generated from eblume/project-template
Erich Blume
1f81a2e6d9
All checks were successful
Build / validate (pull_request) Successful in 6m31s
Replace the manual bearer-token paste with a proper browser OIDC sign-in.
- Hub: unauthenticated GET /config -> {issuer, client_id} (added after the auth
layer), sourced from the verifier's new TokenVerifier::oidc_config(). Lets the
PWA self-configure when served from the hub. Tests in web_serve.rs.
- PWA: src/oauth.js implements PKCE (S256), the authorize redirect, the callback
token exchange, and silent refresh (offline_access). Settings gains a "Login
with Authentik" button (manual token kept under a fallback disclosure); rpc.js
retries once on 401 via a refresh hook; app.js completes the callback / refreshes
on load; sw.js skips caching the callback URL and ships oauth.js in the shell.
Requires the PWA origin registered as a redirect URI on the Authentik provider.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
56 lines
1.6 KiB
JavaScript
56 lines
1.6 KiB
JavaScript
// Service worker: cache the app shell so heph launches offline. Data is never
|
|
// cached — every /rpc call must hit the live hub (and POSTs aren't cacheable
|
|
// anyway). Bump CACHE when shell assets change to evict the old set.
|
|
const CACHE = "heph-pwa-v4";
|
|
const SHELL = [
|
|
"./",
|
|
"./index.html",
|
|
"./styles.css",
|
|
"./manifest.webmanifest",
|
|
"./src/app.js",
|
|
"./src/rpc.js",
|
|
"./src/oauth.js",
|
|
"./src/quickadd.js",
|
|
"./src/datespec.js",
|
|
"./src/fmt.js",
|
|
"./icons/icon.svg",
|
|
];
|
|
|
|
self.addEventListener("install", (e) => {
|
|
e.waitUntil(caches.open(CACHE).then((c) => c.addAll(SHELL)).then(() => self.skipWaiting()));
|
|
});
|
|
|
|
self.addEventListener("activate", (e) => {
|
|
e.waitUntil(
|
|
caches
|
|
.keys()
|
|
.then((keys) => Promise.all(keys.filter((k) => k !== CACHE).map((k) => caches.delete(k))))
|
|
.then(() => self.clients.claim()),
|
|
);
|
|
});
|
|
|
|
self.addEventListener("fetch", (e) => {
|
|
const req = e.request;
|
|
// Only cache same-origin GETs (the shell). Everything else (RPC, cross-origin)
|
|
// goes straight to the network. Skip URLs with a query string too, so the OAuth
|
|
// redirect callback (`/?code=…&state=…`) is never cached or served from cache.
|
|
const u = new URL(req.url);
|
|
if (req.method !== "GET" || u.origin !== self.location.origin || u.search) {
|
|
return;
|
|
}
|
|
e.respondWith(
|
|
caches.match(req).then(
|
|
(hit) =>
|
|
hit ||
|
|
fetch(req)
|
|
.then((resp) => {
|
|
if (resp.ok) {
|
|
const copy = resp.clone();
|
|
caches.open(CACHE).then((c) => c.put(req, copy));
|
|
}
|
|
return resp;
|
|
})
|
|
.catch(() => caches.match("./index.html")),
|
|
),
|
|
);
|
|
});
|