Fix #34

Fix #33
Fix CSP config
2023-06-20 15:47:00 +02:00 · 2023-06-20 15:45:09 +02:00 · 2023-06-20 15:30:30 +02:00 · 2023-06-20 15:09:48 +02:00
5 changed files with 34 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -88,6 +88,8 @@ Copy `apache2.conf.EXAMPLE` to `/etc/apache2/sites-available/moshingmammut.conf`
 Domain. If you do not need or want SSL support, remove the whole `<IfModule mod_ssl.c>` block.
 If you do, add the path to your SSLCertificateFile and SSLCertificateKeyFile.

+Modify DocumentRoot and the two Alias and Directory statements, so that thumbnails and avatars are served directly by apache.
+
 Copy `moshing-mammut.service.EXAMPLE` to `/etc/systemd/system/moshing-mammut.service`
 and set your `User`, `Group`, `ExecStart` and `WorkingDirectory` accordingly.

--- a/apache2.conf.EXAMPLE
+++ b/apache2.conf.EXAMPLE
@ -15,6 +15,23 @@

    Include /etc/letsencrypt/options-ssl-apache.conf

+    DocumentRoot /home/moshing-mammut/app/
+
+    ProxyPass /avatars/ !
+    ProxyPass /thumbnails/ !
+    Alias /avatars/ /home/moshing-mammut/app/avatars/
+    Alias /thumbnails/ /home/moshing-mammut/app/thumbnails/
+
+    <Directory "/home/moshing-mammut/app/avatars/">
+      Require all granted
+      Header set Cache-Control "public,max-age=31536000,immutable"
+    </Directory>
+
+    <Directory "/home/moshing-mammut/app/thumbnails/">
+      Require all granted
+      Header set Cache-Control "public,max-age=31536000,immutable"
+    </Directory>
+
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/

--- a/src/app.html
+++ b/src/app.html
@ -10,6 +10,10 @@
    <meta name="apple-mobile-web-app-title" content="Moshing Mammut" />
    <meta name="application-name" content="Moshing Mammut" />
    <meta name="msapplication-TileColor" content="#2e0b78" />
+    <meta
+      name="description"
+      content="A collection of music recommendations and now-listenings by the users of metalhead.club"
+    />

    <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
    <meta name="theme-color" content="#17063b" media="(prefers-color-scheme: dark)" />
--- a/src/lib/server/timeline.ts
+++ b/src/lib/server/timeline.ts
@ -4,7 +4,7 @@ import {
  ODESLI_API_KEY,
  YOUTUBE_API_KEY
 } from '$env/static/private';
-import { enableVerboseLog, log } from '$lib/log';
+import { log } from '$lib/log';
 import type {
  Account,
  AccountAvatar,
@ -59,17 +59,13 @@ export class TimelineReader {
    }

    const item = respObj.items[0];
-    if (!item.snippet) {
-      console.warn('Could not load snippet for video', videoId, item);
-      return false;
-    }
-    if (item.snippet.tags?.includes('music')) {
+    if (item.tags?.includes('music')) {
      return true;
    }

    const categorySearchParams = new URLSearchParams([
      ['part', 'snippet'],
-      ['id', item.snippet.categoryId],
+      ['id', item.categoryId],
      ['key', YOUTUBE_API_KEY]
    ]);
    const youtubeCategoryUrl = new URL(
@ -77,25 +73,7 @@ export class TimelineReader {
    );
    const categoryTitle: string = await fetch(youtubeCategoryUrl)
      .then((r) => r.json())
-      .then((r) => r.items[0]?.snippet?.title);
-    if (enableVerboseLog) {
-      log.verbose(
-        'Video',
-        videoId,
-        'category',
-        categoryTitle,
-        'tags',
-        item.snippet.tags,
-        'category id',
-        item.snippet.categoryId,
-        'response',
-        respObj,
-        'snippet',
-        item.snippet
-      );
-    } else {
-      log.debug('Video', videoId, 'category', categoryTitle);
-    }
+      .then((r) => r.items[0]?.title);
    return categoryTitle === 'Music';
  }

--- a/svelte.config.js
+++ b/svelte.config.js
@ -11,15 +11,14 @@ const config = {
    // adapter-auto only supports some environments, see https://kit.svelte.dev/docs/adapter-auto for a list.
    // If your environment is not supported or you settled on a specific environment, switch out the adapter.
    // See https://kit.svelte.dev/docs/adapters for more information about adapters.
-    adapter: adapter()
-  },
+    adapter: adapter(),

-  csp: {
-    directives: {
-      'script-src': ['self']
-    },
-    reportOnly: {
-      'script-src': ['self']
+    csp: {
+      directives: {
+        'script-src': ['self', 'unsafe-inline'],
+        'base-uri': ['self'],
+        'object-src': ['none']
+      }
    }
  }
 };
Author	SHA1	Message	Date
Max Nuding	87b8317c90	Fix #34	2023-06-20 15:47:00 +02:00
Max Nuding	e103bef84c	Fix #33	2023-06-20 15:45:09 +02:00
Max Nuding	6d13aed0f0	Fix CSP config	2023-06-20 15:30:30 +02:00
Max Nuding	185d28c295	Fix CSP config being in the wrong section	2023-06-20 15:09:48 +02:00