Merge pull request #24 from vectorize-io/Nonces

DK09876 · web-flow · commit e6d0a1874c3d · 2025-11-03T10:05:16.000-07:00
Update
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@vectorize-io/vectorize-connect",
-  "version": "0.3.7",
+  "version": "0.4.0",
   "description": "A simple package for Google Drive authorization and file selection",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
diff --git a/src/baseOAuth/core/oauth.ts b/src/baseOAuth/core/oauth.ts
@@ -110,9 +110,10 @@ export abstract class BaseOAuth {
   /**
    * Create an error response for the OAuth callback
    * @param error The error to include in the response
+   * @param nonce Optional nonce for Content Security Policy
    * @returns A Response object with the error
    */
-  protected static createErrorResponse(error: OAuthError): Response {
+  protected static createErrorResponse(error: OAuthError, nonce?: string): Response {
     const htmlContent = `
       <!DOCTYPE html>
       <html>
@@ -122,15 +123,15 @@ export abstract class BaseOAuth {
           body { font-family: Arial, sans-serif; text-align: center; margin-top: 50px; }
           .error { color: #f44336; }
         </style>
-        <script>
+        <script${nonce ? ` nonce="${nonce}"` : ''}>
           window.onload = function() {
             if (window.opener && window.opener.__oauthHandler) {
               const errorObj = ${JSON.stringify({
                 message: error.message,
                 code: error.code,
                 details: error.details
               })};
-              
+
               window.opener.__oauthHandler.onError(
                 new window.opener.__oauthHandler.OAuthError(
                   errorObj.message,
diff --git a/src/baseOAuth/types/index.ts b/src/baseOAuth/types/index.ts
@@ -38,6 +38,7 @@ export class OAuthError extends Error {
   export interface OAuthConfig {
     redirectUri: string;
     scopes?: string[];
+    nonce?: string;
     onSuccess?: (selectedFields?: any) => void;
     onError?: (error: OAuthError) => void;
   }
diff --git a/src/baseOAuth/utils/validation.ts b/src/baseOAuth/utils/validation.ts
@@ -27,9 +27,10 @@ export function validateConfig(config: OAuthConfig): void {
 /**
  * Creates an error response for OAuth callbacks
  * @param error The error to include in the response
+ * @param nonce Optional nonce for Content Security Policy
  * @returns A Response object with the error
  */
-export function createErrorResponse(error: OAuthError): Response {
+export function createErrorResponse(error: OAuthError, nonce?: string): Response {
   const htmlContent = `
     <!DOCTYPE html>
     <html>
@@ -39,15 +40,15 @@ export function createErrorResponse(error: OAuthError): Response {
         body { font-family: Arial, sans-serif; text-align: center; margin-top: 50px; }
         .error { color: #f44336; }
       </style>
-      <script>
+      <script${nonce ? ` nonce="${nonce}"` : ''}>
         window.onload = function() {
           if (window.opener && window.opener.__oauthHandler) {
             const errorObj = ${JSON.stringify({
               message: error.message,
               code: error.code,
               details: error.details
             })};
-            
+
             window.opener.__oauthHandler.onError(
               new window.opener.__oauthHandler.OAuthError(
                 errorObj.message,
diff --git a/src/dropBoxOAuth/core/oauth.ts b/src/dropBoxOAuth/core/oauth.ts
@@ -95,7 +95,7 @@ export class DropboxOAuth extends BaseOAuth {
   ): Promise<Response> {
     if (error) {
       const errorObj = typeof error === 'string' ? new OAuthError(error, 'CALLBACK_ERROR') : error;
-      return this.createErrorResponse(errorObj);
+      return this.createErrorResponse(errorObj, nonce);
     }
 
     try {
@@ -116,7 +116,8 @@ export class DropboxOAuth extends BaseOAuth {
           error instanceof Error ? error.message : 'Failed to create callback page',
           'CALLBACK_ERROR',
           error
-        )
+        ),
+        nonce
       );
     }
   }
diff --git a/src/dropBoxOAuth/core/selection.ts b/src/dropBoxOAuth/core/selection.ts
@@ -50,15 +50,16 @@ export class DropboxSelection extends BaseSelection {
         
