From f0f790b9f56c34021ba4a74d24d9eb3cf31c1ccc Mon Sep 17 00:00:00 2001
From: Andrew Shu
Date: Sun, 24 Aug 2025 14:01:34 -0700
Subject: [PATCH] Revert "Move Swagger UI JS to separate file"

This reverts commit 049c3d06497039ba5dc85f97d1cc2f59209f4e7a.

---
 ansible/roles/swagger_ui/files/index.html | 22 +++++++++++++++++-
 ansible/roles/swagger_ui/files/index.js | 26 ---------------------
 ansible/roles/swagger_ui/tasks/main.yml | 6 -----
 tildes/tildes/tweens.py | 28 +++++++++++++++++++++++
 4 files changed, 49 insertions(+), 33 deletions(-)
 delete mode 100644 ansible/roles/swagger_ui/files/index.js
diff --git a/ansible/roles/swagger_ui/files/index.html b/ansible/roles/swagger_ui/files/index.html
index 2a410eb..1cd1014 100644
--- a/ansible/roles/swagger_ui/files/index.html
+++ b/ansible/roles/swagger_ui/files/index.html
@@ -11,6 +11,26 @@
-
+
+ window.onload = function() {
+ const uiConfig = ${ui_config};
+ Object.assign(uiConfig, {
+ presets: [
+ SwaggerUIBundle.presets.apis,
+ SwaggerUIStandalonePreset,
+ ],
+ plugins: [
+ SwaggerUIBundle.plugins.DownloadUrl,
+ ],
+ });
+ const oauthConfig = ${oauth_config};
+ // Build a system
+ const ui = SwaggerUIBundle(uiConfig);
+ if (oauthConfig) {
+ ui.initOAuth(oauthConfig);
+ }
+ window.ui = ui;
+ }
+
diff --git a/ansible/roles/swagger_ui/files/index.js b/ansible/roles/swagger_ui/files/index.js
deleted file mode 100644
index ec0b441..0000000
--- a/ansible/roles/swagger_ui/files/index.js
+++ /dev/null
@@ -1,26 +0,0 @@
-window.onload = function() {
- const uiConfig = {
- "url": "/api/beta/ui",
- "dom_id": "#swagger-ui",
- "deepLinking": True,
- "validatorUrl": None,
- "layout": "StandaloneLayout",
- "oauth2RedirectUrl": "oauth2-redirect",
- };
- Object.assign(uiConfig, {
- presets: [
- SwaggerUIBundle.presets.apis,
- SwaggerUIStandalonePreset,
- ],
- plugins: [
- SwaggerUIBundle.plugins.DownloadUrl,
- ],
- });
- const oauthConfig = undefined;
- // Build a system
- const ui = SwaggerUIBundle(uiConfig);
- if (oauthConfig) {
- ui.initOAuth(oauthConfig);
- }
- window.ui = ui;
-}
\ No newline at end of file
diff --git a/ansible/roles/swagger_ui/tasks/main.yml b/ansible/roles/swagger_ui/tasks/main.yml
index 30026ce..f1b03b6 100644
--- a/ansible/roles/swagger_ui/tasks/main.yml
+++ b/ansible/roles/swagger_ui/tasks/main.yml
@@ -22,9 +22,3 @@
 owner: "{{ app_username }}"
 group: "{{ app_username }}"
 mode: 0644
- - copy:
- src: "index.js"
- dest: "{{ app_dir }}/static/swagger-ui/index.js"
- owner: "{{ app_username }}"
- group: "{{ app_username }}"
- mode: 0644
diff --git a/tildes/tildes/tweens.py b/tildes/tildes/tweens.py
index 9031c1f..a4c3879 100644
--- a/tildes/tildes/tweens.py
+++ b/tildes/tildes/tweens.py
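Review bot: The `${ui_config}` and `${oauth_config}` placeholders are substituted directly into JavaScript statement position, so whatever renders this template has to emit valid JSON (json.dumps-style output, not a Python repr) or the inline script fails to parse; the index.js deleted by this same patch shows that failure mode with its `True` and `None` literals. The surrounding `<script>` markup is not visible in this extraction, so I would also confirm the tag carries the nonce attribute that the accompanying tweens.py change stores on the request, since the new CSP header allows no other inline script. A short comment above `window.onload`, such as `// ${ui_config} / ${oauth_config} are server-rendered JSON; keep them JSON-serializable`, would record that expectation for the next editor.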
@@ -3,6 +3,7 @@
 """Contains Pyramid "tweens", used to insert additional logic into request-handling."""
+import secrets
 from collections.abc import Callable
 from time import time
@@ -106,8 +107,35 @@ def theme_cookie_tween_factory(handler: Callable, registry: Registry) -> Callabl
 return theme_cookie_tween
+def inject_csp_header_tween_factory(handler: Callable, registry: Registry) -> Callable:
+ # pylint: disable=unused-argument
+ """Return a tween function that sets a CSP nonce (for Swagger UI)."""
+
+ def inject_csp_header_tween(request: Request) -> Response:
+ """Generate a CSP nonce and add it to the request and response.
+
+ Only apply to specific routes defined here, to minimize performance overhead.
+ """
+ nonce = None
+ route_name = request.matched_route.name if request.matched_route else None
+ if route_name == "pyramid_openapi3.explorer":
+ nonce = secrets.token_urlsafe(16)
+ request.csp_nonce = nonce
+
+ response = handler(request)
+
+ if nonce:
+ response.headers["Content-Security-Policy"] = (
+ f"script-src 'self' 'nonce-{nonce}'"
+ )
+ return response
+
+ return inject_csp_header_tween
+
+
 def includeme(config: Configurator) -> None:
+ """Attach Tildes tweens to the Pyramid config."""
+ config.add_tween("tildes.tweens.http_method_tween_factory")
+ config.add_tween("tildes.tweens.metrics_tween_factory")
+ config.add_tween("tildes.tweens.theme_cookie_tween_factory")
+ config.add_tween("tildes.tweens.inject_csp_header_tween_factory")
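Review bot: `response.headers["Content-Security-Policy"] = (...)` in inject_csp_header_tween overwrites any CSP already set on the response for the explorer route, and the value it writes restricts only `script-src`, leaving `object-src` and `base-uri` unrestricted on a page that executes a nonced inline script. I would extend the value to `f"script-src 'self' 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"`, and if a site-wide CSP is also emitted somewhere not visible here (the web server or another tween), verify that it permits this inline script, since browsers enforce every CSP header present on a response. The `route_name == "pyramid_openapi3.explorer"` comparison hard-codes a single route while the docstring says "specific routes defined here"; a module-level tuple such as `CSP_NONCE_ROUTES = ("pyramid_openapi3.explorer",)` checked with `in` would match the docstring and keep later additions to one line. theme_cookie_tween_factory begins before this hunk, so only its final `return` is visible.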