
Align auth response CSP and add Strava sign-in fallback#8

Merged
a0a7 merged 9 commits into main from copilot/fix-strava-connect-button on May 30, 2026

Conversation

Copilot AI commented May 30, 2026

Contributor

The “Connect with Strava” flow fails with CSP blocking inline script execution, followed by a client-side error from missing auth navigation. This PR makes dynamic auth responses honor the same CSP as static pages and provides a reliable, keyboard-accessible sign-in fallback.

  • CSP parity for auth responses
    • Add security headers in the server hook and centralize the CSP string so auth routes receive the same policy as static assets.
  • Strava connect fallback
    • Replace the click-only button with a form submit fallback that still invokes signIn('strava') when JS is available.
<form action="/auth/signin/strava" method="get" on:submit|preventDefault={() => signIn('strava')}>
	<button type="submit" class="...">...</button>
</form>
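As an added check, not code from this PR or the project: a small JavaScript audit that parses the CSP string the hook centralizes (the policy quoted from src/hooks.server.ts in the review thread below, embedded here as the sample input) and reports the source combinations that weaken it.

```javascript
// Added example, not code from this PR or the project: parse a CSP header value
// and flag source combinations that weaken its script-injection defence.
// POLICY_FROM_PR is the policy quoted from src/hooks.server.ts in this PR.
const POLICY_FROM_PR = [
  "default-src 'self' blob: data: https://*.basemaps.cartocdn.com",
  "font-src 'self'",
  "img-src 'self' https://*.basemaps.cartocdn.com data: blob:",
  "object-src 'none'",
  "script-src 'self' 'unsafe-inline' https://static.cloudflareinsights.com blob: data:",
  "style-src 'self' 'unsafe-inline'"
].join('; ');

// Parse "name src src; name src" into a Map of directive -> array of sources.
// Browsers ignore a repeated directive, so only the first occurrence is kept.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return findings (strings) for the weaknesses a reviewer would raise on a policy.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src; with neither set, scripts are unrestricted.
  const scripts = d.get('script-src') ?? d.get('default-src');
  if (!scripts) {
    findings.push('no script-src or default-src: script execution is unrestricted');
  } else {
    // CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present.
    const hasNonceOrHash = scripts.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src: 'unsafe-inline' without nonce/hash lets injected inline scripts run");
    }
    for (const scheme of ['data:', 'blob:']) {
      if (scripts.includes(scheme)) findings.push(`script-src: ${scheme} URIs may run as scripts`);
    }
  }
  // These do not inherit from default-src, so leaving them out means no restriction.
  for (const name of ['base-uri', 'frame-ancestors', 'form-action']) {
    if (!d.has(name)) findings.push(`${name} is not set`);
  }
  return findings;
}
```

Run `auditCsp(POLICY_FROM_PR)` to get the six findings for this PR's policy; a nonce-based policy with base-uri, frame-ancestors and form-action set returns none.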

@a0a7 a0a7 marked this pull request as ready for review May 30, 2026 02:05
Copilot AI review requested due to automatic review settings May 30, 2026 02:05
@a0a7 a0a7 merged commit 349e2b4 into main May 30, 2026
0 of 3 checks passed

Copilot AI left a comment


Pull request overview

This PR updates the Strava authentication flow by applying security headers to dynamic server responses and adding a non-JavaScript form fallback for connecting with Strava.

Changes:

  • Adds a SvelteKit server hook to set security headers, including CSP, on resolved responses.
  • Composes the new security-header hook with the existing Auth.js handler.
  • Replaces the click-only Strava button with a form-backed submit button that still calls signIn('strava') when JavaScript is available.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

src/hooks.server.ts: Adds CSP and other security headers to dynamic responses while preserving auth handling.
src/lib/components/sidebar/ConnectPanel.svelte: Adds a form-based Strava sign-in fallback around the existing client-side sign-in behavior.


Comment thread src/hooks.server.ts
Comment on lines +5 to +12
const contentSecurityPolicy = [
"default-src 'self' blob: data: https://*.basemaps.cartocdn.com",
"font-src 'self'",
"img-src 'self' https://*.basemaps.cartocdn.com data: blob:",
"object-src 'none'",
"script-src 'self' 'unsafe-inline' https://static.cloudflareinsights.com blob: data:",
"style-src 'self' 'unsafe-inline'"
].join('; ');
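Review bot: the script-src directive (line +10) combines 'unsafe-inline' with data: and blob: sources, which removes most of what this policy offers against script injection: any inline script that reaches a page is allowed to run, and data: URIs become valid script sources, while default-src on line +6 extends the same data: and blob: allowance to every directive that falls back to it. Since the stated motivation was that inline script execution was blocked, consider replacing 'unsafe-inline' with a per-request nonce or a hash (SvelteKit's kit.csp config can generate nonces for its own inline scripts) and dropping data: from script-src, and add base-uri and frame-ancestors, which do not inherit from default-src and are currently unrestricted.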

3 participants