From d88fd52fbe65c90a714a8ba93634781b7451eda5 Mon Sep 17 00:00:00 2001
From: lashman
Date: Sun, 22 Mar 2026 18:02:49 +0200
Subject: [PATCH] allow embed assets to load in iframes, use unicode domain for invite links
---
 packages/api/src/middleware/security.ts | 3 ++-
 packages/api/src/routes/admin/team.ts | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/packages/api/src/middleware/security.ts b/packages/api/src/middleware/security.ts
index 378ef9e..0d5d5cb 100644
--- a/packages/api/src/middleware/security.ts
+++ b/packages/api/src/middleware/security.ts
@@ -4,8 +4,9 @@ import fp from "fastify-plugin";
 async function securityPlugin(app: FastifyInstance) {
 app.addHook("onSend", async (req, reply) => {
 const isEmbed = req.url.startsWith("/api/v1/embed/") || req.url.startsWith("/embed/");
+ const isAsset = req.url.startsWith("/assets/") || req.url.startsWith("/favicon") || req.url.startsWith("/icon-") || req.url.endsWith(".js") || req.url.endsWith(".css");
- if (isEmbed) {
+ if (isEmbed || isAsset) {
 // embed routes need to be frameable by third-party sites
 reply.header("Content-Security-Policy", [
 "default-src 'self'",
diff --git a/packages/api/src/routes/admin/team.ts b/packages/api/src/routes/admin/team.ts
index 9d30fb9..2ceaca6 100644
--- a/packages/api/src/routes/admin/team.ts
+++ b/packages/api/src/routes/admin/team.ts
@@ -103,7 +103,9 @@ export default async function adminTeamRoutes(app: FastifyInstance) {
 },
 });
- const inviteUrl = `${config.WEBAUTHN_ORIGIN}/admin/join/${token}`;
+ const protocol = config.WEBAUTHN_ORIGIN.startsWith("https") ? "https" : "http";
+ const prettyHost = config.WEBAUTHN_RP_ID || new URL(config.WEBAUTHN_ORIGIN).hostname;
+ const inviteUrl = `${protocol}://${prettyHost}/admin/join/${token}`;
 reply.status(201).send({ inviteUrl, token, recoveryPhrase, expiresAt });
 }
 );
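Review bot: The new `isAsset` predicate matches by bare URL suffix, so any request whose path ends in `.js` or `.css` — not just files under the static asset prefix — is served with the relaxed embed policy, and if a catch-all route returns the SPA document for unknown paths, that document becomes frameable too. Fastify's `req.url` also carries the query string, so a cache-busted `/assets/app.js?v=1` is still caught by the `/assets/` prefix but any suffix-only match misses it; testing against the pathname, e.g. `const path = req.url.split("?", 1)[0];`, and then either scoping the suffix checks to the asset prefix or listing the bundler's known output paths explicitly would make the intent checkable. The existing comment `// embed routes need to be frameable by third-party sites` no longer describes the branch; `// embed routes and static assets share the relaxed, frameable policy` would. Since CSP `frame-ancestors` applies to documents rather than to script or stylesheet responses, it is worth confirming which header on the default branch (not shown here) was actually blocking the assets before widening this one. The onSend hook and the CSP directive array both continue past the end of the hunk.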
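Review bot: The rebuilt `inviteUrl` drops the port of `config.WEBAUTHN_ORIGIN`, so a dev origin like `http://localhost:3000` (constructed example) produces a link to `http://localhost/admin/join/…`, and `new URL(...).hostname` returns the punycode (ASCII) form, so the fallback does not yield the unicode host the subject describes. A WebAuthn RP ID may also be a registrable parent of the origin's host, in which case `WEBAUTHN_RP_ID` names a host that may not serve `/admin/join` at all; if the aim is only a readable hostname, deriving protocol and port from the parsed origin (and, for the display form, `domainToUnicode` from `node:url`) keeps the link pointing at the configured origin. The enclosing route handler and `adminTeamRoutes` both start before the hunk.
```typescript
// … unchanged: invite record creation …
const origin = new URL(config.WEBAUTHN_ORIGIN);
const host = config.WEBAUTHN_RP_ID || origin.hostname;
const portSuffix = origin.port ? `:${origin.port}` : "";
const inviteUrl = `${origin.protocol}//${host}${portSuffix}/admin/join/${token}`;
reply.status(201).send({ inviteUrl, token, recoveryPhrase, expiresAt });
```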