fix(mana-core-auth): allow inline scripts in CSP for OIDC login page

The login page uses inline JavaScript for the form submission handler. Helmet's default CSP was blocking this, preventing users from logging in via OIDC/SSO flows (e.g., Matrix Synapse). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-14 20:01:09 +02:00 · 2026-01-30 16:35:42 +01:00 · 2026-01-30 16:35:42 +01:00 · 3d4402ad9b
commit 3d4402ad9b
parent 017891b1c8
1 changed files with 13 additions and 1 deletions
--- a/services/mana-core-auth/src/main.ts
+++ b/services/mana-core-auth/src/main.ts
@ -48,11 +48,23 @@ async function bootstrap() {
 		next();
 	});

-	// Security middleware - configure helmet to allow CORS
+	// Security middleware - configure helmet to allow CORS and inline scripts for login page
 	app.use(
 		helmet({
 			crossOriginResourcePolicy: { policy: 'cross-origin' },
 			crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
+			contentSecurityPolicy: {
+				directives: {
+					defaultSrc: ["'self'"],
+					scriptSrc: ["'self'", "'unsafe-inline'"], // Allow inline scripts for login page
+					styleSrc: ["'self'", "'unsafe-inline'"], // Allow inline styles
+					imgSrc: ["'self'", 'data:', 'https:'],
+					connectSrc: ["'self'"],
+					fontSrc: ["'self'"],
+					objectSrc: ["'none'"],
+					frameAncestors: ["'none'"],
+				},
+			},
 		})
 	);
 	app.use(cookieParser());