From 9a320ba8149a3efae1235b3b68dbf1bbad423e0d Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Fri, 16 Dec 2022 11:50:25 +0000 Subject: [PATCH] make 2fa UI less awful --- .gitattributes | 3 +- lib/pleroma/web/plugs/http_security_plug.ex | 4 +- lib/pleroma/web/preload.ex | 9 ++- .../templates/o_auth/mfa/recovery.html.eex | 47 ++++++----- .../web/templates/o_auth/mfa/totp.html.eex | 48 ++++++------ .../o_auth/o_auth/oob_token_exists.html.eex | 10 ++- .../web/templates/o_auth/o_auth/show.html.eex | 64 ++++++++------- priv/static/static-fe/forms.css | 78 +++++++++++++++---- 8 files changed, 163 insertions(+), 100 deletions(-) diff --git a/.gitattributes b/.gitattributes index 7273afe43..ac67c53c2 100644 --- a/.gitattributes +++ b/.gitattributes @@ -7,5 +7,4 @@ *.js.map binary *.css binary -priv/static/instance/static.css diff=css -priv/static/static-fe/static-fe.css diff=css +*.css diff=css diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex index 6593347ca..5f0b775be 100644 --- a/lib/pleroma/web/plugs/http_security_plug.ex +++ b/lib/pleroma/web/plugs/http_security_plug.ex @@ -111,8 +111,8 @@ defp csp_string(conn) do ["connect-src 'self' blob: ", static_url, ?\s, websocket_url] end - style_src = "style-src 'self' '#{nonce_tag}'" - font_src = "font-src 'self' '#{nonce_tag}' data:" + style_src = "style-src 'self' 'unsafe-inline'" + font_src = "font-src 'self' data:" script_src = if Config.get(:env) == :dev do diff --git a/lib/pleroma/web/preload.ex b/lib/pleroma/web/preload.ex index 34a181e17..e554965a2 100644 --- a/lib/pleroma/web/preload.ex +++ b/lib/pleroma/web/preload.ex @@ -5,7 +5,7 @@ defmodule Pleroma.Web.Preload do alias Phoenix.HTML - def build_tags(_conn, params) do + def build_tags(%{assigns: %{csp_nonce: nonce}} = conn, params) do preload_data = Enum.reduce(Pleroma.Config.get([__MODULE__, :providers], []), %{}, fn parser, acc -> terms = 
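Review bot: Replacing the nonce with `'unsafe-inline'` on the `+ style_src` line weakens the CSP for every response the plug serves, not only the static 2FA pages: any injected `<style>` element or `style=` attribute is now honoured, which re-opens the CSS-based exfiltration and UI-redress vectors the nonce existed to block. The commit message gives no reason; if the motivation is the new `forms.css`, that is an external stylesheet already allowed by `'self'`, and an inline `<style>` block in a template can carry `nonce="<%= @conn.assigns.csp_nonce %>"` instead. Dropping the nonce from `font-src` is fine on its own, since nonces are only defined for script and style sources. If `'unsafe-inline'` is genuinely required for `style=` attributes (which a nonce cannot cover), record that on the line, e.g. `# 'unsafe-inline': static-fe templates use style attributes, which nonces cannot allow-list`. `csp_string/1` starts and ends outside the hunk.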
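Review bot: The new head `build_tags(%{assigns: %{csp_nonce: nonce}} = conn, params)` raises `FunctionClauseError` for any conn without a `:csp_nonce` assign, where the old `_conn` clause accepted everything; whether such conns can reach this function depends on the plug pipeline, which is outside the hunk, so either confirm that or make it tolerant with `nonce = conn.assigns[:csp_nonce]` in the body (a `nil` attribute is simply omitted from the tag). The binding `conn` is also unused in the visible lines; if the rest of the body does not use it, keep `_conn` or drop the `= conn` to avoid the compiler warning. The function body continues past the hunk.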
@@ -20,16 +20,17 @@ def build_tags(_conn, params) do rendered_html = preload_data |> Jason.encode!() - |> build_script_tag() + |> build_script_tag(nonce) |> HTML.safe_to_string() rendered_html end - def build_script_tag(content) do + def build_script_tag(content, nonce) do HTML.Tag.content_tag(:script, HTML.raw(content), id: "initial-results", - type: "application/json" + type: "application/json", + nonce: nonce ) end end diff --git a/lib/pleroma/web/templates/o_auth/mfa/recovery.html.eex b/lib/pleroma/web/templates/o_auth/mfa/recovery.html.eex index e45d13bdf..ee40cf277 100644 --- a/lib/pleroma/web/templates/o_auth/mfa/recovery.html.eex +++ b/lib/pleroma/web/templates/o_auth/mfa/recovery.html.eex @@ -1,24 +1,29 @@ -<%= if get_flash(@conn, :info) do %> - -<% end %> -<%= if get_flash(@conn, :error) do %> - -<% end %> +
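Review bot: `build_script_tag/2` replaces the public `build_script_tag/1` outright, which breaks any external caller of the arity-1 function; a one-line shim `def build_script_tag(content), do: build_script_tag(content, nil)` keeps it compatible because `content_tag` drops a `nil` attribute. As far as I can tell the nonce does nothing here anyway: a `type="application/json"` data block is never executed, so CSP does not evaluate it. Separately, and not changed by this commit, the JSON is injected with `HTML.raw/1` after a plain `Jason.encode!/1`; unless that call uses `escape: :html_safe`, a `</script>` sequence inside preloaded data would close the element early, so that is worth confirming.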
+ <%= if get_flash(@conn, :info) do %> + + <% end %> + <%= if get_flash(@conn, :error) do %> + + <% end %> +
+ <%= Gettext.dpgettext("static_pages", "mfa recover page title", "Two-factor recovery") %> +
+
+ <%= form_for @conn, Routes.mfa_verify_path(@conn, :verify), [as: "mfa"], fn f -> %> +
+ <%= label f, :code, Gettext.dpgettext("static_pages", "mfa recover recovery code prompt", "Recovery code") %> + <%= text_input f, :code, [autocomplete: false, autocorrect: "off", autocapitalize: "off", autofocus: true, spellcheck: false] %> + <%= hidden_input f, :mfa_token, value: @mfa_token %> + <%= hidden_input f, :state, value: @state %> + <%= hidden_input f, :redirect_uri, value: @redirect_uri %> + <%= hidden_input f, :challenge_type, value: "recovery" %> +
-

<%= Gettext.dpgettext("static_pages", "mfa recover page title", "Two-factor recovery") %>

+ <%= submit Gettext.dpgettext("static_pages", "mfa recover verify recovery code button", "Verify") %> + <% end %> + "> + <%= Gettext.dpgettext("static_pages", "mfa recover use 2fa code link", "Enter a two-factor code") %> + -<%= form_for @conn, Routes.mfa_verify_path(@conn, :verify), [as: "mfa"], fn f -> %> -
- <%= label f, :code, Gettext.dpgettext("static_pages", "mfa recover recovery code prompt", "Recovery code") %> - <%= text_input f, :code, [autocomplete: false, autocorrect: "off", autocapitalize: "off", autofocus: true, spellcheck: false] %> - <%= hidden_input f, :mfa_token, value: @mfa_token %> - <%= hidden_input f, :state, value: @state %> - <%= hidden_input f, :redirect_uri, value: @redirect_uri %> - <%= hidden_input f, :challenge_type, value: "recovery" %> +
- -<%= submit Gettext.dpgettext("static_pages", "mfa recover verify recovery code button", "Verify") %> -<% end %> -"> - <%= Gettext.dpgettext("static_pages", "mfa recover use 2fa code link", "Enter a two-factor code") %> - diff --git a/lib/pleroma/web/templates/o_auth/mfa/totp.html.eex b/lib/pleroma/web/templates/o_auth/mfa/totp.html.eex index 50e6c04b6..734e62112 100644 --- a/lib/pleroma/web/templates/o_auth/mfa/totp.html.eex +++ b/lib/pleroma/web/templates/o_auth/mfa/totp.html.eex @@ -1,24 +1,28 @@ -<%= if get_flash(@conn, :info) do %> - -<% end %> -<%= if get_flash(@conn, :error) do %> - -<% end %> +
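Review bot: On the `text_input f, :code` line of the recovery form, `autocomplete: false` does not emit `autocomplete="off"`: Phoenix.HTML omits attributes whose value is `false`, so the field gets the browser's default autofill behaviour, which is not what you want for a single-use recovery code; change it to `autocomplete: "off"` (the TOTP form in this same commit correctly uses the string form). The hidden `redirect_uri` and `state` inputs round-trip client-supplied values into `Routes.mfa_verify_path`; that is pre-existing, but it is worth confirming the verify action checks `redirect_uri` against the app's registered URIs rather than trusting the form value. The surrounding HTML tags are stripped in this listing, so the wrapping elements themselves could not be reviewed.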
+ <%= if get_flash(@conn, :info) do %> + + <% end %> + <%= if get_flash(@conn, :error) do %> + + <% end %> +
+ <%= Gettext.dpgettext("static_pages", "mfa auth page title", "Two-factor authentication") %> +
+
+ <%= form_for @conn, Routes.mfa_verify_path(@conn, :verify), [as: "mfa"], fn f -> %> +
+ <%= label f, :code, Gettext.dpgettext("static_pages", "mfa auth code prompt", "Authentication code") %> + <%= text_input f, :code, [autocomplete: "one-time-code", autocorrect: "off", autocapitalize: "off", autofocus: true, pattern: "[0-9]*", spellcheck: false] %> + <%= hidden_input f, :mfa_token, value: @mfa_token %> + <%= hidden_input f, :state, value: @state %> + <%= hidden_input f, :redirect_uri, value: @redirect_uri %> + <%= hidden_input f, :challenge_type, value: "totp" %> +
-

<%= Gettext.dpgettext("static_pages", "mfa auth page title", "Two-factor authentication") %>

- -<%= form_for @conn, Routes.mfa_verify_path(@conn, :verify), [as: "mfa"], fn f -> %> -
- <%= label f, :code, Gettext.dpgettext("static_pages", "mfa auth code prompt", "Authentication code") %> - <%= text_input f, :code, [autocomplete: "one-time-code", autocorrect: "off", autocapitalize: "off", autofocus: true, pattern: "[0-9]*", spellcheck: false] %> - <%= hidden_input f, :mfa_token, value: @mfa_token %> - <%= hidden_input f, :state, value: @state %> - <%= hidden_input f, :redirect_uri, value: @redirect_uri %> - <%= hidden_input f, :challenge_type, value: "totp" %> + <%= submit Gettext.dpgettext("static_pages", "mfa auth verify code button", "Verify") %> + <% end %> + "> + <%= Gettext.dpgettext("static_pages", "mfa auth page use recovery code link", "Enter a two-factor recovery code") %> + +
- -<%= submit Gettext.dpgettext("static_pages", "mfa auth verify code button", "Verify") %> -<% end %> -"> - <%= Gettext.dpgettext("static_pages", "mfa auth page use recovery code link", "Enter a two-factor recovery code") %> - diff --git a/lib/pleroma/web/templates/o_auth/o_auth/oob_token_exists.html.eex b/lib/pleroma/web/templates/o_auth/o_auth/oob_token_exists.html.eex index 754bf2eb0..11671fa1c 100644 --- a/lib/pleroma/web/templates/o_auth/o_auth/oob_token_exists.html.eex +++ b/lib/pleroma/web/templates/o_auth/o_auth/oob_token_exists.html.eex @@ -1,2 +1,8 @@ -
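Review bot: The TOTP code input relies on `pattern: "[0-9]*"` alone to get a numeric keypad, which is a legacy iOS heuristic and enforces nothing server-side; adding `inputmode: "numeric"` next to it on the `text_input f, :code` line is the standard way to request a digit keyboard, and a `maxlength` matching the configured TOTP digit length would also reject over-long pastes (the digit setting is not visible from here, so pick it from the TOTP config rather than hard-coding 6). The input and hidden fields are otherwise unchanged from the pre-move template, and the HTML tags are stripped in this listing, so the wrapping elements could not be reviewed.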

<%= Gettext.dpgettext("static_pages", "oauth authorization exists page title", "Authorization exists") %>

-

<%= raw Gettext.dpgettext("static_pages", "oauth token code message", "Token code is
%{token}", token: safe_to_string(html_escape(@token.token))) %>

+
+
+ <%= Gettext.dpgettext("static_pages", "oauth authorization exists page title", "Authorization exists") %> +
+
+ <%= raw Gettext.dpgettext("static_pages", "oauth token code message", "Token code is
%{token}", token: safe_to_string(html_escape(@token.token))) %> +
+
diff --git a/lib/pleroma/web/templates/o_auth/o_auth/show.html.eex b/lib/pleroma/web/templates/o_auth/o_auth/show.html.eex index 48c3c5eb9..986e6ffce 100644 --- a/lib/pleroma/web/templates/o_auth/o_auth/show.html.eex +++ b/lib/pleroma/web/templates/o_auth/o_auth/show.html.eex @@ -10,11 +10,13 @@ <%= if @user do %>