Add support for CSP nonce on GSI script & inline styles (#230)

danfsd · web-flow · commit c9238a794106 · 2023-03-18T12:16:07.000+02:00
* fix(useLoadGsiScript): assign nonce to GSI script tag

* fix(GoogleOAuthProvider): adds nonce to props

* docs: add nonce to README

* fix(useLoadGsiScript): adds nonce to dependency array

* chore: add changeset

* docs: fix typo on README
diff --git a/.changeset/old-rats-unite.md b/.changeset/old-rats-unite.md
@@ -0,0 +1,5 @@
+---
+'@react-oauth/google': patch
+---
+
+Add minor CSP support by accepting "nonce" and propagating it to GSI script & inline style
diff --git a/README.md b/README.md
@@ -193,6 +193,7 @@ const hasAccess = hasGrantedAnyScopeGoogle(
 | Required | Prop                | Type       | Description                                                                 |
 | :------: | ------------------- | ---------- | --------------------------------------------------------------------------- |
 |    ✓     | clientId            | `string`   | [**Google API client ID**](https://console.cloud.google.com/apis/dashboard) |
+|          | nonce               | `string`   | Nonce applied to GSI script tag. Propagates to GSI's inline style tag       |
 |          | onScriptLoadSuccess | `function` | Callback fires on load gsi script success                                   |
 |          | onScriptLoadError   | `function` | Callback fires on load gsi script failure                                   |
 
diff --git a/packages/@react-oauth/google/src/GoogleOAuthProvider.tsx b/packages/@react-oauth/google/src/GoogleOAuthProvider.tsx
@@ -18,11 +18,13 @@ interface GoogleOAuthProviderProps extends UseLoadGsiScriptOptions {
 
 export default function GoogleOAuthProvider({
   clientId,
+  nonce,
   onScriptLoadSuccess,
   onScriptLoadError,
   children,
 }: GoogleOAuthProviderProps) {
   const scriptLoadedSuccessfully = useLoadGsiScript({
+    nonce,
     onScriptLoadSuccess,
     onScriptLoadError,
   });
diff --git a/packages/@react-oauth/google/src/hooks/useLoadGsiScript.ts b/packages/@react-oauth/google/src/hooks/useLoadGsiScript.ts
@@ -1,6 +1,10 @@
 import { useState, useEffect, useRef } from 'react';
 
 export interface UseLoadGsiScriptOptions {
+  /**
+   * Nonce applied to GSI script tag. Propagates to GSI's inline style tag
+   */
+  nonce?: string;
   /**
    * Callback fires on load [gsi](https://accounts.google.com/gsi/client) script success
    */
@@ -14,7 +18,7 @@ export interface UseLoadGsiScriptOptions {
 export default function useLoadGsiScript(
   options: UseLoadGsiScriptOptions = {},
 ): boolean {
-  const { onScriptLoadSuccess, onScriptLoadError } = options;
+  const { nonce, onScriptLoadSuccess, onScriptLoadError } = options;
 
   const [scriptLoadedSuccessfully, setScriptLoadedSuccessfully] =
     useState(false);
@@ -30,6 +34,7 @@ export default function useLoadGsiScript(
     scriptTag.src = 'https://accounts.google.com/gsi/client';
     scriptTag.async = true;
     scriptTag.defer = true;
+    scriptTag.nonce = nonce;
     scriptTag.onload = () => {
       setScriptLoadedSuccessfully(true);
       onScriptLoadSuccessRef.current?.();
@@ -44,7 +49,7 @@ export default function useLoadGsiScript(
     return () => {
       document.body.removeChild(scriptTag);
     };
-  }, []);
+  }, [nonce]);
 
   return scriptLoadedSuccessfully;
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@react-oauth/google': patch
 +---
++
 +Add minor CSP support by accepting "nonce" and propagating it to GSI script & inline style