feat: add CSP header (#908)

Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>

backend/internal/bootstrap/router_bootstrap.go

@@ -86,6 +86,7 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 
 	// Setup global middleware
 	r.Use(middleware.NewCorsMiddleware().Add())
+	r.Use(middleware.NewCspMiddleware().Add())
 	r.Use(middleware.NewErrorHandlerMiddleware().Add())
 
 	err := frontend.RegisterFrontend(r)
@@ -109,6 +110,7 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	controller.NewAuditLogController(apiGroup, svc.auditLogService, authMiddleware)
 	controller.NewUserGroupController(apiGroup, authMiddleware, svc.userGroupService)
 	controller.NewCustomClaimController(apiGroup, authMiddleware, svc.customClaimService)
+	controller.NewVersionController(apiGroup, svc.versionService)
 
 	// Add test controller in non-production environments
 	if common.EnvConfig.AppEnv != "production" {

backend/internal/bootstrap/services_bootstrap.go

@@ -23,6 +23,7 @@ type services struct {
 	userGroupService   *service.UserGroupService
 	ldapService        *service.LdapService
 	apiKeyService      *service.ApiKeyService
+	versionService     *service.VersionService
 }
 
 // Initializes all services
@@ -62,5 +63,7 @@ func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client) (sv
 	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService)
 	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)
 
+	svc.versionService = service.NewVersionService(httpClient)
+
 	return svc, nil
 }

backend/internal/controller/version_controller.go

@@ -0,0 +1,40 @@
+package controller
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+// NewVersionController registers version-related routes.
+func NewVersionController(group *gin.RouterGroup, versionService *service.VersionService) {
+	vc := &VersionController{versionService: versionService}
+	group.GET("/version/latest", vc.getLatestVersionHandler)
+}
+
+type VersionController struct {
+	versionService *service.VersionService
+}
+
+// getLatestVersionHandler godoc
+// @Summary Get latest available version of Pocket ID
+// @Tags Version
+// @Produce json
+// @Success 200 {object} map[string]string "Latest version information"
+// @Router /api/version/latest [get]
+func (vc *VersionController) getLatestVersionHandler(c *gin.Context) {
+	tag, err := vc.versionService.GetLatestVersion(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	utils.SetCacheControlHeader(c, 5*time.Minute, 15*time.Minute)
+
+	c.JSON(http.StatusOK, gin.H{
+		"latestVersion": tag,
+	})
+}

backend/internal/middleware/csp_middleware.go

@@ -0,0 +1,53 @@
+package middleware
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+
+	"github.com/gin-gonic/gin"
+)
+
+// CspMiddleware sets a Content Security Policy header and, when possible,
+// includes a per-request nonce for inline scripts.
+type CspMiddleware struct{}
+
+func NewCspMiddleware() *CspMiddleware { return &CspMiddleware{} }
+
+// GetCSPNonce returns the CSP nonce generated for this request, if any.
+func GetCSPNonce(c *gin.Context) string {
+	if v, ok := c.Get("csp_nonce"); ok {
+		if s, ok := v.(string); ok {
+			return s
+		}
+	}
+	return ""
+}
+
+func (m *CspMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Generate a random base64 nonce for this request
+		nonce := generateNonce()
+		c.Set("csp_nonce", nonce)
+
+		csp := "default-src 'self'; " +
+			"base-uri 'self'; " +
+			"object-src 'none'; " +
+			"frame-ancestors 'none'; " +
+			"form-action 'self'; " +
+			"img-src 'self' data: blob:; " +
+			"font-src 'self'; " +
+			"style-src 'self' 'unsafe-inline'; " +
+			"script-src 'self' 'nonce-" + nonce + "'"
+
+		c.Writer.Header().Set("Content-Security-Policy", csp)
+		c.Next()
+	}
+}
+
+func generateNonce() string {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		return "" // if generation fails, return empty; policy will omit nonce
+	}
+	return base64.RawURLEncoding.EncodeToString(b)
+}

