From 928ae4ec2252da2ec2e01930c15c92274f9e7af9 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 12 May 2024 10:56:27 -0500 Subject: [PATCH] oauthController: calculate the script hash on the fly so we can edit it --- src/controllers/api/oauth.ts | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/src/controllers/api/oauth.ts b/src/controllers/api/oauth.ts index 4f1f495..e45b31a 100644 --- a/src/controllers/api/oauth.ts +++ b/src/controllers/api/oauth.ts @@ -1,3 +1,4 @@ +import { encodeBase64 } from '@std/encoding/base64'; import { nip19 } from 'nostr-tools'; import { z } from 'zod'; @@ -60,7 +61,7 @@ const createTokenController: AppController = async (c) => { }; /** Display the OAuth form. */ -const oauthController: AppController = (c) => { +const oauthController: AppController = async (c) => { const encodedUri = c.req.query('redirect_uri'); if (!encodedUri) { return c.text('Missing `redirect_uri` query param.', 422); @@ -68,17 +69,7 @@ const oauthController: AppController = (c) => { const redirectUri = maybeDecodeUri(encodedUri); - c.res.headers.set( - 'content-security-policy', - "default-src 'self' 'sha256-m2qD6rbE2Ixbo2Bjy2dgQebcotRIAawW7zbmXItIYAM='", - ); - - return c.html(` - - - Log in with Ditto - - + `; + + const hash = encodeBase64(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(script))); + + c.res.headers.set( + 'content-security-policy', + `default-src 'self' 'sha256-${hash}'`, + ); + + return c.html(` + + + Log in with Ditto + +