lashman/echoboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

allow embed assets to load in iframes, use unicode domain for invite links

Browse Source
This commit is contained in:
lashman
2026-03-22 18:02:49 +02:00
parent 9c02623655
commit d88fd52fbe
2 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/api/src/middleware/security.ts
View File

@@ -4,8 +4,9 @@ import fp from "fastify-plugin";
async function securityPlugin(app: FastifyInstance) {
app.addHook("onSend", async (req, reply) => {
const isEmbed = req.url.startsWith("/api/v1/embed/") || req.url.startsWith("/embed/");
const isAsset = req.url.startsWith("/assets/") || req.url.startsWith("/favicon") || req.url.startsWith("/icon-") || req.url.endsWith(".js") || req.url.endsWith(".css");
if (isEmbed) {
if (isEmbed || isAsset) {
// embed routes need to be frameable by third-party sites
reply.header("Content-Security-Policy", [
"default-src 'self'",

4
packages/api/src/routes/admin/team.ts
View File

@@ -103,7 +103,9 @@ export default async function adminTeamRoutes(app: FastifyInstance) {
},
});
const inviteUrl = `${config.WEBAUTHN_ORIGIN}/admin/join/${token}`;
const protocol = config.WEBAUTHN_ORIGIN.startsWith("https") ? "https" : "http";
const prettyHost = config.WEBAUTHN_RP_ID || new URL(config.WEBAUTHN_ORIGIN).hostname;
const inviteUrl = `${protocol}://${prettyHost}/admin/join/${token}`;
reply.status(201).send({ inviteUrl, token, recoveryPhrase, expiresAt });
}
);