[Luzifer#46] Remove external font deps, add SRI checks (Luzifer#47)

.dockerignore

@@ -1 +1 @@
-src
+src/node_modules

.gitignore

@@ -1,7 +1,9 @@
+frontend/app.js
 frontend/app.js.LICENSE.txt
 frontend/css
 frontend/js
 frontend/locale/*.untranslated.json
 frontend/webfonts
+frontend/*.woff2
 node_modules
 ots

.repo-runner.yaml

@@ -1,13 +1,14 @@
 ---
 
-image: "reporunner/golang-alpine"
+image: "reporunner/archlinux"
 checkout_dir: /go/src/github.com/Luzifer/ots
 
 commands:
   # Dependencies for downloading libraries
-  - apk add --update curl git make tar unzip
+  - pacman -Syy --noconfirm awk curl git go make nodejs-lts-fermium npm tar unzip which zip
   - make publish
 
 environment:
-  DRAFT: "false"
   CGO_ENABLED: 0
+  DRAFT: "false"
+  GOPATH: /go

Dockerfile

@@ -1,20 +1,28 @@
-FROM golang:alpine as builder
+FROM luzifer/archlinux as builder
+
+ENV CGO_ENABLED=0 \
+    GOPATH=/go
 
 COPY . /go/src/github.com/Luzifer/ots
 WORKDIR /go/src/github.com/Luzifer/ots
 
 RUN set -ex \
- && apk add --update \
+ && pacman --noconfirm -Syy \
       curl \
       git \
+      go \
       make \
+      nodejs-lts-fermium \
+      npm \
       tar \
       unzip \
+ && make -C src -f ../Makefile generate-inner \
  && make download_libs \
  && go install \
       -ldflags "-X main.version=$(git describe --tags --always || echo dev)" \
       -mod=readonly
 
+
 FROM alpine:latest
 
 LABEL maintainer "Knut Ahlers <knut@ahlers.me>"

Dockerfile.minimal

@@ -1,16 +1,28 @@
-FROM golang:alpine as builder
+FROM luzifer/archlinux as builder
 
-ENV CGO_ENABLED=0
+ENV CGO_ENABLED=0 \
+    GOPATH=/go
 
 COPY . /go/src/github.com/Luzifer/ots
 WORKDIR /go/src/github.com/Luzifer/ots
 
 RUN set -ex \
- && apk add --update git \
+ && pacman --noconfirm -Syy \
+      curl \
+      git \
+      go \
+      make \
+      nodejs-lts-fermium \
+      npm \
+      tar \
+      unzip \
+ && make -C src -f ../Makefile generate-inner \
+ && make download_libs \
  && go install \
       -ldflags "-X main.version=$(git describe --tags --always || echo dev)" \
       -mod=readonly
 
+
 FROM scratch
 
 LABEL maintainer "Knut Ahlers <knut@ahlers.me>"

Makefile

@@ -4,10 +4,15 @@ VER_FONTAWESOME=5.14.0
 default: generate download_libs
 
 generate:
-	docker run --rm -ti -v $(CURDIR):$(CURDIR) -w $(CURDIR)/src node:14-alpine \
-		sh -exc "npx npm@lts ci && npx npm@lts run build && chown -R $(shell id -u) ../frontend node_modules"
+	docker run --rm -i -v $(CURDIR):$(CURDIR) -w $(CURDIR) node:14-alpine \
+		sh -exc "apk add make && make -C src -f ../Makefile generate-inner && chown -R $(shell id -u) frontend src/node_modules"
+
+generate-inner:
+	npx npm@lts ci
+	npx npm@lts run build
 
 publish: download_libs
+	$(MAKE) -C src -f ../Makefile generate-inner
 	curl -sSLo golang.sh https://raw.githubusercontent.com/Luzifer/github-publish/master/golang.sh
 	bash golang.sh
 

frontend/index.html

@@ -6,7 +6,22 @@
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 
-    <link rel="stylesheet" href="css/all.min.css"/>
+    {{ range (list "webfonts/fa-solid-900.woff2" "webfonts/fa-brands-400.woff2" "lato-v20-latin-ext_latin-regular.woff2" "lato-v20-latin-ext_latin-700.woff2") }}
+    <link
+      as="font"
+      crossorigin="anonymous"
+      href="{{ . }}"
+      integrity="{{ assetSRI . }}"
+      rel="preload"
+    >
+    {{ end }}
+
+    <link
+      crossorigin="anonymous"
+      href="css/all.min.css"
+      integrity="{{ assetSRI `css/all.min.css` }}"
+      rel="stylesheet"
+    >
 
     <title>OTS - One Time Secrets</title>
 
@@ -24,13 +39,21 @@
 
       // Very early load of theme definition to avoid flickering
       document.addEventListener('DOMContentLoaded', () => window.refreshTheme())
+
+      // Template variable from Golang process
+      {{- range $key, $value := .Vars }}
+      const {{ $key }} = "{{ $value }}"
+      {{- end }}
     </script>
   </head>
   <body>
     <div id="app"></div>
 
-    <script src="vars.js"></script>
-    <script src="app.js"></script>
+    <script
+      crossorigin="anonymous"
+      integrity="{{ assetSRI `app.js` }}"
+      src="app.js"
+    ></script>
   </body>
 </html>
 

