWeight, s"OOREP - ${symptom} (${repertory})"))
+            .withSession("id" -> "-1")
+        case Some(member) =>
+          Ok(views.html.index_lookup(request, repertory, URLEncoder.encode(symptom, StandardCharsets.UTF_8.toString()), page - 1, remedyString, minWeight, s"OOREP - ${symptom} (${repertory})"))
+            .withSession("id" -> member.member_id.toString)
+      }
     } catch {
       case e: Exception =>
         Logger.debug(s"GET: show() failed; most likely URLEncoder.encode(): ${e.toString}")
@@ -88,7 +96,14 @@ class Get @Inject()(cc: ControllerComponents, dbContext: DBContext) extends Abst
 
   def showMM(materiaMedica: String, symptom: String, page: Int, hideSections: Boolean, remedyString: String) = Action { implicit request: Request[AnyContent] =>
     try {
-      Ok(views.html.index_lookup_mm(request, materiaMedica, URLEncoder.encode(symptom, StandardCharsets.UTF_8.toString()), page - 1, hideSections, remedyString, s"OOREP - ${symptom} (${materiaMedica})"))
+      getAuthenticatedUser(request) match {
+        case None =>
+          Ok(views.html.index_lookup_mm(request, materiaMedica, URLEncoder.encode(symptom, StandardCharsets.UTF_8.toString()), page - 1, hideSections, remedyString, s"OOREP - ${symptom} (${materiaMedica})"))
+            .withSession("id" -> "-1")
+        case Some(member) =>
+          Ok(views.html.index_lookup_mm(request, materiaMedica, URLEncoder.encode(symptom, StandardCharsets.UTF_8.toString()), page - 1, hideSections, remedyString, s"OOREP - ${symptom} (${materiaMedica})"))
+            .withSession("id" -> member.member_id.toString)
+      }
     } catch {
       case e: Exception =>
         Logger.debug(s"GET: showMM() failed; most likely URLEncoder.encode(): ${e.toString}")
@@ -160,15 +175,36 @@ class Get @Inject()(cc: ControllerComponents, dbContext: DBContext) extends Abst
   }
 
   def apiAvailableRemedies() = Action { request: Request[AnyContent] =>
-    Ok(repertoryDao.getRemedies().asJson.toString())
+    getAuthenticatedUser(request) match {
+      case Some(member) =>
+        Ok(repertoryDao.getRemedies().asJson.toString())
+          .withSession("id" -> member.member_id.toString)
+      case None =>
+        Ok(repertoryDao.getRemedies().asJson.toString())
+          .withSession("id" -> "-1")
+    }
   }
 
   def apiAvailableRepertoriesAndRemedies() = Action { request: Request[AnyContent] =>
-    Ok((repertoryDao.getRepsAndRemedies(getAuthenticatedUser(request)).asJson.toString))
+    getAuthenticatedUser(request) match {
+      case Some(member) =>
+        Ok((repertoryDao.getRepsAndRemedies(getAuthenticatedUser(request)).asJson.toString))
+          .withSession("id" -> member.member_id.toString)
+      case None =>
+        Ok((repertoryDao.getRepsAndRemedies(getAuthenticatedUser(request)).asJson.toString))
+          .withSession("id" -> "-1")
+    }
   }
 
   def apiAvailableMateriaMedicasAndRemedies() = Action { request: Request[AnyContent] =>
-    Ok(mmDao.getMMsAndRemedies(getAuthenticatedUser(request)).asJson.toString())
+    getAuthenticatedUser(request) match {
+      case Some(member) =>
+        Ok(mmDao.getMMsAndRemedies(getAuthenticatedUser(request)).asJson.toString())
+          .withSession("id" -> member.member_id.toString)
+      case None =>
+        Ok(mmDao.getMMsAndRemedies(getAuthenticatedUser(request)).asJson.toString())
+          .withSession("id" -> "-1")
+    }
   }
 
   /**
@@ -282,57 +318,75 @@ class Get @Inject()(cc: ControllerComponents, dbContext: DBContext) extends Abst
     }
   }
 
