import colorsys import json import logging import os import re import time import urllib.request from collections import defaultdict from threading import Lock from odoo import http from odoo.http import request _logger = logging.getLogger(__name__) # Rate limiting per widget key _widget_rate_cache = defaultdict(list) _widget_rate_lock = Lock() _WIDGET_RATE_LIMIT = 60 _WIDGET_RATE_WINDOW = 60 # Impression dedup: (config_id, ip) -> last timestamp _impression_cache = {} _impression_lock = Lock() _IMPRESSION_DEDUP_SECONDS = 300 # Google Fonts mapping: selection key → CSS font-family + import URL _FONT_MAP = { "open-sans": ("'Open Sans', sans-serif", "Open+Sans:wght@400;600;700"), "roboto": ("'Roboto', sans-serif", "Roboto:wght@400;500;700"), "lato": ("'Lato', sans-serif", "Lato:wght@400;700"), "montserrat": ("'Montserrat', sans-serif", "Montserrat:wght@400;600;700"), "raleway": ("'Raleway', sans-serif", "Raleway:wght@400;600;700"), "ubuntu": ("'Ubuntu', sans-serif", "Ubuntu:wght@400;500;700"), "merriweather": ("'Merriweather', serif", "Merriweather:wght@400;700"), "playfair": ("'Playfair Display', serif", "Playfair+Display:wght@400;700"), "pt-sans": ("'PT Sans', sans-serif", "PT+Sans:wght@400;700"), "noto-sans": ("'Noto Sans', sans-serif", "Noto+Sans:wght@400;600;700"), "source-sans": ("'Source Sans Pro', sans-serif", "Source+Sans+Pro:wght@400;600;700"), } def _check_widget_rate_limit(widget_key): """Rate limit per widget key. Returns True if allowed.""" now = time.time() with _widget_rate_lock: _widget_rate_cache[widget_key] = [ t for t in _widget_rate_cache[widget_key] if now - t < _WIDGET_RATE_WINDOW ] if len(_widget_rate_cache[widget_key]) >= _WIDGET_RATE_LIMIT: return False _widget_rate_cache[widget_key].append(now) return True def _should_record_impression(config_id, visitor_ip): """Debounce impressions: 1 per config+IP per 5 minutes.""" now = time.time() cache_key = (config_id, visitor_ip) with _impression_lock: last = _impression_cache.get(cache_key, 0) if now - last < _IMPRESSION_DEDUP_SECONDS: return False _impression_cache[cache_key] = now if len(_impression_cache) > 5000: cutoff = now - _IMPRESSION_DEDUP_SECONDS stale = [k for k, v in _impression_cache.items() if v < cutoff] for k in stale: del _impression_cache[k] return True # ========================================================================= # Color palette utilities (pure Python, no external deps) # ========================================================================= def _hex_to_hsl(hex_color): """Convert #RRGGBB to (h, s, l) where h in [0,360], s/l in [0,1].""" hex_color = hex_color.lstrip("#") if len(hex_color) != 6: hex_color = "c0392b" # fallback r, g, b = (int(hex_color[i:i + 2], 16) / 255.0 for i in (0, 2, 4)) h, l, s = colorsys.rgb_to_hls(r, g, b) return h * 360, s, l def _hsl_to_hex(h, s, l): """Convert (h [0-360], s [0-1], l [0-1]) to #RRGGBB.""" s = max(0, min(1, s)) l = max(0, min(1, l)) r, g, b = colorsys.hls_to_rgb(h / 360.0, l, s) return f"#{int(r * 255):02x}{int(g * 255):02x}{int(b * 255):02x}" def generate_palette(hex_color): """Generate 9 semantic color shades from a base hex color.""" h, s, l = _hex_to_hsl(hex_color) return { "bg": _hsl_to_hex(h, s * 0.08, 0.97), "panel_header": _hsl_to_hex(h, s * 0.25, 0.90), "border": _hsl_to_hex(h, s * 0.15, 0.82), "link": _hsl_to_hex(h, s * 0.75, 0.42), "navbar": _hsl_to_hex(h, s * 0.85, 0.28), "button": hex_color, "heading": _hsl_to_hex(h, s * 0.65, 0.22), "text": _hsl_to_hex(h, s * 0.40, 0.18), "text_secondary": _hsl_to_hex(h, s * 0.25, 0.45), } def _sanitize_hex(value): """Validate and return a hex color, or None if invalid.""" if not value: return None value = value.strip() if re.match(r"^#[0-9a-fA-F]{6}$", value): return value return None def _css_escape(value): """Escape a string for safe use in CSS values.""" if not value: return "" # Remove anything that could break out of CSS context return re.sub(r'[;\{\}\<\>\"\'\\]', '', str(value)) _SCOPE = ".kj-widget-scope" def _scope_css(css_text, scope=_SCOPE): """Prefix all CSS selectors with the scope class. Handles: regular selectors, comma-separated selectors, @media, @keyframes, body/html/:root replacement. """ result = [] in_at_rule = 0 # nesting depth of @keyframes / @font-face for line in css_text.split("\n"): stripped = line.strip() # Track @keyframes / @font-face blocks (don't scope their contents) if stripped.startswith("@keyframes") or stripped.startswith("@font-face"): in_at_rule += 1 result.append(line) continue if in_at_rule > 0: if "{" in stripped: in_at_rule += stripped.count("{") - stripped.count("}") elif "}" in stripped: in_at_rule -= stripped.count("}") result.append(line) continue # @import / @media / @supports — pass through, don't scope the at-rule itself if stripped.startswith("@"): result.append(line) continue # Lines with selectors (contain { but aren't just }) if "{" in stripped and not stripped.startswith("}"): # Extract selector part (before {) idx = stripped.index("{") selector_part = stripped[:idx] rest = stripped[idx:] # Split comma-separated selectors selectors = [s.strip() for s in selector_part.split(",")] scoped = [] for sel in selectors: if not sel: continue if sel in ("body", "html"): scoped.append(scope) elif sel.startswith(":root"): scoped.append(scope + sel.replace(":root", "")) elif sel.startswith("from") or sel.startswith("to") or sel[0:1].isdigit(): scoped.append(sel) # @keyframes percentages else: scoped.append(scope + " " + sel) result.append(", ".join(scoped) + " " + rest) else: result.append(line) return "\n".join(result) class AffiliateWidgetAPI(http.Controller): """Public API endpoints for the affiliate embeddable widget.""" @http.route( "/api/widget/kj-widget.js", type="http", auth="public", methods=["GET"], cors="*", csrf=False, ) def serve_widget_js(self, **kwargs): """Serve the embeddable widget JavaScript file.""" js_path = os.path.join( os.path.dirname(os.path.dirname(__file__)), "static", "src", "js", "kj_widget.js", ) try: with open(js_path, "r", encoding="utf-8") as f: js_content = f.read() except FileNotFoundError: return request.make_response("// Widget not found", status=404) base_url = request.env["ir.config_parameter"].sudo().get_param("web.base.url") js_content = js_content.replace("__KJ_BASE_URL__", base_url) return request.make_response( js_content, headers=[ ("Content-Type", "application/javascript; charset=utf-8"), ("Cache-Control", "public, max-age=3600"), ], ) @http.route( "/api/widget/config/", type="http", auth="public", methods=["GET"], cors="*", csrf=False, ) def get_widget_config(self, widget_key, **kwargs): """Return full widget configuration as JSON. Cached 5 min. This allows the JS to fetch config at runtime using only the key, so affiliates never need to re-embed when they change settings. """ config = ( request.env["affiliate.widget.config"] .sudo() .search( [("widget_key", "=", widget_key), ("is_active", "=", True)], limit=1, ) ) if not config: return request.make_json_response( {"error": "Invalid or inactive widget key"}, status=403, ) base_url = ( request.env["ir.config_parameter"] .sudo() .get_param("web.base.url") ) # Build config dict — all settings the JS needs data = { "key": config.widget_key, "mode": config.widget_mode or "overlay", "lang": config.language or "de", "page": config.landing_page or "/job-offers", "base_url": base_url, # Overlay settings "position": config.position or "bottom-right", "color": config.primary_color or "#c0392b", "text_color": config.text_color or "#ffffff", "btn_style": config.button_style or "pill", "overlay_radius": config.overlay_radius or "16", "text": config.button_text or "Karriere-Jura", "button": config.show_button, "logo": config.show_logo, "toolbar_height": config.toolbar_height or "44", "backdrop": config.backdrop_opacity or "60", "border": config.overlay_border, "border_color": config.border_color or "#d0d0d0", "bg_image": config.bg_image_url or "", "bg_opacity": config.bg_image_opacity or "20", "nav": config.nav_layout or "hidden", "nav_bg": config.nav_bg_color or "#1b2a4a", "nav_fc": config.nav_font_color or "#ffffff", "footer": config.show_footer, "footer_text": config.footer_text or "Powered by Karriere-Jura", "footer_bg": config.footer_bg_color or "#f5f5f5", "footer_fc": config.footer_font_color or "#999999", # Inline settings "width": config.inline_width or "100%", "height": config.inline_height or "800px", "auto_resize": config.inline_auto_resize, "border_radius": config.inline_border_radius or "0", "topbar": config.inline_show_topbar, "show_header": config.inline_show_header, "show_logo": config.inline_show_logo, "custom_logo_url": config.inline_custom_logo_url or "", "show_menu": config.inline_show_menu, "menu_layout": config.inline_menu_layout or "horizontal", "show_menu_stellenangebote": config.inline_show_menu_stellenangebote, "show_menu_firmenprofile": config.inline_show_menu_firmenprofile, "show_menu_karriere_tipps": config.inline_show_menu_karriere_tipps, "show_menu_actions": config.inline_show_menu_actions, # Box