From d697a99bac86e2ab957c6d4c0fcf0d7d18245251 Mon Sep 17 00:00:00 2001
From: Andrew Shu
Date: Sun, 24 Aug 2025 15:23:27 -0700
Subject: [PATCH] Move Swagger UI inline script to index.js

Remove unsafe-inline CSP from previous commit
---
 .../templates/tildes.conf.jinja2 | 3 ---
 ansible/roles/swagger_ui/files/index.html | 22 +---------------
 ansible/roles/swagger_ui/files/index.js | 26 +++++++++++++++++++
 ansible/roles/swagger_ui/tasks/main.yml | 6 +++++
 4 files changed, 33 insertions(+), 24 deletions(-)
 create mode 100644 ansible/roles/swagger_ui/files/index.js
diff --git a/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2 b/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
index a025e7c..e7a348c 100644
--- a/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
+++ b/ansible/roles/nginx_site_config/templates/tildes.conf.jinja2
@@ -18,9 +18,6 @@ map $request_uri $csp_header {
 # The CSP for the Stripe donation page:
 # - "https://js.stripe.com" in script-src and frame-src is needed for Stripe
 "~^/donate_stripe$" "default-src 'none'; script-src 'self' https://js.stripe.com; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; frame-src 'self' https://js.stripe.com; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
- # The CSP for the API explorer Swagger UI:
- # - "unsafe-inline" in script-src is needed for the script in the template index.html
- "~^/api/beta/ui$" "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; img-src 'self' data:; connect-src 'self'; manifest-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
 }
 server {
diff --git a/ansible/roles/swagger_ui/files/index.html b/ansible/roles/swagger_ui/files/index.html
index 1cd1014..2a410eb 100644
--- a/ansible/roles/swagger_ui/files/index.html
+++ b/ansible/roles/swagger_ui/files/index.html
@@ -11,26 +11,6 @@
-
- window.onload = function() {
- const uiConfig = ${ui_config};
- Object.assign(uiConfig, {
- presets: [
- SwaggerUIBundle.presets.apis,
- SwaggerUIStandalonePreset,
- ],
- plugins: [
- SwaggerUIBundle.plugins.DownloadUrl,
- ],
- });
- const oauthConfig = ${oauth_config};
- // Build a system
- const ui = SwaggerUIBundle(uiConfig);
- if (oauthConfig) {
- ui.initOAuth(oauthConfig);
- }
- window.ui = ui;
- }
-
+
diff --git a/ansible/roles/swagger_ui/files/index.js b/ansible/roles/swagger_ui/files/index.js
new file mode 100644
index 0000000..20b2626
--- /dev/null
+++ b/ansible/roles/swagger_ui/files/index.js
@@ -0,0 +1,26 @@
+window.onload = function() {
+ const uiConfig = {
+ "url": "/api/beta/openapi.yaml",
+ "dom_id": "#swagger-ui",
+ "deepLinking": true,
+ "validatorUrl": null,
+ "layout": "StandaloneLayout",
+ "oauth2RedirectUrl": "/api/beta/ui/oauth2-redirect"
+ };
+ Object.assign(uiConfig, {
+ presets: [
+ SwaggerUIBundle.presets.apis,
+ SwaggerUIStandalonePreset,
+ ],
+ plugins: [
+ SwaggerUIBundle.plugins.DownloadUrl,
+ ],
+ });
+ const oauthConfig = null;
+ // Build a system
+ const ui = SwaggerUIBundle(uiConfig);
+ if (oauthConfig) {
+ ui.initOAuth(oauthConfig);
+ }
+ window.ui = ui;
+}
\ No newline at end of file
diff --git a/ansible/roles/swagger_ui/tasks/main.yml b/ansible/roles/swagger_ui/tasks/main.yml
index f1b03b6..30026ce 100644
--- a/ansible/roles/swagger_ui/tasks/main.yml
+++ b/ansible/roles/swagger_ui/tasks/main.yml
@@ -22,3 +22,9 @@
 owner: "{{ app_username }}"
 group: "{{ app_username }}"
 mode: 0644
+ - copy:
+ src: "index.js"
+ dest: "{{ app_dir }}/static/swagger-ui/index.js"
+ owner: "{{ app_username }}"
+ group: "{{ app_username }}"
+ mode: 0644
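Review bot: In the new `ansible/roles/swagger_ui/files/index.js`, `const oauthConfig = null;` makes the `if (oauthConfig) { ui.initOAuth(oauthConfig); }` branch unreachable, and the values the template used to receive through `${ui_config}` and `${oauth_config}` are now fixed in a static file with nothing recording where they came from. Either drop the dead branch or keep it under a header comment such as `// Static copy of the Swagger UI config formerly injected into index.html; kept in its own file so the page's CSP needs no 'unsafe-inline'. Keep url and oauth2RedirectUrl in sync with the API paths.` Assigning `window.onload = function() {` also replaces any load handler set elsewhere; `window.addEventListener('load', function() {` avoids that. The file also ends without a trailing newline.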
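Review bot: The `copy` task added in `ansible/roles/swagger_ui/tasks/main.yml` has no `name:`, so a playbook run reports it only as `copy` and nothing in the role records why this script is deployed as a separate file. A name such as `- name: Install Swagger UI init script (external file so the CSP needs no 'unsafe-inline')` would carry that reason. The preceding task starts outside this hunk, so whether the role names its other tasks is not visible here.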