-  def apiLookupRep(repertoryAbbrev: String, symptom: String, page: Int, remedyString: String, minWeight: Int, getRemedies: Int) = Action { request: Request[AnyContent] =>
-    // We don't allow '*' in the middle of a search term.  '*' can only be at beginning or end of a word, whether exact search term or not.
-    if (symptom.trim.matches(".*\\w+\\*\\w+.*") || symptom.trim.contains(" * ")) {
-      NoContent
-    } else {
-      val searchTerms = new SearchTerms(symptom.trim)
-      val cleanedUpAbbrev = repertoryAbbrev.replaceAll("[^0-9A-Za-z\\-]", "")
-
-      // Check if user is allowed to access the resource at all (might be Private or Protected and user not logged in)
-      if (repertoryDao.getRepsAndRemedies(getAuthenticatedUser(request)).find(_.info.abbrev == cleanedUpAbbrev) == None) {
-        Logger.info(s"Get: apiLookupRep(abbrev: ${repertoryAbbrev}, symptom: ${symptom}, page: ${page}, remedy: ${remedyString}, weight: ${minWeight}): user not allowed to access ressource.")
-        NoContent
-      }
-      else {
-        // Do actual look-up and return results in case of success.
-        repertoryDao.queryRepertory(cleanedUpAbbrev, searchTerms, page, remedyString.trim, minWeight, getRemedies != 0) match {
-          case Some((ResultsCaseRubrics(totalNumberOfRepertoryRubrics, totalNumberOfResults, totalNumberOfPages, page, results), remedyStats)) if (totalNumberOfPages > 0) =>
-            Ok((ResultsCaseRubrics(totalNumberOfRepertoryRubrics, totalNumberOfResults, totalNumberOfPages, page, results), remedyStats).asJson.toString())
-          case _ =>
-            Logger.info(s"Get: apiLookupRep(abbrev: ${repertoryAbbrev}, symptom: ${symptom}, page: ${page}, remedy: ${remedyString}, weight: ${minWeight}): no results found")
+  private def isCrossSiteRequest(request: Request[AnyContent]): Boolean = {
+    request.session.get("id") == None && getAuthenticatedUser(request) == None
+  }
+
+  def apiLookupRep(repertoryAbbrev: String, symptom: String, page: Int, remedyString: String, minWeight: Int, getRemedies: Int): Action[AnyContent] =
+    Action { request: Request[AnyContent] =>
+      if (isCrossSiteRequest(request)) {
+        val errStr = (s"ERROR: request to ${request.uri} not authorized. Make sure your browser allows cookies. (IP: ${request.remoteAddress})")
+        Logger.error(errStr)
+        Unauthorized(errStr)
+      } else {
+        // We don't allow '*' in the middle of a search term.  '*' can only be at beginning or end of a word, whether exact search term or not.
+        if (symptom.trim.matches(".*\\w+\\*\\w+.*") || symptom.trim.contains(" * ")) {
+          NoContent
+        } else {
+          val searchTerms = new SearchTerms(symptom.trim)
+          val cleanedUpAbbrev = repertoryAbbrev.replaceAll("[^0-9A-Za-z\\-]", "")
+
+          // Check if user is allowed to access the resource at all (might be Private or Protected and user not logged in)
+          if (repertoryDao.getRepsAndRemedies(getAuthenticatedUser(request)).find(_.info.abbrev == cleanedUpAbbrev) == None) {
+            Logger.warn(s"Get: apiLookupRep(abbrev: ${repertoryAbbrev}, symptom: ${symptom}, page: ${page}, remedy: ${remedyString}, weight: ${minWeight}): user not allowed to access ressource.")
             NoContent
+          }
+          else {
+            // Do actual look-up and return results in case of success.
+            repertoryDao.queryRepertory(cleanedUpAbbrev, searchTerms, page, remedyString.trim, minWeight, getRemedies != 0) match {
+              case Some((ResultsCaseRubrics(totalNumberOfRepertoryRubrics, totalNumberOfResults, totalNumberOfPages, page, results), remedyStats)) if (totalNumberOfPages > 0) =>
+                Ok((ResultsCaseRubrics(totalNumberOfRepertoryRubrics, totalNumberOfResults, totalNumberOfPages, page, results), remedyStats).asJson.toString())
+              case _ =>
+                Logger.info(s"Get: apiLookupRep(abbrev: ${repertoryAbbrev}, symptom: ${symptom}, page: ${page}, remedy: ${remedyString}, weight: ${minWeight}): no results found")
+                NoContent
+            }
+          }
         }
       }
     }
-  }
 
