justinmayer / kagi

WebAuthn security keys and TOTP multi-factor authentication for Django
BSD 2-Clause "Simplified" License
91 stars 10 forks

Remove inline JS for Kagi URLs in webauthn setup #65

Open MarkusH opened 1 year ago

MarkusH commented 1 year ago

The current kagi/templates/kagi/base.html contains the following content:

<script>
    window.Kagi = window.Kagi || {};
    Kagi.begin_activate = '{% url 'kagi:begin-activate' %}';
    Kagi.begin_assertion = '{% url 'kagi:begin-assertion' %}';
    Kagi.verify_credential_info = '{% url 'kagi:verify-credential-info' %}';
    Kagi.verify_assertion = '{% url 'kagi:verify-assertion' %}';
    Kagi.keys_list = '{% url 'kagi:webauthn-keys' %}';
</script>

This is not ideal when considering adding CSPs to a site. Instead, we should probably use json_script:

{{ kagi_urls | json_script:"kagi-urls" }}

This would then result in:

<script id="kagi-urls" type="application/json">
{
    "begin_activate": "/kagi/api/begin-activate/",
    "begin_assertion": "/kagi/api/begin-assertion/",
    "verify_credential_info": "/kagi/api/verify-credential-info/",
    "verify_assertion": "/kagi/api/verify-assertion/"
}
</script>

That said, keys_list doesn't appear to be used.
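As an added illustration of the browser side of this proposal (example code, not part of kagi), the snippet below shows what replaces the inline assignments to window.Kagi once the URLs live in the json_script tag: it reads the tag's text, checks that every expected endpoint is present and is a same-origin path before any WebAuthn request is sent to it, and mirrors the escaping json_script applies so the reason it is safe to embed data this way is visible. The jsonScriptBody and loadKagiUrls names and the key check are assumptions for this example; the sample JSON is constructed from the output shown above.

```javascript
// Expected keys, matching the json_script output above (the unused
// keys_list is deliberately left out).
const KAGI_URL_KEYS = [
  "begin_activate",
  "begin_assertion",
  "verify_credential_info",
  "verify_assertion",
];

// Mirror of the escaping Django's json_script filter applies: '<', '>' and
// '&' become JSON unicode escapes, so no value can close the <script> tag,
// and nothing is ever evaluated as JS. (Assumption: reproduces
// django.utils.html.json_script; it is not the project's own code.)
function jsonScriptBody(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003C")
    .replace(/>/g, "\\u003E")
    .replace(/&/g, "\\u0026");
}

// Parse the text of <script id="kagi-urls" type="application/json"> and
// require each endpoint to be a same-origin path ("/..." but not "//...")
// before the WebAuthn code POSTs credentials to it. Throws otherwise.
function loadKagiUrls(jsonText) {
  const data = JSON.parse(jsonText);
  const urls = {};
  for (const key of KAGI_URL_KEYS) {
    const value = data[key];
    if (typeof value !== "string" || !value.startsWith("/") || value.startsWith("//")) {
      throw new Error(`kagi-urls: ${key} is missing or not a same-origin path`);
    }
    urls[key] = value;
  }
  return urls;
}

// Constructed sample: the text the json_script tag would contain.
const SAMPLE_KAGI_URLS_JSON = jsonScriptBody({
  begin_activate: "/kagi/api/begin-activate/",
  begin_assertion: "/kagi/api/begin-assertion/",
  verify_credential_info: "/kagi/api/verify-credential-info/",
  verify_assertion: "/kagi/api/verify-assertion/",
});

// In the browser this replaces the inline script:
//   window.Kagi = loadKagiUrls(document.getElementById("kagi-urls").textContent);
const Kagi = loadKagiUrls(SAMPLE_KAGI_URLS_JSON);
```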