The /style.css route 500'd in production because style.css is
gitignored and the Dockerfile never produced it: only main.py and
templates/ were copied into the image.
Mirror the myice Dockerfile by building the CSS in the builder stage:
copy the tailwind input files, download the standalone Tailwind CLI
(arch-aware for x64/arm64), and compile style.css. The artifact is
then copied into the runtime stage.
build-css.sh is kept for local dev but not used in Docker because its
#!/bin/bash shebang and pipefail are incompatible with alpine's sh.
Swap the Bootstrap CDN for a self-hosted Tailwind CSS build, mirroring
the myice setup: standalone Tailwind CLI v3.4.17, a one-off build-css.sh
script, and a gitignored generated style.css.
- Add tailwind.config.js, style-input.css, build-css.sh at repo root
- Rewrite templates/index.html: drop Bootstrap link/script, link
/style.css, convert all classes to Tailwind utilities; showAlert now
uses a class lookup so the JIT scanner detects dynamic classes
- Add /style.css FileResponse route in main.py; drop cdn.jsdelivr.net
from script-src/style-src in the CSP
- Flip test assertion to assert cdn.jsdelivr.net is absent from CSP
The generated style.css and tailwindcss binary are gitignored; run
./build-css.sh to regenerate (or --watch for dev).
The OIDC implicit-flow authorize request carried no state parameter and
the nonce was generated with weak Math.random() and never validated
client- or server-side, enabling login CSRF / forced authentication /
replay (AUTHZ-VULN-05).
Generate state and nonce with the Web Crypto CSPRNG, send state in the
authorize request, and validate both state and the id_token nonce claim
in the callback before storing tokens. Forward the nonce to /validate-
token so the backend also binds the id_token to the login flow.
Fixes the forged-callback fragment attack where a planted id_token with
a mismatched nonce was accepted, stored, and used by the SPA.
This commit adds detailed instructions on how to create an OAuth application with Infomaniak to obtain the required Client ID and Client Secret.
Fixes#1
- Enhance .gitignore with comprehensive Python patterns
- Improve README with better setup and testing instructions
- Add test infrastructure:
* Test requirements file
* Environment setup script
* Test runner script
* Comprehensive test suite
* Coverage configuration
- Add detailed README.md with project overview, setup instructions, and usage guide
- Add MIT LICENSE file for open-source distribution
- Include .gitignore file for Python and Docker artifacts