-  def apiLookupMM(mmAbbrev: String, symptom: String, page: Int, remedyString: String) = Action { request: Request[AnyContent] =>
-    // We don't allow '*' in the middle of a search term.  '*' can only be at beginning or end of a word, whether exact search term or not.
-    if (symptom.trim.matches(".*\\w+\\*\\w+.*") || symptom.trim.contains(" * ")) {
-      NoContent
-    } else {
-      val searchTerms = new SearchTerms(symptom.trim)
-      val cleanedUpAbbrev = mmAbbrev.replaceAll("[^0-9A-Za-z\\-]", "")
-
-      // Check if user is allowed to access the resource at all (might be Private or Protected and user not logged in)
-      if (mmDao.getMMsAndRemedies(getAuthenticatedUser(request)).find(_.mminfo.abbrev == cleanedUpAbbrev) == None) {
-        Logger.info(s"Get: apiLookupMM(abbrev: ${mmAbbrev}, symptom: ${symptom}, page: ${page}, remedy: ${remedyString}): user not allowed to access ressource.")
-        NoContent
-      }
-      else {
-        // Do actual look-up and return results in case of success.
-        mmDao.getSectionHits(cleanedUpAbbrev, searchTerms, page, Some(remedyString)) match {
-          case Some(sectionHits) if (sectionHits.results.length > 0 || sectionHits.numberOfMatchingSectionsPerChapter.length > 0) =>
-            Ok(sectionHits.asJson.toString())
-          case _ =>
-            Logger.info(s"Get: apiLookupMM(abbrev: ${mmAbbrev}, symptom: ${symptom}, page: ${page}, remedy: ${remedyString}): no results found")
+  def apiLookupMM(mmAbbrev: String, symptom: String, page: Int, remedyString: String): Action[AnyContent] =
+    Action { request: Request[AnyContent] =>
+      if (isCrossSiteRequest(request)) {
+        val errStr = (s"ERROR: request to ${request.uri} not authorized. Make sure your browser allows cookies. (IP: ${request.remoteAddress})")
+        Logger.error(errStr)
+        Unauthorized(errStr)
+      } else {
+        // We don't allow '*' in the middle of a search term.  '*' can only be at beginning or end of a word, whether exact search term or not.
+        if (symptom.trim.matches(".*\\w+\\*\\w+.*") || symptom.trim.contains(" * ")) {
+          NoContent
+        } else {
+          val searchTerms = new SearchTerms(symptom.trim)
+          val cleanedUpAbbrev = mmAbbrev.replaceAll("[^0-9A-Za-z\\-]", "")
+
+          // Check if user is allowed to access the resource at all (might be Private or Protected and user not logged in)
+          if (mmDao.getMMsAndRemedies(getAuthenticatedUser(request)).find(_.mminfo.abbrev == cleanedUpAbbrev) == None) {
+            Logger.info(s"Get: apiLookupMM(abbrev: ${mmAbbrev}, symptom: ${symptom}, page: ${page}, remedy: ${remedyString}): user not allowed to access ressource.")
             NoContent
+          }
+          else {
+            // Do actual look-up and return results in case of success.
+            mmDao.getSectionHits(cleanedUpAbbrev, searchTerms, page, Some(remedyString)) match {
+              case Some(sectionHits) if (sectionHits.results.length > 0 || sectionHits.numberOfMatchingSectionsPerChapter.length > 0) =>
+                Ok(sectionHits.asJson.toString())
+              case _ =>
+                Logger.info(s"Get: apiLookupMM(abbrev: ${mmAbbrev}, symptom: ${symptom}, page: ${page}, remedy: ${remedyString}): no results found")
+                NoContent
+            }
+          }
         }
       }
     }
-  }
 
 }
 
 
@@ -2,6 +2,7 @@ package org.multics.baueran.frep.backend
 
 import play.api.mvc._
 import org.multics.baueran.frep.backend.dao.{CazeDao, EmailHistoryDao, FileDao, MMDao, MemberDao, PasswordChangeRequestDao, RepertoryDao}
+import org.multics.baueran.frep.shared.Defs.{CookieFields, HeaderFields}
 import org.multics.baueran.frep.shared.Member
 
 package object controllers {
 
@@ -7,11 +7,50 @@
 # 'null' means to not set this header at all here.
 play.filters.headers.contentSecurityPolicy = null
 
