aboutsummaryrefslogtreecommitdiff
path: root/src/lib/Utility
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/Utility')
-rw-r--r--src/lib/Utility/anilistOauth.ts27
-rw-r--r--src/lib/Utility/feedToken.test.ts44
-rw-r--r--src/lib/Utility/feedToken.ts96
-rw-r--r--src/lib/Utility/sanitizeCss.test.ts76
-rw-r--r--src/lib/Utility/sanitizeCss.ts57
5 files changed, 300 insertions, 0 deletions
diff --git a/src/lib/Utility/anilistOauth.ts b/src/lib/Utility/anilistOauth.ts
new file mode 100644
index 00000000..9bb570fb
--- /dev/null
+++ b/src/lib/Utility/anilistOauth.ts
@@ -0,0 +1,27 @@
+import { env } from "$env/dynamic/private";
+import { env as publicEnv } from "$env/dynamic/public";
+
+// Exchange a refresh token for a fresh access token WITHOUT touching the auth
+// cookie — used by the RSS feed, which is polled by an unattended reader that
+// has no session, so there is no cookie to re-set.
+export const refreshAniListToken = async (
+ refreshToken: string,
+): Promise<string | null> => {
+ const formData = new FormData();
+
+ formData.append("grant_type", "refresh_token");
+ formData.append("client_id", publicEnv.PUBLIC_ANILIST_CLIENT_ID as string);
+ formData.append("client_secret", env.ANILIST_CLIENT_SECRET as string);
+ formData.append("refresh_token", refreshToken);
+
+ const response = await fetch("https://anilist.co/api/v2/oauth/token", {
+ method: "POST",
+ body: formData,
+ });
+
+ if (!response.ok) return null;
+
+ const payload = (await response.json()) as { access_token?: string };
+
+ return payload.access_token ?? null;
+};
diff --git a/src/lib/Utility/feedToken.test.ts b/src/lib/Utility/feedToken.test.ts
new file mode 100644
index 00000000..ffcb5fd7
--- /dev/null
+++ b/src/lib/Utility/feedToken.test.ts
@@ -0,0 +1,44 @@
+import { describe, expect, it } from "vitest";
+import { decryptFeedToken, encryptFeedToken } from "./feedToken";
+
+// Fixed 32-byte keys so the cipher is exercised without the FEED_TOKEN_KEY env
+// var (production omits the key argument and reads it from env).
+const key = new Uint8Array(32).fill(7);
+const otherKey = new Uint8Array(32).fill(9);
+
+describe("feed token", () => {
+ // Behaviour gate: the feed must still resolve to the same refresh token it
+ // was minted from, and the cleartext must never appear in the URL blob.
+ it("round-trips the refresh token without leaking it", async () => {
+ const refreshToken = "anilist-refresh-token-abc123";
+ const sealed = await encryptFeedToken(refreshToken, key);
+
+ expect(sealed).not.toContain(refreshToken);
+ expect(await decryptFeedToken(sealed, key)).toBe(refreshToken);
+ });
+
+ it("produces a fresh ciphertext each time (random IV)", async () => {
+ expect(await encryptFeedToken("same-token", key)).not.toBe(
+ await encryptFeedToken("same-token", key),
+ );
+ });
+
+ it("rejects a token sealed with a different key", async () => {
+ const sealed = await encryptFeedToken("secret", otherKey);
+
+ expect(await decryptFeedToken(sealed, key)).toBeNull();
+ });
+
+ it("rejects a tampered ciphertext", async () => {
+ const sealed = await encryptFeedToken("secret", key);
+ const tampered = `${sealed[0] === "A" ? "B" : "A"}${sealed.slice(1)}`;
+
+ expect(await decryptFeedToken(tampered, key)).toBeNull();
+ });
+
+ it("rejects malformed input", async () => {
+ expect(await decryptFeedToken("", key)).toBeNull();
+ expect(await decryptFeedToken("short", key)).toBeNull();
+ expect(await decryptFeedToken("not valid base64url!!", key)).toBeNull();
+ });
+});
diff --git a/src/lib/Utility/feedToken.ts b/src/lib/Utility/feedToken.ts
new file mode 100644
index 00000000..1d26a443
--- /dev/null
+++ b/src/lib/Utility/feedToken.ts
@@ -0,0 +1,96 @@
+import { env } from "$env/dynamic/private";
+
+// Authenticated encryption (AES-256-GCM) for the RSS feed token. The plaintext
+// is the user's long-lived AniList refresh token; the ciphertext is what travels
+// in the public feed URL (?feed=). Without FEED_TOKEN_KEY (server-only) the blob
+// is opaque and tamper-evident, so a leaked feed URL exposes no usable
+// credential — unlike the old ?token=&refresh= form that carried them in clear.