         // Generate the Dropbox file picker content
         const content = DropboxPicker.createPickerHTML(
-          { 
+          {
             access_token: tokens.access_token,
             refresh_token: refreshToken,
             expires_in: tokens.expires_in,
             token_type: tokens.token_type
-          }, 
-          config, 
-          refreshToken, 
-          selectedFiles
+          },
+          config,
+          refreshToken,
+          selectedFiles,
+          config.nonce
         );
         
         // Write content to the popup
diff --git a/src/dropBoxOAuth/ui/picker.ts b/src/dropBoxOAuth/ui/picker.ts
@@ -68,6 +68,7 @@ export class DropboxPicker extends BasePicker {
           script.id = 'dropboxjs';
           script.src = 'https://www.dropbox.com/static/api/2/dropins.js';
           script.setAttribute('data-app-key', '${config.appKey}');
+          ${nonce ? `script.setAttribute('nonce', '${nonce}');` : ''}
           script.onload = () => {
             if (isDropboxAvailable()) {
               resolve(true);
diff --git a/src/googleDriveOAuth/core/oauth.ts b/src/googleDriveOAuth/core/oauth.ts
@@ -100,7 +100,7 @@ export class GoogleDriveOAuth extends BaseOAuth {
   ): Promise<Response> {
     if (error) {
       const errorObj = typeof error === 'string' ? new OAuthError(error, 'CALLBACK_ERROR') : error;
-      return this.createErrorResponse(errorObj);
+      return this.createErrorResponse(errorObj, nonce);
     }
 
     try {
@@ -121,7 +121,8 @@ export class GoogleDriveOAuth extends BaseOAuth {
           error instanceof Error ? error.message : 'Failed to create callback page',
           'CALLBACK_ERROR',
           error
-        )
+        ),
+        nonce
       );
     }
   }
diff --git a/src/googleDriveOAuth/core/selection.ts b/src/googleDriveOAuth/core/selection.ts
@@ -51,15 +51,16 @@ export class GoogleDriveSelection extends BaseSelection {
         
         // Generate the Google Drive file picker content
         const content = GoogleDrivePicker.createPickerHTML(
-          { 
+          {
             access_token: tokens.access_token,
             refresh_token: refreshToken,
             expires_in: tokens.expires_in,
             token_type: tokens.token_type
-          }, 
-          config, 
-          refreshToken, 
-          selectedFiles
+          },
+          config,
+          refreshToken,
+          selectedFiles,
+          config.nonce
         );
         
         // Write content to the popup
diff --git a/src/googleDriveOAuth/ui/picker.ts b/src/googleDriveOAuth/ui/picker.ts
@@ -140,8 +140,8 @@ export class GoogleDrivePicker extends BasePicker {
 
     // Google-specific head includes
     const googleHead = `
-      <script src="https://apis.google.com/js/api.js"></script>
-      <script src="https://apis.google.com/js/platform.js"></script>
+      <script src="https://apis.google.com/js/api.js"${nonce ? ` nonce="${nonce}"` : ''}></script>
+      <script src="https://apis.google.com/js/platform.js"${nonce ? ` nonce="${nonce}"` : ''}></script>
     `;
 
     // Assemble the complete HTML
diff --git a/src/googleDriveOAuth/utils/validation.ts b/src/googleDriveOAuth/utils/validation.ts
@@ -23,9 +23,10 @@ export function validateConfig(config: OAuthConfig): void {
 /**
  * Creates an HTML error response for the OAuth popup
  * @param error The error to embed in the response
+ * @param nonce Optional nonce for Content Security Policy
  * @returns A Response object with the error handling HTML
  */
-export function createErrorResponse(error: OAuthError): Response {
+export function createErrorResponse(error: OAuthError, nonce?: string): Response {
   // Create a plain object with all properties we want to transfer
   const errorData = {
     message: error.message,
@@ -35,7 +36,7 @@ export function createErrorResponse(error: OAuthError): Response {
   };
 
