Single-File Components and CSP lockdown

Author: BenjaminMichaelis

.github/workflows/Build-Test-And-Deploy.yml

@@ -25,6 +25,13 @@ jobs:
         env:
           NUGET_AUTH_TOKEN: ${{ secrets.AZURE_DEVOPS_PAT }}
 
+      - name: Set up Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: 24
+          cache: npm
+          cache-dependency-path: EssentialCSharp.Web/package-lock.json
+
       - name: Set up dependency caching for faster builds
         uses: actions/cache@v5
         id: nuget-cache

.gitignore

@@ -284,5 +284,7 @@ EssentialCSharp.Web/Markdown/
 
 EssentialCSharp.Web/Guidelines/
 
+EssentialCSharp.Web/wwwroot/dist/
+
 # DevContainer environment files with sensitive data
 .devcontainer/.env

EssentialCSharp.Web/Areas/Identity/Pages/Account/ForgotPassword.cshtml

@@ -31,26 +31,10 @@
 @section Scripts {
     <partial name="_ValidationScriptsPartial" />
     <script>
-    (function () {
-        let forgotPwWidgetId;
-        let captchaSolved = false;
-        const form = document.getElementById('forgot-password-form');
-
-        document.addEventListener('DOMContentLoaded', function () {
-            forgotPwWidgetId = hcaptcha.render('forgot-password-captcha', {
-                sitekey: '@Model.CaptchaSiteKey',
-                size: 'invisible',
-                callback: function () { captchaSolved = true; form.requestSubmit(); },
-                'expired-callback': function () { captchaSolved = false; },
-                'error-callback': function () { captchaSolved = false; }
-            });
-            form.addEventListener('submit', function (e) {
-                if (!captchaSolved) {
-                    e.preventDefault();
-                    if (!window.jQuery || $(form).valid()) { hcaptcha.execute(forgotPwWidgetId); }
-                }
-            });
+        window.EssentialCSharp.HCaptcha.initializeInvisibleForm({
+            formId: 'forgot-password-form',
+            containerId: 'forgot-password-captcha',
+            siteKey: @Json.Serialize(Model.CaptchaSiteKey)
         });
-    })();
     </script>
 }

EssentialCSharp.Web/Areas/Identity/Pages/Account/Login.cshtml

@@ -91,26 +91,10 @@
 @section Scripts {
     <partial name="_ValidationScriptsPartial" />
     <script>
-    (function () {
-        let loginWidgetId;
-        let captchaSolved = false;
-        const form = document.getElementById('account');
-
-        document.addEventListener('DOMContentLoaded', function () {
-            loginWidgetId = hcaptcha.render('login-captcha', {
-                sitekey: '@Model.CaptchaSiteKey',
-                size: 'invisible',
-                callback: function () { captchaSolved = true; form.requestSubmit(); },
-                'expired-callback': function () { captchaSolved = false; },
-                'error-callback': function () { captchaSolved = false; }
-            });
-            form.addEventListener('submit', function (e) {
-                if (!captchaSolved) {
-                    e.preventDefault();
-                    if (!window.jQuery || $(form).valid()) { hcaptcha.execute(loginWidgetId); }
-                }
-            });
+        window.EssentialCSharp.HCaptcha.initializeInvisibleForm({
+            formId: 'account',
+            containerId: 'login-captcha',
+            siteKey: @Json.Serialize(Model.CaptchaSiteKey)
         });
-    })();
     </script>
 }

EssentialCSharp.Web/Areas/Identity/Pages/Account/Manage/ChangePassword.cshtml

@@ -37,5 +37,5 @@ ViewData["ActivePage"] = ManageNavPages.ChangePassword;
 
 @section Scripts {
     <partial name="_ValidationScriptsPartial" />
-    <script type="module" src="~/js/password-strength.js" asp-append-version="true"></script>
+    <script type="module" src="~/dist/assets/password-strength.js" asp-append-version="true"></script>
 }

EssentialCSharp.Web/Areas/Identity/Pages/Account/Manage/SetPassword.cshtml

@@ -36,5 +36,5 @@ ViewData["ActivePage"] = ManageNavPages.ChangePassword;
 
 @section Scripts {
     <partial name="_ValidationScriptsPartial" />
-    <script type="module" src="~/js/password-strength.js" asp-append-version="true"></script>
+    <script type="module" src="~/dist/assets/password-strength.js" asp-append-version="true"></script>
 }