+//
+// WebCrypto (not node:crypto) so the byte types stay Uint8Array — the repo's
+// bun-types make node's Buffer structurally incompatible with crypto params.
+
+const IV_BYTES = 12;
+const TAG_BYTES = 16;
+const KEY_BYTES = 32;
+
+// WebCrypto's BufferSource requires the non-shared ArrayBuffer variant; the bare
+// Uint8Array generic defaults to ArrayBufferLike, which the crypto types reject.
+type KeyBytes = Uint8Array<ArrayBuffer>;
+
+const bytesFromBase64 = (text: string) =>
+ Uint8Array.from(atob(text), (character) => character.charCodeAt(0));
+
+const base64UrlFromBytes = (bytes: Uint8Array): string =>
+ btoa(String.fromCharCode(...bytes))
+ .replaceAll("+", "-")
+ .replaceAll("/", "_")
+ .replaceAll("=", "");
+
+const bytesFromBase64Url = (text: string) =>
+ bytesFromBase64(text.replaceAll("-", "+").replaceAll("_", "/"));
+
+const requireKeyBytes = (): KeyBytes => {
+ const encoded = env.FEED_TOKEN_KEY;
+
+ if (!encoded) throw new Error("FEED_TOKEN_KEY is not set");
+
+ const bytes = bytesFromBase64(encoded);
+
+ if (bytes.length !== KEY_BYTES)
+ throw new Error(`FEED_TOKEN_KEY must decode to ${KEY_BYTES} bytes`);
+
+ return bytes;
+};
+
+const importKey = (keyBytes: KeyBytes): Promise<CryptoKey> =>
+ crypto.subtle.importKey("raw", keyBytes, "AES-GCM", false, [
+ "encrypt",
+ "decrypt",
+ ]);
+
+// The optional keyBytes parameter lets the unit test exercise the cipher with a
+// fixed key; production callers omit it and the env key is loaded.
+export const encryptFeedToken = async (
+ refreshToken: string,
+ keyBytes: KeyBytes = requireKeyBytes(),
+): Promise<string> => {
+ const key = await importKey(keyBytes);
+ const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));
+ const ciphertext = new Uint8Array(
+ await crypto.subtle.encrypt(
+ { name: "AES-GCM", iv },
+ key,
+ new TextEncoder().encode(refreshToken),
+ ),
+ );
+ const framed = new Uint8Array(iv.length + ciphertext.length);
+
+ framed.set(iv, 0);
+ framed.set(ciphertext, iv.length);
+
+ return base64UrlFromBytes(framed);
+};
+
+export const decryptFeedToken = async (
+ blob: string,
+ keyBytes: KeyBytes = requireKeyBytes(),
+): Promise<string | null> => {
+ try {
+ const framed = bytesFromBase64Url(blob);
+
+ if (framed.length < IV_BYTES + TAG_BYTES) return null;
+
+ const key = await importKey(keyBytes);
+ const iv = framed.subarray(0, IV_BYTES);
+ const ciphertext = framed.subarray(IV_BYTES);
+ const plaintext = await crypto.subtle.decrypt(
+ { name: "AES-GCM", iv },
+ key,
+ ciphertext,
+ );
+
+ return new TextDecoder().decode(plaintext);
+ } catch {
+ return null;
+ }
+};
diff --git a/src/lib/Utility/sanitizeCss.test.ts b/src/lib/Utility/sanitizeCss.test.ts
new file mode 100644
index 00000000..f6c22364
--- /dev/null
+++ b/src/lib/Utility/sanitizeCss.test.ts
@@ -0,0 +1,76 @@
+import { describe, expect, it } from "vitest";
+import { sanitizeBadgeWallCss } from "./sanitizeCss";
+
+describe("sanitizeBadgeWallCss", () => {
+ // Behaviour gate: the CSS people actually write for their badge wall survives.
