refactor/fix: api redoc

2025-04-26 17:31:51 -04:00
parent 0a9d332d60
commit 41ade2e205
4 changed files with 15 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,6 +49,8 @@
 - **Controller**: Updated `FolderController::shareFolder()` (folderController) to include the gallery-view toggle script block intact, ensuring the “Switch to Gallery View” button works when sharing folders.  
 - **UI (fileListView.js)**: Refactored `renderGalleryView` to remove all inline `onclick=` handlers; switched to using data-attributes and `addEventListener()` for preview, download, edit and rename buttons, fully CSP-compliant.
 - Moved logout button handler out of inline `<script>` in `index.html` and into the `DOMContentLoaded` init in **main.js** (via `auth.js`), so it now attaches reliably after the CSRF token is loaded and DOM is ready.
+- Added Content-Security-Policy for `<Files "api.php">` block to allow embedding the ReDoc iframe.
+- Extracted inline ReDoc init into `public/js/redoc-init.js` and updated `public/api.php` to use deferred `<script>` tags.

 ---

--- a/6
+++ b/6
@@ -120,6 +120,10 @@ RUN cat <<'EOF' > /etc/apache2/sites-available/000-default.conf
    <FilesMatch "^\.">
      Require all denied
    </FilesMatch>
+    
+    <Files "api.php">
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.redoc.ly; style-src 'self' 'unsafe-inline'; worker-src 'self' https://cdn.redoc.ly blob:; connect-src 'self'; img-src 'self' data: blob:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';"
+    </Files>

    ErrorLog /var/www/metadata/log/error.log
    CustomLog /var/www/metadata/log/access.log combined
@@ -127,7 +131,7 @@ RUN cat <<'EOF' > /etc/apache2/sites-available/000-default.conf
 EOF

 # Enable required modules
-RUN a2enmod rewrite headers proxy proxy_fcgi expires deflate
+RUN a2enmod rewrite headers proxy proxy_fcgi expires deflate ssl

 EXPOSE 80 443
 COPY start.sh /usr/local/bin/start.sh
--- a/public/api.php
+++ b/public/api.php
@@ -19,17 +19,13 @@ if (isset($_GET['spec'])) {
  <meta charset="utf-8"/>
  <meta name="viewport" content="width=device-width, initial-scale=1"/>
  <title>FileRise API Docs</title>
-  <script src="https://cdn.redoc.ly/redoc/latest/bundles/redoc.standalone.js"
+  <script defer src="https://cdn.redoc.ly/redoc/latest/bundles/redoc.standalone.js"
          integrity="sha384-4vOjrBu7SuDWXcAw1qFznVLA/sKL+0l4nn+J1HY8w7cpa6twQEYuh4b0Cwuo7CyX"
          crossorigin="anonymous"></script>
+  <script defer src="/js/redoc-init.js"></script>
 </head>
 <body>
  <redoc spec-url="api.php?spec=1"></redoc>
  <div id="redoc-container"></div>
-  <script>
-    if (!customElements.get('redoc')) {
-      Redoc.init('api.php?spec=1', {}, document.getElementById('redoc-container'));
-    }
-  </script>
 </body>
 </html>
--- a/public/js/redoc-init.js
+++ b/public/js/redoc-init.js
@@ -0,0 +1,6 @@
+// public/js/redoc-init.js
+if (!customElements.get('redoc')) {
+    Redoc.init(window.location.origin + '/api.php?spec=1',
+               {},
+               document.getElementById('redoc-container'));
+  }