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/Luzifer/rconfig/v2 v2.2.1
 	github.com/gofrs/uuid/v3 v3.1.2
 	github.com/gorilla/mux v1.7.3
+	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.4.2
 	github.com/xuyu/goredis v0.0.0-20160929021245-89fbe9474b37
 )

go.sum

@@ -13,6 +13,8 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/leekchan/gtf v0.0.0-20190214083521-5fba33c5b00b/go.mod h1:thNruaSwydMhkQ8dXzapABF9Sc1Tz08ZBcDdgott9RA=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=

main.go

@@ -8,8 +8,10 @@ import (
 	"os"
 	"path"
 	"strings"
+	"text/template"
 
 	"github.com/gorilla/mux"
+	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 
 	http_helpers "github.com/Luzifer/go_helpers/v2/http"
@@ -56,66 +58,58 @@ func main() {
 	api := newAPI(store)
 
 	r := mux.NewRouter()
+	r.Use(http_helpers.GzipHandler)
+
 	api.Register(r.PathPrefix("/api").Subrouter())
-	r.HandleFunc("/vars.js", handleVars)
-	r.PathPrefix("/").HandlerFunc(http_helpers.GzipFunc(assetDelivery))
+
+	r.HandleFunc("/", handleIndex)
+	r.PathPrefix("/").HandlerFunc(assetDelivery)
 
 	log.Fatalf("HTTP server quit: %s", http.ListenAndServe(cfg.Listen, http_helpers.NewHTTPLogHandler(r)))
 }
 
-func assetDelivery(res http.ResponseWriter, r *http.Request) {
+func assetDelivery(w http.ResponseWriter, r *http.Request) {
 	assetName := r.URL.Path
-	if assetName == "/" {
-		assetName = "/index.html"
-	}
 
 	dot := strings.LastIndex(assetName, ".")
 	if dot < 0 {
 		// There are no assets with no dot in it
-		http.Error(res, "404 not found", http.StatusNotFound)
+		http.Error(w, "404 not found", http.StatusNotFound)
 		return
 	}
 
 	ext := assetName[dot:]
 	assetData, err := assets.ReadFile(path.Join("frontend", assetName))
 	if err != nil {
-		http.Error(res, "404 not found", http.StatusNotFound)
+		http.Error(w, "404 not found", http.StatusNotFound)
 		return
 	}
 
-	res.Header().Set("Content-Type", mime.TypeByExtension(ext))
-	res.Write(assetData)
+	w.Header().Set("Content-Type", mime.TypeByExtension(ext))
+	w.Write(assetData)
 }
 
-func handleVars(w http.ResponseWriter, r *http.Request) {
-	cookie, _ := r.Cookie("lang")
-
-	cookieLang := ""
-	if cookie != nil {
-		cookieLang = cookie.Value
-	}
-	acceptLang := r.Header.Get("Accept-Language")
-	defaultLang := "en" // known valid language
-
-	vars := map[string]string{
-		"version": version,
+func handleIndex(w http.ResponseWriter, r *http.Request) {
+	indexTpl, err := assets.ReadFile("frontend/index.html")
+	if err != nil {
+		http.Error(w, "404 not found", http.StatusNotFound)
+		return
 	}
 
-	switch {
-	case cookieLang != "":
-		vars["locale"] = normalizeLang(cookieLang)
-	case acceptLang != "":
-		vars["locale"] = normalizeLang(strings.Split(acceptLang, ",")[0])
-	default:
-		vars["locale"] = defaultLang
+	tpl, err := template.New("index.html").Funcs(tplFuncs).Parse(string(indexTpl))
+	if err != nil {
+		http.Error(w, errors.Wrap(err, "parsing template").Error(), http.StatusInternalServerError)
+		return
 	}
 
-	w.Header().Set("Content-Type", "application/javascript")
-	for k, v := range vars {
-		fmt.Fprintf(w, "var %s = %q\n", k, v)
+	if err = tpl.Execute(w, struct {
+		Vars map[string]string
+	}{
+		Vars: map[string]string{
+			"version": version,
+		},
+	}); err != nil {
+		http.Error(w, errors.Wrap(err, "parsing template").Error(), http.StatusInternalServerError)
+		return
 	}
 }
-
-func normalizeLang(lang string) string {
-	return strings.ToLower(strings.Split(lang, "-")[0])
-}

src/lato.scss

@@ -0,0 +1,21 @@
+/* lato-regular - latin-ext_latin */
+@font-face {
+  font-family: 'Lato';
+  font-style: normal;
+  font-weight: 400;
+  src: url('latofont/lato-v20-latin-ext_latin-regular.woff2') format('woff2'); /* Chrome 26+, Opera 23+, Firefox 39+ */
+}
+/* lato-italic - latin-ext_latin */
+@font-face {
+  font-family: 'Lato';
+  font-style: italic;
+  font-weight: 400;
+  src: url('latofont/lato-v20-latin-ext_latin-italic.woff2') format('woff2'); /* Chrome 26+, Opera 23+, Firefox 39+ */
+}
+/* lato-700 - latin-ext_latin */
+@font-face {
+  font-family: 'Lato';
+  font-style: normal;
+  font-weight: 700;
+  src: url('latofont/lato-v20-latin-ext_latin-700.woff2') format('woff2'); /* Chrome 26+, Opera 23+, Firefox 39+ */
+}

src/latofont/OFL.txt

@@ -0,0 +1,94 @@
+Copyright (c) 2010-2015, Łukasz Dziedzic (dziedzic@typoland.com),
+with Reserved Font Name Lato.
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+This license is copied below, and is also available with a FAQ at:
+http://scripts.sil.org/OFL
+
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded, 
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.