+play.modules.enabled += "play.filters.csrf.CSRFModule"
 play.filters.enabled += "play.filters.csrf.CSRFFilter"
 
 play.filters.csrf.cookie.name = "csrfCookie"
 play.filters.csrf.token.name = "csrfToken"
 play.filters.csrf.cookie.secure = true
+
+# play.filters.csrf {
+#   bypassCorsTrustedOrigins = false
+
+#   method {
+#       # If non empty, then requests will be checked if the method is not in this list.
+#       # whiteList = ["GET", "HEAD", "OPTIONS"]
+#       whitelist = []
+
+#       # The black list is only used if the white list is empty.
+#       # Only check methods in this list.
+#       blackList = [ "GET", "PUT", "POST", "DELETE" ]
+#   }
+
+#   header {
+#       # The name of the header to accept CSRF tokens from.
+#       # name = "Csrf-Token"
+#       name = "csrfCookie"
+
+#       # Defines headers that must be present to perform the CSRF check. If any of these headers are present, the CSRF
+#       # check will be performed.
+#       #
+#       # By default, we only perform the CSRF check if there are Cookies or an Authorization header.
+#       # Generally, CSRF attacks use a user's browser to execute requests on the client's behalf. If the user does not
+#       # have an active session, there is no danger of this happening.
+#       #
+#       # Setting this to null or an empty object will protect all requests.
+#       protectHeaders {
+#         Cookie = "*"
+#         Authorization = "*"
+#       }
+
+#       # Defines headers that can be used to bypass the CSRF check if any are present. A value of "*" simply
+#       # checks for the presence of the header. A string value checks for a match on that string.
+#       bypassHeaders {}
+#   }
+# }
+
 play.http.session.secure = true
 play.http.session.httpOnly = false
 play.http.session.sameSite = "strict"
 
@@ -1,6 +1,6 @@
 import sbt.Keys.libraryDependencies
 
-val myScalaVersion     = "2.13.12"
+val myScalaVersion     = "2.13.13"
 val scalaTestPlusVersion = "5.1.0"
 val scalaJsDomVersion  = "2.3.0"
 val scalaTagsVersion   = "0.12.0"
@@ -98,7 +98,7 @@ lazy val commonSettings = Seq(
   scalaVersion := myScalaVersion,
   organization := "org.multics.baueran.frep",
   maintainer := "[email protected]",
-  version := "0.16.0"
+  version := "0.16.1"
 )
 
 // loads the frontend project at sbt startup
 
@@ -1 +1 @@
-VERSION=0.16.0
+VERSION=0.16.1
@@ -7,13 +7,13 @@ resolvers += "Typesafe repository" at "https://repo.typesafe.com/typesafe/releas
 
 // Sbt plugins
 addSbtPlugin("com.vmunier"               % "sbt-web-scalajs"               % "1.3.0")
-addSbtPlugin("org.scala-js"              % "sbt-scalajs"                   % "1.15.0")
+addSbtPlugin("org.scala-js"              % "sbt-scalajs"                   % "1.16.0")
 addSbtPlugin("org.scala-js"              % "sbt-jsdependencies"            % "1.0.2")
 
 addSbtPlugin("org.portable-scala"        % "sbt-scalajs-crossproject"      % "1.3.1")
 addSbtPlugin("org.portable-scala"        % "sbt-scala-native-crossproject" % "1.3.1")
 addSbtPlugin("org.scala-native"          % "sbt-scala-native"              % "0.4.14")
 
-addSbtPlugin("com.typesafe.play"         % "sbt-plugin"                    % "2.9.0")
+addSbtPlugin("com.typesafe.play"         % "sbt-plugin"                    % "2.9.2")
 addSbtPlugin("com.typesafe.sbt"          % "sbt-gzip"                      % "1.0.2")
 addSbtPlugin("com.typesafe.sbt"          % "sbt-digest"                    % "1.1.4")
@@ -23,4 +23,9 @@ package object Defs {
     val id, csrfCookie, cookiePopupAccepted, theme = Value
   }
 
+  object HeaderFields extends Enumeration {
+    type HeaderFields = Value
+    val csrfToken = "Csrf-Token"
+  }
+
 }
Original file line number	Diff line number	Diff line change
`@@ -23,4 +23,9 @@ package object Defs {`
`23`	`23`	`val id, csrfCookie, cookiePopupAccepted, theme = Value`
`24`	`24`	`}`
`25`	`25`
	`26`	`+ object HeaderFields extends Enumeration {`
	`27`	`+ type HeaderFields = Value`
	`28`	`+ val csrfToken = "Csrf-Token"`
	`29`	`+ }`
	`30`	`+`
`26`	`31`	`}`