+ it("preserves ordinary rules, declarations and values", () => {
+ const out = sanitizeBadgeWallCss(
+ ".badge { color: red; opacity: 0.5; border-radius: 8px; }",
+ );
+
+ expect(out).toContain("color");
+ expect(out).toContain("red");
+ expect(out).toContain("border-radius");
+ });
+
+ it("preserves backdrop-filter, content, url() and at-rules", () => {
+ expect(
+ sanitizeBadgeWallCss(".x { backdrop-filter: blur(4px); }"),
+ ).toContain("backdrop-filter");
+ expect(sanitizeBadgeWallCss('.x::before { content: "★"; }')).toContain(
+ "content",
+ );
+ expect(
+ sanitizeBadgeWallCss(
+ ".x { background: url(https://cdn.due.moe/a.png); }",
+ ),
+ ).toContain("url(https://cdn.due.moe/a.png)");
+ expect(
+ sanitizeBadgeWallCss("@media (min-width: 1px) { .x { color: blue; } }"),
+ ).toContain("@media");
+ expect(
+ sanitizeBadgeWallCss(
+ "@keyframes spin { from { transform: rotate(0); } to { transform: rotate(360deg); } }",
+ ),
+ ).toContain("@keyframes");
+ });
+
+ it("returns empty string for nullish input", () => {
+ expect(sanitizeBadgeWallCss("")).toBe("");
+ // @ts-expect-error exercising defensive nullish handling
+ expect(sanitizeBadgeWallCss(undefined)).toBe("");
+ });
+
+ // The fix: dangerous constructs are removed while surrounding CSS is kept.
+ it("strips @import, behavior, -moz-binding, expression and js: urls", () => {
+ const imported = sanitizeBadgeWallCss(
+ "@import url(https://evil.example.com/x.css); .x { color: red; }",
+ );
+ expect(imported).not.toContain("@import");
+ expect(imported).toContain("color");
+
+ expect(
+ sanitizeBadgeWallCss(".x { behavior: url(evil.htc); color: red; }"),
+ ).not.toContain("behavior");
+ expect(
+ sanitizeBadgeWallCss(".x { -moz-binding: url(evil.xml#x); }"),
+ ).not.toContain("-moz-binding");
+ expect(
+ sanitizeBadgeWallCss(".x { width: expression(alert(1)); }"),
+ ).not.toContain("expression");
+ expect(
+ sanitizeBadgeWallCss(".x { background: url(javascript:alert(1)); }"),
+ ).not.toContain("javascript:");
+ });
+
+ it("drops <style> break-out attempts entirely", () => {
+ const out = sanitizeBadgeWallCss(
+ ".a { color: red; } </style><script>window.x=1</script> .b { color: blue; }",
+ );
+
+ expect(out).not.toContain("<script");
+ expect(out).not.toContain("</style");
+ expect(out).not.toContain("window.x");
+ expect(out).toContain("color");
+ });
+});
diff --git a/src/lib/Utility/sanitizeCss.ts b/src/lib/Utility/sanitizeCss.ts
new file mode 100644
index 00000000..976fa6a1
--- /dev/null
+++ b/src/lib/Utility/sanitizeCss.ts
@@ -0,0 +1,57 @@
+import * as csstree from "css-tree";
+
+const blockedProperties = new Set(["behavior", "-moz-binding"]);
+const dangerousValue = /expression\s*\(|javascript:|vbscript:/i;
+
+/**
+ * Sanitise user-supplied badge-wall CSS at the trust boundary (write time), so
+ * the stored value is safe regardless of how it is later rendered. Parsing with
+ * css-tree (leniently, like a browser) drops anything that isn't valid CSS —
+ * including `</style>` break-out attempts — and we additionally remove the few
+ * constructs that can load resources or (in legacy engines) run code:
+ * `@import`, `behavior`/`-moz-binding`, and `expression()`/`javascript:` values.
+ *
+ * This is defence in depth: rendering goes through `textContent` (no HTML
+ * parsing, so no break-out) and the CSP blocks inline script regardless.
+ */
+export const sanitizeBadgeWallCss = (css: string): string => {
+ if (!css) return "";
+
+ let ast: csstree.CssNode;
+
+ try {
+ ast = csstree.parse(css, { onParseError: () => {} });
+ } catch {
+ return "";
+ }
+
+ csstree.walk(ast, (node, item, list) => {
+ if (!list || !item) return;
+
+ if (node.type === "Atrule" && node.name.toLowerCase() === "import") {
+ list.remove(item);
+ } else if (
+ node.type === "Rule" &&
+ csstree.generate(node.prelude).includes("<")
+ ) {
+ // css-tree keeps an unparseable selector as a Raw prelude, so a
+ // `</style><script>…` break-out shows up as a rule whose selector
+ // contains `<` (never valid in a real selector). Drop the rule.
+ list.remove(item);
+ } else if (node.type === "Raw" && /[<>]/.test(node.value)) {
+ list.remove(item);
+ } else if (
+ node.type === "Declaration" &&
+ (blockedProperties.has(node.property.toLowerCase()) ||
+ dangerousValue.test(csstree.generate(node.value)))
+ ) {
+ list.remove(item);
+ }
+ });
+
+ try {
+ return csstree.generate(ast);
+ } catch {
+ return "";
+ }
+};
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-03 07:39:35 +0000