mirror/ditto
mirror/ditto
1
0
Fork 0
mirror of https://gitlab.com/soapbox-pub/ditto.git synced 2025-12-06 11:29:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Include Soapbox sentryDsn in CSP

Browse source
This commit is contained in:
Alex Gleason 2024-11-14 20:12:27 -06:00
parent 55f50ba93d
commit 02ada73f48
No known key found for this signature in database
GPG key ID: 7211D1F99744FBB7
3 changed files with 49 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
src/controllers/api/pleroma.ts
View file

@ -1,4 +1,3 @@
import { NSchema as n, NStore } from '@nostrify/nostrify';
import { z } from 'zod'; import { z } from 'zod';
import { type AppController } from '@/app.ts'; import { type AppController } from '@/app.ts';
@ -8,11 +7,11 @@ import { AdminSigner } from '@/signers/AdminSigner.ts';
import { Storages } from '@/storages.ts'; import { Storages } from '@/storages.ts';
import { createAdminEvent, updateAdminEvent, updateUser } from '@/utils/api.ts'; import { createAdminEvent, updateAdminEvent, updateUser } from '@/utils/api.ts';
import { lookupPubkey } from '@/utils/lookup.ts'; import { lookupPubkey } from '@/utils/lookup.ts';
import { PleromaConfigDB } from '@/utils/PleromaConfigDB.ts'; import { getPleromaConfigs } from '@/utils/pleroma.ts';
const frontendConfigController: AppController = async (c) => { const frontendConfigController: AppController = async (c) => {
const store = await Storages.db(); const store = await Storages.db();
const configDB = await getConfigs(store, c.req.raw.signal); const configDB = await getPleromaConfigs(store, c.req.raw.signal);
const frontendConfig = configDB.get(':pleroma', ':frontend_configurations'); const frontendConfig = configDB.get(':pleroma', ':frontend_configurations');
if (frontendConfig) { if (frontendConfig) {
@ -29,7 +28,7 @@ const frontendConfigController: AppController = async (c) => {
const configController: AppController = async (c) => { const configController: AppController = async (c) => {
const store = await Storages.db(); const store = await Storages.db();
const configs = await getConfigs(store, c.req.raw.signal); const configs = await getPleromaConfigs(store, c.req.raw.signal);
return c.json({ configs, need_reboot: false }); return c.json({ configs, need_reboot: false });
}; };
@ -38,7 +37,7 @@ const updateConfigController: AppController = async (c) => {
const { pubkey } = Conf; const { pubkey } = Conf;
const store = await Storages.db(); const store = await Storages.db();
const configs = await getConfigs(store, c.req.raw.signal); const configs = await getPleromaConfigs(store, c.req.raw.signal);
const { configs: newConfigs } = z.object({ configs: z.array(configSchema) }).parse(await c.req.json()); const { configs: newConfigs } = z.object({ configs: z.array(configSchema) }).parse(await c.req.json());
configs.merge(newConfigs); configs.merge(newConfigs);
@ -64,29 +63,6 @@ const pleromaAdminDeleteStatusController: AppController = async (c) => {
return c.json({}); return c.json({});
}; };
async function getConfigs(store: NStore, signal: AbortSignal): Promise<PleromaConfigDB> {
const { pubkey } = Conf;
const [event] = await store.query([{
kinds: [30078],
authors: [pubkey],
'#d': ['pub.ditto.pleroma.config'],
limit: 1,
}], { signal });
if (!event) {
return new PleromaConfigDB([]);
}
try {
const decrypted = await new AdminSigner().nip44.decrypt(Conf.pubkey, event.content);
const configs = n.json().pipe(configSchema.array()).catch([]).parse(decrypted);
return new PleromaConfigDB(configs);
} catch (_e) {
return new PleromaConfigDB([]);
}
}
const pleromaAdminTagSchema = z.object({ const pleromaAdminTagSchema = z.object({
nicknames: z.string().array(), nicknames: z.string().array(),
tags: z.string().array(), tags: z.string().array(),

17
src/middleware/cspMiddleware.ts
View file

@ -1,15 +1,30 @@
import { AppMiddleware } from '@/app.ts'; import { AppMiddleware } from '@/app.ts';
import { Conf } from '@/config.ts'; import { Conf } from '@/config.ts';
import { PleromaConfigDB } from '@/utils/PleromaConfigDB.ts';
import { Storages } from '@/storages.ts';
import { getPleromaConfigs } from '@/utils/pleroma.ts';
let configDBCache: Promise<PleromaConfigDB> | undefined;
export const cspMiddleware = (): AppMiddleware => { export const cspMiddleware = (): AppMiddleware => {
return async (c, next) => { return async (c, next) => {
const store = await Storages.db();
if (!configDBCache) {
configDBCache = getPleromaConfigs(store);
}
const { host, protocol, origin } = Conf.url; const { host, protocol, origin } = Conf.url;
const wsProtocol = protocol === 'http:' ? 'ws:' : 'wss:'; const wsProtocol = protocol === 'http:' ? 'ws:' : 'wss:';
const configDB = await configDBCache;
const sentryDsn = configDB.getIn(':pleroma', ':frontend_configurations', ':soapbox_fe', 'sentryDsn');
const policies = [ const policies = [
'upgrade-insecure-requests', 'upgrade-insecure-requests',
`script-src 'self'`, `script-src 'self'`,
`connect-src 'self' blob: ${origin} ${wsProtocol}//${host}`, `connect-src 'self' blob: ${origin} ${wsProtocol}//${host}` + typeof sentryDsn === 'string'
? ` ${sentryDsn}`
: '',
`media-src 'self' https:`, `media-src 'self' https:`,
`img-src 'self' data: blob: https:`, `img-src 'self' data: blob: https:`,
`default-src 'none'`, `default-src 'none'`,

29
src/utils/pleroma.ts Normal file
View file

@ -0,0 +1,29 @@
import { NSchema as n, NStore } from '@nostrify/nostrify';
import { Conf } from '@/config.ts';
import { configSchema } from '@/schemas/pleroma-api.ts';
import { AdminSigner } from '@/signers/AdminSigner.ts';
import { PleromaConfigDB } from '@/utils/PleromaConfigDB.ts';
export async function getPleromaConfigs(store: NStore, signal?: AbortSignal): Promise<PleromaConfigDB> {
const { pubkey } = Conf;
const [event] = await store.query([{
kinds: [30078],
authors: [pubkey],
'#d': ['pub.ditto.pleroma.config'],
limit: 1,
}], { signal });
if (!event) {
return new PleromaConfigDB([]);
}
try {
const decrypted = await new AdminSigner().nip44.decrypt(Conf.pubkey, event.content);
const configs = n.json().pipe(configSchema.array()).catch([]).parse(decrypted);
return new PleromaConfigDB(configs);
} catch (_e) {
return new PleromaConfigDB([]);
}
}