Currently apps are broken if they have exports in the JS entry point,
because they then will import from the entry point but because they do
not know about the Nextcloud cache buster they will import without cache
buster.
This results in two problems:
1. The module might be outdated (old cached)
2. The module is duplicated, so the module will be loaded twice and will
have two different - out of sync - states. This also means it will
re-run side effects of the entry point.
To fix this we generate an import map which basically maps the plain
entry point script to the script with cache buster added.
(Some background: Bundler will try to minimize chunks (reduce page
loading time) so they can inline modules into entry points and thus
extend the entry point exports and then this issue would be caused).
For example:
```js
// entry.mjs
console.error('called')
async function onClick() {
	await import('./chunk.mjs')
}
export const name = 'foo'

// chunk.mjs
import { name } from './entry.mjs'
console.error(name)
```
When calling `onClick` without this fix the output will be:
> called
> called
> foo
With this fix:
> called
> foo
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
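The duplication described in the commit message above, modelled as an added example (not code from the commit or from Nextcloud): a module map keyed by resolved URL, with and without an import map. The host, paths, version string and `?v=` cache buster format are assumptions made for the illustration.

```js
// Added illustration, not Nextcloud code. The host, paths and the "?v=" cache
// buster format are constructed assumptions.
const ENTRY = 'https://cloud.example/apps/demo/js/entry.mjs'
const VERSION = 'abc123'

// Map every plain entry point URL to the URL the page actually loads.
function buildImportMap(entryUrls, version) {
	const imports = {}
	for (const url of entryUrls) {
		imports[url] = `${url}?v=${encodeURIComponent(version)}`
	}
	return { imports }
}

// Resolve a relative specifier against the importing module, then apply
// exact-match import map entries (the only kind generated above).
function resolve(specifier, referrer, importMap) {
	const url = new URL(specifier, referrer).href
	return importMap?.imports?.[url] ?? url
}

// Model the browser's module map: one module instance per resolved URL.
function loadGraph(importMap) {
	const moduleMap = new Set()
	const entryUrl = `${ENTRY}?v=${VERSION}` // URL used by the <script> tag
	moduleMap.add(entryUrl)
	const chunkUrl = resolve('./chunk.mjs', entryUrl, importMap)
	moduleMap.add(chunkUrl)
	// chunk.mjs imports './entry.mjs' and knows nothing about the cache buster
	const entryFromChunk = resolve('./entry.mjs', chunkUrl, importMap)
	moduleMap.add(entryFromChunk)
	const entryInstances = [...moduleMap].filter((u) => u.startsWith(ENTRY)).length
	return { entryFromChunk, entryInstances }
}

console.log(loadGraph(null)) // no import map
console.log(loadGraph(buildImportMap([ENTRY], VERSION)))
```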
Otherwise we only take those added through deprecated method C_Util::addHeader, not those of
OC\Template\Template::addHeader, which does nothing
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
The password confirmation dialog is always shown unless the user backend
does not allow password confirmation. A user backend may explicitly
provide that information, but even if it does not that could have been
defined in the authentication token with
"IToken::SCOPE_SKIP_PASSWORD_VALIDATION" (for example, when "user_oidc"
is only used for authentication and user provision is done by another
user backend).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Deprecated since 24, currently unused.
Sadly not all related functions were officially marked as deprecated,
but all of them were unused.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
This way we use the CSP nonce for dynamically loaded scripts.
Important to notice: The CSP nonce must NOT be injected in `content` as
this can lead to value exfiltration using e.g. side-channel attacks (CSS selectors).
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
SSO backends like SAML and OIDC tried a trick to suppress password
confirmations as they are not possible by design. At least for SAML it was
not reliable when existing user backends were used as user repositories.
Now we are setting a special scope with the token, and also make sure that
the scope is taken over when tokens are regenerated.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Add the filename restrictions to our JS config so we can create a common frontend library
function to check filename validity (de-duplicate code).
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
The `OC::$SERVERROOT` is always returned without a trailing slash, so we need to add a slash between server root and apps directory.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>