From 75a82a2cc79fbfde33fdba74ea2dc0e2ae93efe4 Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Thu, 23 Jan 2025 16:42:48 +0100 Subject: [PATCH 01/14] added endpoint to set session values in HomeController --- .../Controllers/HomeController.cs | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 26a8d8b3e..88c7804bd 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -1,3 +1,4 @@ +using System.Diagnostics; using System.Text.Json; using System.Web; using Altinn.App.Core.Configuration; @@ -7,12 +8,14 @@ using Microsoft.AspNetCore.Antiforgery; using Microsoft.AspNetCore.Mvc; using Microsoft.Extensions.Options; +using Newtonsoft.Json.Linq; namespace Altinn.App.Api.Controllers; /// /// Provides access to the default home view. /// +[ApiController] public class HomeController : Controller { private static readonly JsonSerializerOptions _jsonSerializerOptions = new() @@ -28,6 +31,8 @@ public class HomeController : Controller private readonly IAppMetadata _appMetadata; private readonly List _onEntryWithInstance = new List { "new-instance", "select-instance" }; + //private readonly ApplicationMetadata _applicationMetadata; + /// /// Initialize a new instance of the class. /// @@ -52,6 +57,7 @@ IAppMetadata appMetadata _appSettings = appSettings.Value; _appResources = appResources; _appMetadata = appMetadata; + // _applicationMetadata = applicationMetadata; } /// 
@@ -68,6 +74,20 @@ public async Task Index( [FromQuery] bool dontChooseReportee ) { + // Access all query parameters + var allQueryParams = HttpContext.Request.Query; + + foreach (var param in allQueryParams) + { + // Log each query parameter key and value + Console.WriteLine($"{param.Key}: {param.Value}"); + HttpContext.Session.SetString(param.Key, param.Value); + var value = HttpContext.Session.GetString(param.Key); + Debugger.Break(); // This acts like a breakpoint. + } + + //Debugger.Break(); // This acts like a breakpoint. + // See comments in the configuration of Antiforgery in MvcConfiguration.cs. var tokens = _antiforgery.GetAndStoreTokens(HttpContext); if (tokens.RequestToken != null) @@ -82,6 +102,8 @@ [FromQuery] bool dontChooseReportee ); } + Debugger.Break(); + if (await ShouldShowAppView()) { ViewBag.org = org; @@ -107,6 +129,80 @@ [FromQuery] bool dontChooseReportee return Redirect(redirectUrl); } + /// + /// Sets query parameters in frontend session storage + /// + /// + /// + /// + [HttpGet] + [Route("{org}/{app}/set-query-params")] + public async Task SetQueryParams(string org, string app) + { + var queryParams = HttpContext.Request.Query; + + Application application = await _appMetadata.GetApplicationMetadata(); + + List dataTypes = application.DataTypes.Select(type => type.Id).ToList(); + + List allowedQueryParams = GetAllowedQueryParams(dataTypes); + + if (allowedQueryParams.Count < 1) + { + return Content("
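Review bot: The loop added at the top of Index stores every request query parameter in the server-side session under the caller-chosen key and echoes key and value to Console, and the hunk leaves a `Debugger.Break()` inside that loop plus a second one before `ShouldShowAppView()`; none of this should ship. Query strings are attacker-controlled, so an unfiltered `HttpContext.Session.SetString(param.Key, param.Value)` lets any caller populate arbitrary session entries, and the `Console.WriteLine` writes whatever is in the URL into the logs. The allow-listing against the prefill configuration belongs in the new set-query-params endpoint further down, so Index needs none of it; drop the loop and both `Debugger.Break()` calls (PATCH 02 in this series does remove them). Index continues past the end of the hunk.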

No query parameters found in the request.

", "text/html"); + } + + var queryDict = allowedQueryParams.ToDictionary(q => q.Key, q => q.Value.ToString()); + var queryParamsJson = System.Text.Json.JsonSerializer.Serialize(queryDict); + var htmlContent = + $@" + + + + + + Set Query Params + + + + + "; + + return Content(htmlContent, "text/html"); + } + + private List GetAllowedQueryParams(List dataTypes) + { + return dataTypes + .Select(item => + { + var prefillJson = _appResources.GetPrefillJson(item); + if (prefillJson == null) + { + return null; + } + + JObject prefillConfiguration = JObject.Parse(prefillJson); + JToken? queryParamObject = prefillConfiguration.SelectToken("QueryParams"); + + if (queryParamObject != null && queryParamObject.Type == JTokenType.Object) + { + return ((JObject)queryParamObject).Properties().Select(prop => prop.Name).ToList(); + } + + return null; + }) + .Where(result => result != null) + .SelectMany(result => result) + .Distinct() + .ToList(); + } + private async Task ShouldShowAppView() { if (User?.Identity?.IsAuthenticated == true) From 0eb977d28b2639f2e5139b71622923957485066f Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Fri, 24 Jan 2025 16:41:23 +0100 Subject: [PATCH 02/14] calculating fields and datamodel in before sessions torage --- .../Controllers/HomeController.cs | 112 +++++++----------- 1 file changed, 46 insertions(+), 66 deletions(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 88c7804bd..d1b34489e 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs 
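Review bot: `GetAllowedQueryParams` returns the parameter names found in each data type's prefill `QueryParams` object, yet `SetQueryParams` treats that list as if it were request key/value pairs: the `Count < 1` branch reports "No query parameters found in the request" when it is the configuration that is empty, `queryParams` read from `HttpContext.Request.Query` is never used, and `ToDictionary(q => q.Key, q => q.Value.ToString())` needs pairs rather than names (generic arguments are lost in this rendering, so the types are partly inferred). The intended set is the request parameters whose name appears in the configured list, e.g. `.Where(name => queryParams.ContainsKey(name))` before building `queryDict`. The script body between the `<script>` tags is not visible here; the parameterless `JsonSerializer.Serialize` uses the default JavaScriptEncoder, which escapes `<`, `>` and `&`, and that is what keeps reflected values safe inside a script element, so keep it that way. PATCH 02 in this series rewrites this method.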
@@ -74,36 +74,6 @@ public async Task Index( [FromQuery] bool dontChooseReportee ) { - // Access all query parameters - var allQueryParams = HttpContext.Request.Query; - - foreach (var param in allQueryParams) - { - // Log each query parameter key and value - Console.WriteLine($"{param.Key}: {param.Value}"); - HttpContext.Session.SetString(param.Key, param.Value); - var value = HttpContext.Session.GetString(param.Key); - Debugger.Break(); // This acts like a breakpoint. - } - - //Debugger.Break(); // This acts like a breakpoint. - - // See comments in the configuration of Antiforgery in MvcConfiguration.cs. - var tokens = _antiforgery.GetAndStoreTokens(HttpContext); - if (tokens.RequestToken != null) - { - HttpContext.Response.Cookies.Append( - "XSRF-TOKEN", - tokens.RequestToken, - new CookieOptions - { - HttpOnly = false, // Make this cookie readable by Javascript. - } - ); - } - - Debugger.Break(); - if (await ShouldShowAppView()) { ViewBag.org = org; @@ -141,19 +111,56 @@ public async Task SetQueryParams(string org, string app) { var queryParams = HttpContext.Request.Query; + // Get application metadata Application application = await _appMetadata.GetApplicationMetadata(); + // Get the data types from the application List dataTypes = application.DataTypes.Select(type => type.Id).ToList(); - List allowedQueryParams = GetAllowedQueryParams(dataTypes); + // Build the modelPrefill dictionary + var modelPrefill = dataTypes + .Select(item => + { + var prefillJson = _appResources.GetPrefillJson(item); + if (string.IsNullOrEmpty(prefillJson)) + { + return null; + } - if (allowedQueryParams.Count < 1) - { - return Content("
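Review bot: Removing the `_antiforgery.GetAndStoreTokens(HttpContext)` call and the `XSRF-TOKEN` cookie append from Index takes away the only code visible here that hands the antiforgery request token to the frontend, and nothing else in this patch re-issues it; if the antiforgery filter referenced by the removed comment (MvcConfiguration.cs) is enforced, state-changing requests from the SPA will start failing validation. Only the query-parameter loop and the `Debugger.Break()` calls introduced in PATCH 01 look intended for removal; the antiforgery block predates them (it appears as context in PATCH 01) and should stay. PATCH 03 in this series puts it back. Index continues outside the hunk.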

No query parameters found in the request.

", "text/html"); - } + return new { DataModelName = item, PrefillConfiguration = JObject.Parse(prefillJson) }; + }) + .Where(item => item != null) + .ToList(); + + // Prepare the result grouped by dataModelName + var result = modelPrefill + .Select(entry => + { + var queryParamsConfig = entry.PrefillConfiguration["QueryParams"]; + if (queryParamsConfig == null || queryParamsConfig.Type != JTokenType.Object) + { + return null; + } + + // Filter allowed query parameters + var allowedQueryParams = ((JObject)queryParamsConfig) + .Properties() + .Where(prop => queryParams.ContainsKey(prop.Name)) + .Select(prop => new Dictionary + { + { prop.Value.ToString(), queryParams[prop.Name].ToString() }, + }) + .ToList(); + + return new { DataModelName = entry.DataModelName, PrefillFields = allowedQueryParams }; + }) + .Where(entry => entry != null && entry.PrefillFields.Count > 0) + .ToList(); - var queryDict = allowedQueryParams.ToDictionary(q => q.Key, q => q.Value.ToString()); - var queryParamsJson = System.Text.Json.JsonSerializer.Serialize(queryDict); + // Serialize the result to JSON + var resultJson = System.Text.Json.JsonSerializer.Serialize(result); + + // Generate HTML to set sessionStorage var htmlContent = $@" @@ -165,8 +172,8 @@ public async Task SetQueryParams(string org, string app) 
@@ -176,33 +183,6 @@ public async Task SetQueryParams(string org, string app) return Content(htmlContent, "text/html"); } - private List GetAllowedQueryParams(List dataTypes) - { - return dataTypes - .Select(item => - { - var prefillJson = _appResources.GetPrefillJson(item); - if (prefillJson == null) - { - return null; - } - - JObject prefillConfiguration = JObject.Parse(prefillJson); - JToken? queryParamObject = prefillConfiguration.SelectToken("QueryParams"); - - if (queryParamObject != null && queryParamObject.Type == JTokenType.Object) - { - return ((JObject)queryParamObject).Properties().Select(prop => prop.Name).ToList(); - } - - return null; - }) - .Where(result => result != null) - .SelectMany(result => result) - .Distinct() - .ToList(); - } - private async Task ShouldShowAppView() { if (User?.Identity?.IsAuthenticated == true) From 030a76bafc56a17ebbad1154f9b62d4500214dc8 Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Tue, 28 Jan 2025 08:24:06 +0100 Subject: [PATCH 03/14] wip --- src/Altinn.App.Api/Controllers/HomeController.cs | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index d1b34489e..33cd738c7 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -74,6 +74,20 @@ public async Task Index( [FromQuery] bool dontChooseReportee ) { + // See comments in the configuration of Antiforgery in MvcConfiguration.cs. + var tokens = _antiforgery.GetAndStoreTokens(HttpContext); + if (tokens.RequestToken != null) + { + HttpContext.Response.Cookies.Append( + "XSRF-TOKEN", + tokens.RequestToken, + new CookieOptions + { + HttpOnly = false, // Make this cookie readable by Javascript. + } + ); + } + if (await ShouldShowAppView()) { ViewBag.org = org; From 066cd97e099fa493e2db3e33a105a7d1a4fecf97 Mon Sep 17 00:00:00 2001 
From: Adam Haeger Date: Tue, 28 Jan 2025 15:26:07 +0100 Subject: [PATCH 04/14] clean --- src/Altinn.App.Api/Controllers/HomeController.cs | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 33cd738c7..1a55d7d0d 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -15,7 +15,6 @@ namespace Altinn.App.Api.Controllers; /// /// Provides access to the default home view. /// -[ApiController] public class HomeController : Controller { private static readonly JsonSerializerOptions _jsonSerializerOptions = new() @@ -31,8 +30,6 @@ public class HomeController : Controller private readonly IAppMetadata _appMetadata; private readonly List _onEntryWithInstance = new List { "new-instance", "select-instance" }; - //private readonly ApplicationMetadata _applicationMetadata; - /// /// Initialize a new instance of the class. /// @@ -57,7 +54,6 @@ IAppMetadata appMetadata _appSettings = appSettings.Value; _appResources = appResources; _appMetadata = appMetadata; - // _applicationMetadata = applicationMetadata; } /// @@ -125,10 +121,8 @@ public async Task SetQueryParams(string org, string app) { var queryParams = HttpContext.Request.Query; - // Get application metadata Application application = await _appMetadata.GetApplicationMetadata(); - // Get the data types from the application List dataTypes = application.DataTypes.Select(type => type.Id).ToList(); // Build the modelPrefill dictionary From c2729830a9e64897bcb1e13462129c1b8bf8d931 Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Tue, 28 Jan 2025 16:49:27 +0100 Subject: [PATCH 05/14] added null checks --- src/Altinn.App.Api/Controllers/HomeController.cs | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 1a55d7d0d..274a34217 100644 
--- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -140,10 +140,14 @@ public async Task SetQueryParams(string org, string app) .Where(item => item != null) .ToList(); - // Prepare the result grouped by dataModelName var result = modelPrefill .Select(entry => { + if (entry.PrefillConfiguration == null) // Check if PrefillConfiguration is null + { + return null; + } + var queryParamsConfig = entry.PrefillConfiguration["QueryParams"]; if (queryParamsConfig == null || queryParamsConfig.Type != JTokenType.Object) { @@ -165,10 +169,8 @@ public async Task SetQueryParams(string org, string app) .Where(entry => entry != null && entry.PrefillFields.Count > 0) .ToList(); - // Serialize the result to JSON var resultJson = System.Text.Json.JsonSerializer.Serialize(result); - // Generate HTML to set sessionStorage var htmlContent = $@" From d0128e4d62d2f104be6d43f0743bc1ba330fa239 Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Tue, 28 Jan 2025 17:10:17 +0100 Subject: [PATCH 06/14] wip --- src/Altinn.App.Api/Controllers/HomeController.cs | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 274a34217..c8126a30e 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -1,4 +1,3 @@ -using System.Diagnostics; using System.Text.Json; using System.Web; using Altinn.App.Core.Configuration; 
@@ -143,18 +142,20 @@ public async Task SetQueryParams(string org, string app) var result = modelPrefill .Select(entry => { - if (entry.PrefillConfiguration == null) // Check if PrefillConfiguration is null + var prefillConfig = entry!.PrefillConfiguration; + if (prefillConfig == null) { return null; } - var queryParamsConfig = entry.PrefillConfiguration["QueryParams"]; + var queryParamsConfig = prefillConfig["QueryParams"]; if (queryParamsConfig == null || queryParamsConfig.Type != JTokenType.Object) { return null; } - // Filter allowed query parameters + // Filter allowed query parameters. We only allow query params that are configured in + // .prefill.json var allowedQueryParams = ((JObject)queryParamsConfig) .Properties() .Where(prop => queryParams.ContainsKey(prop.Name)) @@ -166,7 +167,7 @@ public async Task SetQueryParams(string org, string app) return new { DataModelName = entry.DataModelName, PrefillFields = allowedQueryParams }; }) - .Where(entry => entry != null && entry.PrefillFields.Count > 0) + .Where(entry => entry != null && entry.PrefillFields!.Count > 0) .ToList(); var resultJson = System.Text.Json.JsonSerializer.Serialize(result); From 0e807361f9fbc1b218ce2704aadb57a17bd9e455 Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Thu, 30 Jan 2025 12:57:16 +0100 Subject: [PATCH 07/14] added null checks --- src/Altinn.App.Api/Controllers/HomeController.cs | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index c8126a30e..bc3b34fb1 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs 
@@ -113,7 +113,7 @@ [FromQuery] bool dontChooseReportee /// /// /// - /// + /// An HTML file with a small javascript that will set session variables in frontend and redirect to the app. [HttpGet] [Route("{org}/{app}/set-query-params")] public async Task SetQueryParams(string org, string app) @@ -142,7 +142,13 @@ public async Task SetQueryParams(string org, string app) var result = modelPrefill .Select(entry => { - var prefillConfig = entry!.PrefillConfiguration; + if (entry == null || entry.PrefillConfiguration == null) + { + return null; + } + + var prefillConfig = entry.PrefillConfiguration; + if (prefillConfig == null) { return null; @@ -167,7 +173,7 @@ public async Task SetQueryParams(string org, string app) return new { DataModelName = entry.DataModelName, PrefillFields = allowedQueryParams }; }) - .Where(entry => entry != null && entry.PrefillFields!.Count > 0) + .Where(entry => entry != null && entry.PrefillFields != null && entry.PrefillFields.Count > 0) .ToList(); var resultJson = System.Text.Json.JsonSerializer.Serialize(result); From 44a457a853f8a9c2946a848cb2414e905850a66a Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Thu, 30 Jan 2025 13:08:22 +0100 Subject: [PATCH 08/14] updated swagger --- .../Controllers/HomeController.cs | 1 + .../Altinn.App.Api.Tests/OpenApi/swagger.json | 33 +++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index bc3b34fb1..e56634d5b 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -115,6 +115,7 @@ [FromQuery] bool dontChooseReportee /// /// An HTML file with a small javascript that will set session variables in frontend and redirect to the app. [HttpGet] + [Produces("text/html")] [Route("{org}/{app}/set-query-params")] public async Task SetQueryParams(string org, string app) { 
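Review bot: The new guard `if (entry == null || entry.PrefillConfiguration == null) return null;` makes the retained `if (prefillConfig == null)` check right below it unreachable; drop the second check and keep `var prefillConfig = entry.PrefillConfiguration;` as the local. In the `.Where` at the end, `PrefillFields` is assigned from a `.ToList()` result inside the same lambda (per PATCH 02), so the `entry.PrefillFields != null` clause is dead as well; `entry is { PrefillFields.Count: > 0 }` expresses the remaining condition in one clause. Style only, behaviour is unchanged either way.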
diff --git a/test/Altinn.App.Api.Tests/OpenApi/swagger.json b/test/Altinn.App.Api.Tests/OpenApi/swagger.json index c52af90c8..b1bfc0df8 100644 --- a/test/Altinn.App.Api.Tests/OpenApi/swagger.json +++ b/test/Altinn.App.Api.Tests/OpenApi/swagger.json @@ -2265,6 +2265,39 @@ } } }, + "/{org}/{app}/set-query-params": { + "get": { + "tags": [ + "Home" + ], + "summary": "Sets query parameters in frontend session storage", + "parameters": [ + { + "name": "org", + "in": "path", + "description": "", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "app", + "in": "path", + "description": "", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, "/{org}/{app}/instances/{instanceOwnerPartyId}/{instanceGuid}": { "get": { "tags": [ From c93771433a3637fc8c82e779fd614b0daa095080 Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Thu, 30 Jan 2025 13:13:35 +0100 Subject: [PATCH 09/14] not including query param route in swagger spec as it broke swagger test --- .../Controllers/HomeController.cs | 2 +- .../Altinn.App.Api.Tests/OpenApi/swagger.json | 33 ------------------- 2 files changed, 1 insertion(+), 34 deletions(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index e56634d5b..7057e0b8a 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -115,7 +115,7 @@ [FromQuery] bool dontChooseReportee /// /// An HTML file with a small javascript that will set session variables in frontend and redirect to the app. [HttpGet] - [Produces("text/html")] + [ApiExplorerSettings(IgnoreApi = true)] [Route("{org}/{app}/set-query-params")] public async Task SetQueryParams(string org, string app) { diff --git a/test/Altinn.App.Api.Tests/OpenApi/swagger.json b/test/Altinn.App.Api.Tests/OpenApi/swagger.json index b1bfc0df8..c52af90c8 100644 
--- a/test/Altinn.App.Api.Tests/OpenApi/swagger.json +++ b/test/Altinn.App.Api.Tests/OpenApi/swagger.json @@ -2265,39 +2265,6 @@ } } }, - "/{org}/{app}/set-query-params": { - "get": { - "tags": [ - "Home" - ], - "summary": "Sets query parameters in frontend session storage", - "parameters": [ - { - "name": "org", - "in": "path", - "description": "", - "required": true, - "schema": { - "type": "string" - } - }, - { - "name": "app", - "in": "path", - "description": "", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, "/{org}/{app}/instances/{instanceOwnerPartyId}/{instanceGuid}": { "get": { "tags": [ From 35c31f97696b29d82fc9e5f1d684e25396809fa7 Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Thu, 30 Jan 2025 13:55:04 +0100 Subject: [PATCH 10/14] url encoding app and org in js --- src/Altinn.App.Api/Controllers/HomeController.cs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 7057e0b8a..492fc6887 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -179,6 +179,9 @@ public async Task SetQueryParams(string org, string app) var resultJson = System.Text.Json.JsonSerializer.Serialize(result); + var encodedOrg = Uri.EscapeDataString(application.Org); + var encodedAppId = Uri.EscapeDataString(application.Id); + var htmlContent = $@" @@ -192,7 +195,10 @@ public async Task SetQueryParams(string org, string app) From 0cbb37ed625778c836380f7728484827e723c03e Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Thu, 30 Jan 2025 13:56:49 +0100 Subject: [PATCH 11/14] clean --- src/Altinn.App.Api/Controllers/HomeController.cs | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 492fc6887..8ecd98253 100644 
--- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -196,9 +196,6 @@ public async Task SetQueryParams(string org, string app) const prefillData = {resultJson}; sessionStorage.setItem('queryParams', JSON.stringify(prefillData)); const redirectUrl = `${{window.location.origin}}/{encodedOrg}/{encodedAppId}`; - - - window.location.href = redirectUrl; From 6b7696a90594c15edad59bd24d1efdbe73f06bc0 Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Thu, 30 Jan 2025 14:56:29 +0100 Subject: [PATCH 12/14] Added url encoding and CSP with nonce for inline scripts --- .../Controllers/HomeController.cs | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 8ecd98253..62ee6a67d 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -28,6 +28,10 @@ public class HomeController : Controller private readonly IAppResources _appResources; private readonly IAppMetadata _appMetadata; private readonly List _onEntryWithInstance = new List { "new-instance", "select-instance" }; + private static readonly System.Text.Json.JsonSerializerOptions _jsonOptions = new() + { + Encoder = System.Text.Encodings.Web.JavaScriptEncoder.UnsafeRelaxedJsonEscaping, + }; /// /// Initialize a new instance of the class. 
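Review bot: `JavaScriptEncoder.UnsafeRelaxedJsonEscaping` in the new `_jsonOptions` field disables escaping of `<`, `>`, `&` and `'`, and this serializer is used (next hunk) for the JSON that is embedded inside a `<script>` element; a query-parameter value containing `</script>` therefore closes the script element and reflects attacker markup into the page. The nonce CSP added in the same commit should block an injected script, but the encoder must not rely on it: use `JavaScriptEncoder.Default` (or omit the `Encoder`), which emits `\u003C` and friends and is what the previously used parameterless `Serialize` call did. Naming the result `safeResultJson` while using this encoder is misleading. The class already has a static `_jsonSerializerOptions`; a second options field with a near-identical name is easy to confuse, so either reuse it or give this one a name that says what it is for.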
@@ -177,11 +181,11 @@ public async Task SetQueryParams(string org, string app) .Where(entry => entry != null && entry.PrefillFields != null && entry.PrefillFields.Count > 0) .ToList(); - var resultJson = System.Text.Json.JsonSerializer.Serialize(result); - - var encodedOrg = Uri.EscapeDataString(application.Org); + var safeResultJson = System.Text.Json.JsonSerializer.Serialize(result, _jsonOptions); var encodedAppId = Uri.EscapeDataString(application.Id); + string nonce = Convert.ToBase64String(System.Security.Cryptography.RandomNumberGenerator.GetBytes(16)); + var htmlContent = $@" @@ -192,15 +196,17 @@ public async Task SetQueryParams(string org, string app) Set Query Params - "; + Response.Headers["Content-Security-Policy"] = $"default-src 'self'; script-src 'nonce-{nonce}';"; + return Content(htmlContent, "text/html"); } From b8f75a2e87232a359e90e072e1bdd8c9f5a683c5 Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Thu, 30 Jan 2025 16:16:30 +0100 Subject: [PATCH 13/14] added appId to know mix prefill data from different apps from same service provider --- src/Altinn.App.Api/Controllers/HomeController.cs | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 62ee6a67d..5593683c8 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs 
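Review bot: `Content(htmlContent, "text/html")` sends no charset; as far as I recall ContentResult does not append one when a content type is supplied explicitly, so the body goes out as UTF-8 while the header leaves the browser to guess — pass `"text/html; charset=utf-8"`. The hunk also deletes `encodedOrg` while the redirect template shown as context in PATCH 11 still reads `/{encodedOrg}/{encodedAppId}`; the script body is elided in this rendering, so the template was presumably rewritten (the interpolation would not compile otherwise), but it is worth a glance that the redirect path still carries the org segment. The nonce from `RandomNumberGenerator.GetBytes(16)` and the `Content-Security-Policy` header set before returning are fine as defence in depth.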
@@ -176,9 +176,14 @@ public async Task SetQueryParams(string org, string app) }) .ToList(); - return new { DataModelName = entry.DataModelName, PrefillFields = allowedQueryParams }; + return new + { + dataModelName = entry.DataModelName, + appId = application.Id, + prefillFields = allowedQueryParams, + }; }) - .Where(entry => entry != null && entry.PrefillFields != null && entry.PrefillFields.Count > 0) + .Where(entry => entry != null && entry.prefillFields != null && entry.prefillFields.Count > 0) .ToList(); var safeResultJson = System.Text.Json.JsonSerializer.Serialize(result, _jsonOptions); From e45a2a7e6900a942644fd1134ef24fbc1118d27c Mon Sep 17 00:00:00 2001 From: Adam Haeger Date: Fri, 31 Jan 2025 09:53:35 +0100 Subject: [PATCH 14/14] Added expiry --- src/Altinn.App.Api/Controllers/HomeController.cs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/Altinn.App.Api/Controllers/HomeController.cs b/src/Altinn.App.Api/Controllers/HomeController.cs index 5593683c8..53049c75a 100644 --- a/src/Altinn.App.Api/Controllers/HomeController.cs +++ b/src/Altinn.App.Api/Controllers/HomeController.cs @@ -202,7 +202,11 @@ public async Task SetQueryParams(string org, string app)