oauthController: calculate the script hash on the fly so we can edit it

This commit is contained in:
Alex Gleason 2024-05-12 10:56:27 -05:00
parent 4b7804872c
commit 928ae4ec22
No known key found for this signature in database
GPG Key ID: 7211D1F99744FBB7
1 changed files with 18 additions and 13 deletions

View File

@ -1,3 +1,4 @@
import { encodeBase64 } from '@std/encoding/base64';
import { nip19 } from 'nostr-tools'; import { nip19 } from 'nostr-tools';
import { z } from 'zod'; import { z } from 'zod';
@ -60,7 +61,7 @@ const createTokenController: AppController = async (c) => {
}; };
/** Display the OAuth form. */ /** Display the OAuth form. */
const oauthController: AppController = (c) => { const oauthController: AppController = async (c) => {
const encodedUri = c.req.query('redirect_uri'); const encodedUri = c.req.query('redirect_uri');
if (!encodedUri) { if (!encodedUri) {
return c.text('Missing `redirect_uri` query param.', 422); return c.text('Missing `redirect_uri` query param.', 422);
@ -68,17 +69,7 @@ const oauthController: AppController = (c) => {
const redirectUri = maybeDecodeUri(encodedUri); const redirectUri = maybeDecodeUri(encodedUri);
c.res.headers.set( const script = `
'content-security-policy',
"default-src 'self' 'sha256-m2qD6rbE2Ixbo2Bjy2dgQebcotRIAawW7zbmXItIYAM='",
);
return c.html(`<!DOCTYPE html>
<html lang="en">
<head>
<title>Log in with Ditto</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
<script>
window.addEventListener('load', function() { window.addEventListener('load', function() {
if ('nostr' in window) { if ('nostr' in window) {
nostr.getPublicKey().then(function(pubkey) { nostr.getPublicKey().then(function(pubkey) {
@ -87,7 +78,21 @@ const oauthController: AppController = (c) => {
}); });
} }
}); });
</script> `;
const hash = encodeBase64(await crypto.subtle.digest('SHA-256', new TextEncoder().encode(script)));
c.res.headers.set(
'content-security-policy',
`default-src 'self' 'sha256-${hash}'`,
);
return c.html(`<!DOCTYPE html>
<html lang="en">
<head>
<title>Log in with Ditto</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
<script>${script}</script>
</head> </head>
<body> <body>
<form id="oauth_form" action="/oauth/authorize" method="post"> <form id="oauth_form" action="/oauth/authorize" method="post">