backend/internal/service/version_service.go

@@ -0,0 +1,74 @@
+package service
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+const (
+	versionTTL      = 15 * time.Minute
+	versionCheckURL = "https://api.github.com/repos/pocket-id/pocket-id/releases/latest"
+)
+
+type VersionService struct {
+	httpClient *http.Client
+	cache      *utils.Cache[string]
+}
+
+func NewVersionService(httpClient *http.Client) *VersionService {
+	return &VersionService{
+		httpClient: httpClient,
+		cache:      utils.New[string](versionTTL),
+	}
+}
+
+func (s *VersionService) GetLatestVersion(ctx context.Context) (string, error) {
+	version, err := s.cache.GetOrFetch(ctx, func(ctx context.Context) (string, error) {
+		reqCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+		defer cancel()
+
+		req, err := http.NewRequestWithContext(reqCtx, http.MethodGet, versionCheckURL, nil)
+		if err != nil {
+			return "", fmt.Errorf("create GitHub request: %w", err)
+		}
+
+		resp, err := s.httpClient.Do(req)
+		if err != nil {
+			return "", fmt.Errorf("get latest tag: %w", err)
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			return "", fmt.Errorf("GitHub API returned status %d", resp.StatusCode)
+		}
+
+		var payload struct {
+			TagName string `json:"tag_name"`
+		}
+		if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+			return "", fmt.Errorf("decode payload: %w", err)
+		}
+
+		if payload.TagName == "" {
+			return "", fmt.Errorf("GitHub API returned empty tag name")
+		}
+
+		return strings.TrimPrefix(payload.TagName, "v"), nil
+	})
+
+	var staleErr *utils.ErrStale
+	if errors.As(err, &staleErr) {
+		slog.Warn("Failed to fetch latest version, returning stale cache", "error", staleErr.Err)
+		return version, nil
+	}
+
+	return version, err
+}

backend/internal/utils/cache_util.go

@@ -0,0 +1,78 @@
+package utils
+
+import (
+	"context"
+	"sync/atomic"
+	"time"
+
+	"golang.org/x/sync/singleflight"
+)
+
+type CacheEntry[T any] struct {
+	Value     T
+	FetchedAt time.Time
+}
+
+type ErrStale struct {
+	Err error
+}
+
+func (e *ErrStale) Error() string { return "returned stale cache: " + e.Err.Error() }
+func (e *ErrStale) Unwrap() error { return e.Err }
+
+type Cache[T any] struct {
+	ttl   time.Duration
+	entry atomic.Pointer[CacheEntry[T]]
+	sf    singleflight.Group
+}
+
+func New[T any](ttl time.Duration) *Cache[T] {
+	return &Cache[T]{ttl: ttl}
+}
+
+// Get returns the cached value if it's still fresh.
+func (c *Cache[T]) Get() (T, bool) {
+	entry := c.entry.Load()
+	if entry == nil {
+		var zero T
+		return zero, false
+	}
+	if time.Since(entry.FetchedAt) < c.ttl {
+		return entry.Value, true
+	}
+	var zero T
+	return zero, false
+}
+
+// GetOrFetch returns the cached value if it's still fresh, otherwise calls fetch to get a new value.
+func (c *Cache[T]) GetOrFetch(ctx context.Context, fetch func(context.Context) (T, error)) (T, error) {
+	// If fresh, serve immediately
+	if v, ok := c.Get(); ok {
+		return v, nil
+	}
+
+	// Fetch with singleflight to prevent multiple concurrent fetches
+	vAny, err, _ := c.sf.Do("singleton", func() (any, error) {
+		if v2, ok := c.Get(); ok {
+			return v2, nil
+		}
+		val, fetchErr := fetch(ctx)
+		if fetchErr != nil {
+			return nil, fetchErr
+		}
+		c.entry.Store(&CacheEntry[T]{Value: val, FetchedAt: time.Now()})
+		return val, nil
+	})
+
+	if err == nil {
+		return vAny.(T), nil
+	}
+
+	// Fetch failed. Return stale if possible.
+	if e := c.entry.Load(); e != nil {
+		return e.Value, &ErrStale{Err: err}
+	}
+
+	var zero T
+	return zero, err
+}