   return new Response(
-    `<script>
+    `<script${nonce ? ` nonce="${nonce}"` : ''}>
       const errorObj = ${JSON.stringify(errorData)};
       window.opener.__oauthHandler?.onError(errorObj);
       window.close();
diff --git a/src/notionOAuth/core/oauth.ts b/src/notionOAuth/core/oauth.ts
@@ -84,16 +84,18 @@ export class NotionOAuth extends BaseOAuth {
    * @param code Authorization code from the OAuth redirect
    * @param config The OAuth configuration
    * @param error Optional error from the OAuth process
+   * @param nonce Optional nonce for Content Security Policy
    * @returns A Response object with the callback page
    */
   public static override async createCallbackResponse(
     code: string,
     config: NotionOAuthConfig,
-    error?: string | OAuthError
+    error?: string | OAuthError,
+    nonce?: string
   ): Promise<Response> {
     if (error) {
       const errorObj = typeof error === 'string' ? new OAuthError(error, 'CALLBACK_ERROR') : error;
-      return this.createErrorResponse(errorObj);
+      return this.createErrorResponse(errorObj, nonce);
     }
 
     try {
@@ -105,16 +107,17 @@ export class NotionOAuth extends BaseOAuth {
       );
 
       // Use the Notion picker template
-      const htmlContent = NotionPicker.createPickerHTML(tokens, config, tokens.access_token);
-      
+      const htmlContent = NotionPicker.createPickerHTML(tokens, config, tokens.access_token, undefined, nonce);
+
       return new Response(htmlContent, { headers: { 'Content-Type': 'text/html' } });
     } catch (error) {
       return this.createErrorResponse(
         error instanceof OAuthError ? error : new OAuthError(
           error instanceof Error ? error.message : 'Failed to create callback page',
           'CALLBACK_ERROR',
           error
-        )
+        ),
+        nonce
       );
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@vectorize-io/vectorize-connect",`
`3`		`- "version": "0.3.7",`
	`3`	`+ "version": "0.4.0",`
`4`	`4`	`"description": "A simple package for Google Drive authorization and file selection",`
`5`	`5`	`"main": "dist/index.js",`
`6`	`6`	`"module": "dist/index.mjs",`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ export class OAuthError extends Error {`
`38`	`38`	`export interface OAuthConfig {`
`39`	`39`	`redirectUri: string;`
`40`	`40`	`scopes?: string[];`
	`41`	`+ nonce?: string;`
`41`	`42`	`onSuccess?: (selectedFields?: any) => void;`
`42`	`43`	`onError?: (error: OAuthError) => void;`
`43`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ export class DropboxOAuth extends BaseOAuth {`
`95`	`95`	`): Promise<Response> {`
`96`	`96`	`if (error) {`
`97`	`97`	`const errorObj = typeof error === 'string' ? new OAuthError(error, 'CALLBACK_ERROR') : error;`
`98`		`- return this.createErrorResponse(errorObj);`
	`98`	`+ return this.createErrorResponse(errorObj, nonce);`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`try {`
`@@ -116,7 +116,8 @@ export class DropboxOAuth extends BaseOAuth {`
`116`	`116`	`error instanceof Error ? error.message : 'Failed to create callback page',`
`117`	`117`	`'CALLBACK_ERROR',`
`118`	`118`	`error`
`119`		`- )`
	`119`	`+ ),`
	`120`	`+ nonce`
`120`	`121`	`);`
`121`	`122`	`}`
`122`	`123`	`}`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ export class GoogleDriveOAuth extends BaseOAuth {`
`100`	`100`	`): Promise<Response> {`
`101`	`101`	`if (error) {`
`102`	`102`	`const errorObj = typeof error === 'string' ? new OAuthError(error, 'CALLBACK_ERROR') : error;`
`103`		`- return this.createErrorResponse(errorObj);`
	`103`	`+ return this.createErrorResponse(errorObj, nonce);`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`try {`
`@@ -121,7 +121,8 @@ export class GoogleDriveOAuth extends BaseOAuth {`
`121`	`121`	`error instanceof Error ? error.message : 'Failed to create callback page',`
`122`	`122`	`'CALLBACK_ERROR',`
`123`	`123`	`error`
`124`		`- )`
	`124`	`+ ),`
	`125`	`+ nonce`
`125`	`126`	`);`
`126`	`127`	`}`
`127`	`128`	`}`