From 210cd898e31e181be1b988478bd67e0dd1712c20 Mon Sep 17 00:00:00 2001
From: Andrew Shu
Date: Sun, 24 Aug 2025 13:48:09 -0700
Subject: [PATCH] Move Swagger UI JS to separate file

Instead of injecting CSP nonce, which does not work because nginx configuration is overwriting the header
---
 ansible/roles/swagger_ui/files/index.html | 22 +-----------------
 ansible/roles/swagger_ui/files/index.js | 26 +++++++++++++++++++++
 ansible/roles/swagger_ui/tasks/main.yml | 6 +++++
 tildes/tildes/tweens.py | 28 -----------------------
 4 files changed, 33 insertions(+), 49 deletions(-)
 create mode 100644 ansible/roles/swagger_ui/files/index.js

diff --git a/ansible/roles/swagger_ui/files/index.html b/ansible/roles/swagger_ui/files/index.html
index 1cd1014..2a410eb 100644
--- a/ansible/roles/swagger_ui/files/index.html
+++ b/ansible/roles/swagger_ui/files/index.html
@@ -11,26 +11,6 @@
-
- window.onload = function() {
- const uiConfig = ${ui_config};
- Object.assign(uiConfig, {
- presets: [
- SwaggerUIBundle.presets.apis,
- SwaggerUIStandalonePreset,
- ],
- plugins: [
- SwaggerUIBundle.plugins.DownloadUrl,
- ],
- });
- const oauthConfig = ${oauth_config};
- // Build a system
- const ui = SwaggerUIBundle(uiConfig);
- if (oauthConfig) {
- ui.initOAuth(oauthConfig);
- }
- window.ui = ui;
- }
-
+
diff --git a/ansible/roles/swagger_ui/files/index.js b/ansible/roles/swagger_ui/files/index.js
new file mode 100644
index 0000000..ec0b441
--- /dev/null
+++ b/ansible/roles/swagger_ui/files/index.js
@@ -0,0 +1,26 @@
+window.onload = function() {
+ const uiConfig = {
+ "url": "/api/beta/ui",
+ "dom_id": "#swagger-ui",
+ "deepLinking": True,
+ "validatorUrl": None,
+ "layout": "StandaloneLayout",
+ "oauth2RedirectUrl": "oauth2-redirect",
+ };
+ Object.assign(uiConfig, {
+ presets: [
+ SwaggerUIBundle.presets.apis,
+ SwaggerUIStandalonePreset,
+ ],
+ plugins: [
+ SwaggerUIBundle.plugins.DownloadUrl,
+ ],
+ });
+ const oauthConfig = undefined;
+ // Build a system
+ const ui = SwaggerUIBundle(uiConfig);
+ if (oauthConfig) {
+ ui.initOAuth(oauthConfig);
+ }
+ window.ui = ui;
+}
\ No newline at end of file
diff --git a/ansible/roles/swagger_ui/tasks/main.yml b/ansible/roles/swagger_ui/tasks/main.yml
index f1b03b6..30026ce 100644
--- a/ansible/roles/swagger_ui/tasks/main.yml
+++ b/ansible/roles/swagger_ui/tasks/main.yml
@@ -22,3 +22,9 @@
 owner: "{{ app_username }}"
 group: "{{ app_username }}"
 mode: 0644
+ - copy:
+ src: "index.js"
+ dest: "{{ app_dir }}/static/swagger-ui/index.js"
+ owner: "{{ app_username }}"
+ group: "{{ app_username }}"
+ mode: 0644
diff --git a/tildes/tildes/tweens.py b/tildes/tildes/tweens.py
index a4c3879..9031c1f 100644
--- a/tildes/tildes/tweens.py
+++ b/tildes/tildes/tweens.py
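Review bot: `"deepLinking": True,` and `"validatorUrl": None,` in the new uiConfig literal are Python constants, not JavaScript; `True` and `None` are unbound identifiers in the browser, so evaluating the object literal throws a ReferenceError inside window.onload and SwaggerUIBundle is never called. They look like they were carried over from the Python-rendered `${ui_config}` the old inline script received; the JavaScript spellings are `deepLinking: true,` and `validatorUrl: null,` (null is also what stops Swagger UI from sending the spec URL to the remote validator, which is presumably the intent). The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.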
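Review bot: The added `copy` task repeats the task above it field for field with only `index.js` changing; if the earlier task copies `index.html` into the same `{{ app_dir }}/static/swagger-ui/` directory (its `src`/`dest` are outside the hunk), the two could be one task with `loop: [index.html, index.js]`, `src: "{{ item }}"` and `dest: "{{ app_dir }}/static/swagger-ui/{{ item }}"`, so ownership and mode stay in step for both files. Consider also quoting the mode as `mode: "0644"`, since Ansible's own guidance is that an unquoted leading-zero literal is parsed as a number and can misbehave in loops; the existing line above uses the same unquoted form, so this is a file-wide style choice rather than a defect introduced here.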
@@ -3,7 +3,6 @@ """Contains Pyramid "tweens", used to insert additional logic into request-handling."""
-import secrets
 from collections.abc import Callable
 from time import time
@@ -107,35 +106,8 @@ def theme_cookie_tween_factory(handler: Callable, registry: Registry) -> Callabl
 return theme_cookie_tween
-def inject_csp_header_tween_factory(handler: Callable, registry: Registry) -> Callable:
- # pylint: disable=unused-argument
- """Return a tween function that sets a CSP nonce (for Swagger UI)."""
-
- def inject_csp_header_tween(request: Request) -> Response:
- """Generate a CSP nonce and add it to the request and response.
-
- Only apply to specific routes defined here, to minimize performance overhead.
- """
- nonce = None
- route_name = request.matched_route.name if request.matched_route else None
- if route_name == "pyramid_openapi3.explorer":
- nonce = secrets.token_urlsafe(16)
- request.csp_nonce = nonce
-
- response = handler(request)
-
- if nonce:
- response.headers["Content-Security-Policy"] = (
- f"script-src 'self' 'nonce-{nonce}'"
- )
- return response
-
- return inject_csp_header_tween
-
-
 def includeme(config: Configurator) -> None:
 """Attach Tildes tweens to the Pyramid config."""
 config.add_tween("tildes.tweens.http_method_tween_factory")
 config.add_tween("tildes.tweens.metrics_tween_factory")
 config.add_tween("tildes.tweens.theme_cookie_tween_factory")
- config.add_tween("tildes.tweens.inject_csp_header_tween_factory")