settings "box_count": config.box_job_count or 5, "box_layout": config.box_layout or "vertical", "box_target": config.box_link_target or "_blank", "box_title": config.box_title or "", "box_header_bg": config.box_header_bg or "#c0392b", "box_header_text": config.box_header_text or "#ffffff", "box_header_fs": config.box_header_font_size or 14, "box_body_bg": config.box_body_bg or "#ffffff", "box_body_fs": config.box_body_font_size or 12, "box_link_color": config.box_link_color or "#0645AD", "box_border": config.box_show_border, "box_border_color": config.box_border_color or "#dddddd", "box_footer_bg": config.box_footer_bg or "#f5f5f5", "box_footer_text": config.box_footer_text or "#999999", "box_width": config.box_width or "300px", "box_height": config.box_height or "auto", } return request.make_response( json.dumps(data), headers=[ ("Content-Type", "application/json; charset=utf-8"), ("Cache-Control", "public, max-age=300"), ], ) # ================================================================= # Page Proxy — fetch KJ page HTML with CSS scoping for inline mode # ================================================================= # CSS scoping cache: {cache_key: (scoped_css_str, timestamp)} _css_scope_cache = {} _CSS_SCOPE_TTL = 300 # 5 minutes @http.route( "/api/widget/page", type="http", auth="public", methods=["GET"], cors="*", csrf=False, ) def serve_page(self, path="/job-offers", ref="", **kw): """Render a KJ page and return JSON with scoped CSS + HTML. The CSS is prefixed with .kj-widget-scope so it won't leak into the affiliate's page styles. """ if not ref: return request.make_json_response( {"error": "Missing ref parameter"}, status=400, ) config = ( request.env["affiliate.widget.config"] .sudo() .search( [("widget_key", "=", ref), ("is_active", "=", True)], limit=1, ) ) if not config: return request.make_json_response( {"error": "Invalid widget key"}, status=403, ) # Allow specific auth pages, block backend admin routes allowed_web = [ "/web/login", "/web/signup", "/web/reset_password", "/web/recruiter/signup", "/web/applicant/signup", "/web/advertiser/signup", "/web/affiliate/signup", ] blocked = ["/web/", "/admin", "/odoo/", "/api/"] if any(path.startswith(p) for p in blocked): if not any(path.startswith(a) for a in allowed_web): path = "/job-offers" # Ensure path starts with / if not path.startswith("/"): path = "/" + path # Internal fetch — same server base_url = ( request.env["ir.config_parameter"] .sudo() .get_param("web.base.url") ) sep = "&" if "?" in path else "?" # Use internal URL (inside Docker: 127.0.0.1:8069) not web.base.url # which points to external nginx port not reachable from inside container internal_base = "http://127.0.0.1:8069" internal_url = f"{internal_base}{path}{sep}embed=1&ref={ref}" try: req_obj = urllib.request.Request( internal_url, headers={"User-Agent": "KJWidgetProxy/1.0"}, ) with urllib.request.urlopen(req_obj, timeout=15) as resp: html = resp.read().decode("utf-8") except Exception as e: _logger.error(f"Widget page proxy failed for {internal_url}: {e}") return request.make_json_response( {"error": "Failed to load page"}, status=502, ) # Parse the HTML document from html.parser import HTMLParser as _HP body_html, css_links, inline_styles, scripts, title = ( self._parse_page_html(html, base_url) ) # Scope CSS (cached) scoped_css = self._get_scoped_css(css_links, inline_styles, base_url) result = { "html": body_html, "css": scoped_css, "scripts": scripts, "title": title, "base_url": base_url, } return request.make_response( json.dumps(result), headers=[ ("Content-Type", "application/json; charset=utf-8"), ("Cache-Control", "public, max-age=300"), ], ) def _parse_page_html(self, html, base_url): """Parse full HTML document, extract body content, CSS links, scripts.""" # Use a simple approach: split on known tags import re as _re # Extract title_match = _re.search(r"<title[^>]*>(.*?)", html, _re.S) title = title_match.group(1).strip() if title_match else "" # Extract CSS hrefs css_links = [] for m in _re.finditer( r']+rel=["\']stylesheet["\'][^>]+href=["\']([^"\']+)["\']', html, ): href = m.group(1) if href.startswith("/"): href = base_url + href css_links.append(href) # Also check href before rel for m in _re.finditer( r']+href=["\']([^"\']+)["\'][^>]+rel=["\']stylesheet["\']', html, ): href = m.group(1) if href.startswith("/"): href = base_url + href if href not in css_links: css_links.append(href) # Extract inline ", html, _re.S): inline_styles.append(m.group(1)) # Extract