oauthController: calculate the script hash on the fly so we can edit it
This commit is contained in:
parent
4b7804872c
commit
928ae4ec22
|
@ -1,3 +1,4 @@
|
||||||
|
import { encodeBase64 } from '@std/encoding/base64';
|
||||||
import { nip19 } from 'nostr-tools';
|
import { nip19 } from 'nostr-tools';
|
||||||
import { z } from 'zod';
|
import { z } from 'zod';
|
||||||
|
|
||||||
|
@ -60,7 +61,7 @@ const createTokenController: AppController = async (c) => {
|
||||||
};
|
};
|
||||||
|
|
||||||
/** Display the OAuth form. */
|
/** Display the OAuth form. */
|
||||||
const oauthController: AppController = (c) => {
|
const oauthController: AppController = async (c) => {
|
||||||
const encodedUri = c.req.query('redirect_uri');
|
const encodedUri = c.req.query('redirect_uri');
|
||||||
if (!encodedUri) {
|
if (!encodedUri) {
|
||||||
return c.text('Missing `redirect_uri` query param.', 422);
|
return c.text('Missing `redirect_uri` query param.', 422);
|
||||||
|
@ -68,17 +69,7 @@ const oauthController: AppController = (c) => {
|
||||||
|
|
||||||
const redirectUri = maybeDecodeUri(encodedUri);
|
const redirectUri = maybeDecodeUri(encodedUri);
|
||||||
|
|
||||||
c.res.headers.set(
|
const script = `
|
||||||
'content-security-policy',
|
|
||||||
"default-src 'self' 'sha256-m2qD6rbE2Ixbo2Bjy2dgQebcotRIAawW7zbmXItIYAM='",
|
|
||||||
);
|
|
||||||
|
|
||||||
return c.html(`<!DOCTYPE html>
|
|
||||||
<html lang="en">
|
|
||||||
<head>
|
|
||||||
<title>Log in with Ditto</title>
|
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
|
|
||||||
<script>
|
|
||||||
window.addEventListener('load', function() {
|
window.addEventListener('load', function() {
|
||||||
if ('nostr' in window) {
|
if ('nostr' in window) {
|
||||||
nostr.getPublicKey().then(function(pubkey) {
|
nostr.getPublicKey().then(function(pubkey) {
|
||||||
|
@ -87,7 +78,21 @@ const oauthController: AppController = (c) => {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
</script>
|
`;
|
||||||
|
|
||||||
|
const hash = encodeBase64(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(script)));
|
||||||
|
|
||||||
|
c.res.headers.set(
|
||||||
|
'content-security-policy',
|
||||||
|
`default-src 'self' 'sha256-${hash}'`,
|
||||||
|
);
|
||||||
|
|
||||||
|
return c.html(`<!DOCTYPE html>
|
||||||
|
<html lang="en">
|
||||||
|
<head>
|
||||||
|
<title>Log in with Ditto</title>
|
||||||
|
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
|
||||||
|
<script>${script}</script>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
<form id="oauth_form" action="/oauth/authorize" method="post">
|
<form id="oauth_form" action="/oauth/authorize" method="post">
|
||||||
|
|
Loading…
Reference in New Issue