From 3d4402ad9b9bbea039d5f58fbecbb1dde6c9ec41 Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Fri, 30 Jan 2026 16:35:42 +0100
Subject: [PATCH] fix(mana-core-auth): allow inline scripts in CSP for OIDC login page

The login page uses inline JavaScript for the form submission handler. Helmet's default CSP was blocking this, preventing users from logging in via OIDC/SSO flows (e.g., Matrix Synapse).

Co-Authored-By: Claude Opus 4.5
---
 services/mana-core-auth/src/main.ts | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/services/mana-core-auth/src/main.ts b/services/mana-core-auth/src/main.ts
index b95692464..b46253a6a 100644
--- a/services/mana-core-auth/src/main.ts
+++ b/services/mana-core-auth/src/main.ts
@@ -48,11 +48,23 @@ async function bootstrap() {
 next();
 });
 
- // Security middleware - configure helmet to allow CORS
+ // Security middleware - configure helmet to allow CORS and inline scripts for login page
 app.use(
 helmet({
 crossOriginResourcePolicy: { policy: 'cross-origin' },
 crossOriginOpenerPolicy: { policy: 'same-origin-allow-popups' },
+ contentSecurityPolicy: {
+ directives: {
+ defaultSrc: ["'self'"],
+ scriptSrc: ["'self'", "'unsafe-inline'"], // Allow inline scripts for login page
+ styleSrc: ["'self'", "'unsafe-inline'"], // Allow inline styles
+ imgSrc: ["'self'", 'data:', 'https:'],
+ connectSrc: ["'self'"],
+ fontSrc: ["'self'"],
+ objectSrc: ["'none'"],
+ frameAncestors: ["'none'"],
+ },
+ },
 })
 );
 app.use(cookieParser());
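Review bot: `scriptSrc: ["'self'", "'unsafe-inline'"]` removes the main XSS mitigation CSP provides, and it does so service-wide on the auth server, i.e. on the exact page that handles credentials and OIDC authorization codes; since the description says the only inline script is the login form's submit handler, a per-request nonce or a script hash fixes the breakage without that cost. With a nonce: generate it before helmet (`res.locals.cspNonce = crypto.randomBytes(16).toString('base64')`), reference it in the directive with `scriptSrc: ["'self'", (req, res) => \`'nonce-${(res as any).locals.cspNonce}'\`]`, and add `nonce="..."` to the login page's `<script>` tag; if the handler is static, a `'sha256-<base64 digest of the script body>'` entry works with no template change. Two smaller points in the same block: `imgSrc` allowing `https:` permits loading images from any origin, which is looser than the rest of the policy and worth a comment if intentional, and supplying a `directives` object may drop helmet's default `base-uri`/`form-action` entries depending on the helmet version's `useDefaults` behaviour — `form-action 'self'` is the directive that stops a login form being redirected, so confirm it is still emitted. The enclosing `bootstrap()` starts and ends outside this hunk.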