EssentialCSharp.Web/Areas/Identity/Pages/Account/Register.cshtml

@@ -91,5 +91,5 @@
 
 @section Scripts {
     <partial name="_ValidationScriptsPartial" />
-    <script type="module" src="~/js/password-strength.js" asp-append-version="true"></script>
+    <script type="module" src="~/dist/assets/password-strength.js" asp-append-version="true"></script>
 }

EssentialCSharp.Web/Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml

@@ -31,26 +31,10 @@
 @section Scripts {
     <partial name="_ValidationScriptsPartial" />
     <script>
-    (function () {
-        let resendEmailWidgetId;
-        let captchaSolved = false;
-        const form = document.getElementById('resend-email-form');
-
-        document.addEventListener('DOMContentLoaded', function () {
-            resendEmailWidgetId = hcaptcha.render('resend-email-captcha', {
-                sitekey: '@Model.CaptchaSiteKey',
-                size: 'invisible',
-                callback: function () { captchaSolved = true; form.requestSubmit(); },
-                'expired-callback': function () { captchaSolved = false; },
-                'error-callback': function () { captchaSolved = false; }
-            });
-            form.addEventListener('submit', function (e) {
-                if (!captchaSolved) {
-                    e.preventDefault();
-                    if (!window.jQuery || $(form).valid()) { hcaptcha.execute(resendEmailWidgetId); }
-                }
-            });
+        window.EssentialCSharp.HCaptcha.initializeInvisibleForm({
+            formId: 'resend-email-form',
+            containerId: 'resend-email-captcha',
+            siteKey: @Json.Serialize(Model.CaptchaSiteKey)
         });
-    })();
     </script>
 }

EssentialCSharp.Web/Areas/Identity/Pages/Account/ResetPassword.cshtml

@@ -43,28 +43,12 @@
 
 @section Scripts {
     <partial name="_ValidationScriptsPartial" />
-    <script type="module" src="~/js/password-strength.js" asp-append-version="true"></script>
+    <script type="module" src="~/dist/assets/password-strength.js" asp-append-version="true"></script>
     <script>
-    (function () {
-        let resetPwWidgetId;
-        let captchaSolved = false;
-        const form = document.getElementById('reset-password-form');
-
-        document.addEventListener('DOMContentLoaded', function () {
-            resetPwWidgetId = hcaptcha.render('reset-password-captcha', {
-                sitekey: '@Model.CaptchaSiteKey',
-                size: 'invisible',
-                callback: function () { captchaSolved = true; form.requestSubmit(); },
-                'expired-callback': function () { captchaSolved = false; },
-                'error-callback': function () { captchaSolved = false; }
-            });
-            form.addEventListener('submit', function (e) {
-                if (!captchaSolved) {
-                    e.preventDefault();
-                    if (!window.jQuery || $(form).valid()) { hcaptcha.execute(resetPwWidgetId); }
-                }
-            });
+        window.EssentialCSharp.HCaptcha.initializeInvisibleForm({
+            formId: 'reset-password-form',
+            containerId: 'reset-password-captcha',
+            siteKey: @Json.Serialize(Model.CaptchaSiteKey)
         });
-    })();
     </script>
 }

EssentialCSharp.Web/Areas/Identity/Pages/_ValidationScriptsPartial.cshtml

@@ -1,14 +1 @@
-<environment exclude="Development">
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.17.0/jquery.validate.min.js"
-            asp-fallback-src="/lib/jquery-validation/jquery.validate.min.js"
-            asp-fallback-test="window.jQuery && window.jQuery.validator"
-            crossorigin="anonymous"
-            integrity="sha384-rZfj/ogBloos6wzLGpPkkOr/gpkBNLZ6b6yLy4o+ok+t/SAKlL5mvXLr0OXNi1Hp">
-    </script>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validation-unobtrusive/3.2.11/jquery.validate.unobtrusive.min.js"
-            asp-fallback-src="/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js"
-            asp-fallback-test="window.jQuery && window.jQuery.validator && window.jQuery.validator.unobtrusive"
-            crossorigin="anonymous"
-            integrity="sha384-R3vNCHsZ+A2Lo3d5A6XNP7fdQkeswQWTIPfiYwSpEP3YV079R+93YzTeZRah7f/F">
-    </script>
-</environment>
+<partial name="~/Views/Shared/_ValidationScriptsPartial.cshtml" />