Kalista Payne
cc6a35e61d fix(CSP): more Amazon domains 2025-12-12 17:27:50 -06:00
Kalista Payne
985b86c29a fix(csp): more loggly allowance 2025-12-12 17:18:08 -06:00
Kalista Payne
166bd31527 fix(csp): data, inline, some refactoring 2025-12-12 17:12:00 -06:00
Kalista Payne
1a0a6c1806 fix(CSP): override default script-src 2025-12-12 17:05:44 -06:00
Kalista Payne
023d9886c8 fix(CSP): unsafe-eval in default-src 2025-12-12 16:56:24 -06:00
Kalista Payne
f51f0a0c93 fix(CSP): move trusted list to default-src 2025-12-12 16:52:14 -06:00
Kalista Payne
83b2ba7688 fix(CSP): explicit habitica/aws in script-src 2025-12-12 16:38:05 -06:00
Kalista Payne
d5ca5172d5 fix(CSP): need escaped single quotes 2025-12-12 16:31:38 -06:00
Kalista Payne
c677a1ffef fix(CSP): unsafe-eval 2025-12-12 16:27:46 -06:00
Kalista Payne
6ef35c3f72 fix(CSP): might need to skip entirely in dev but try no 'self' 2025-12-12 16:15:07 -06:00
Kalista Payne
5759fb37d8 fix(csp): permit AWS in default-src 2025-12-12 15:51:26 -06:00
Kalista Payne
9f238abf93 fix(csp): update helmet version to latest 2025-12-10 16:41:29 -06:00
Kalista Payne
9462e90f4f feat(security): implement CSP 2025-12-10 16:41:29 -06:00
Kalista Payne
72539f9ba3 5.42.2 2025-12-10 14:16:53 -06:00
Kalista Payne
dabd466719 Revert "Chat optimization (#15545)"
This reverts commit 2917955ef0.
2025-12-10 14:16:48 -06:00
Kalista Payne
8bf2304330 chore(event): G1G1 date tweaks 2025-12-10 14:15:48 -06:00
Kalista Payne
6937dc4e4e fix(subscription): couple more layout tweaks 2025-12-08 16:37:04 -06:00
Fiz
2917955ef0 Chat optimization (#15545)
* fix(content): textual tweaks and updates

* fix(link): direct to FAQ instead of wiki

* fix(faq): correct Markdown

* Show orb of rebirth confirmation modal after use (window refresh)

* Set and check rebirth confirmation modal from localstorage

Set and check rebirth confirmation modal from localstorage after window reload

* Don't show orb of rebirth confirmation modal until page reloads

* message effective limit optimization

* Keep max limit for web (400 recent messages)

* Fix amount of messages initially being shown

* PM_PER_PAGE set to 50

* Increases number of messages in inbox test

* Increases number of messages for inbox pagination test

* Set and check rebirth confirmation modal from localstorage

Set and check rebirth confirmation modal from localstorage after window reload

* Don't show orb of rebirth confirmation modal until page reloads

* message effective limit optimization

* Keep max limit for web (400 recent messages)

* Add UUID validation for 'before' query parameter

* add party message stress test tool in admin panel

* lint

* add MAX_PM_COUNT of 400, admin tool for stress testing messages

* comment

* update stress test inbox message tool to use logged in user

* comment

---------

Co-authored-by: Kalista Payne <kalista@habitica.com>
2025-12-05 16:12:23 -06:00
Kalista Payne
55d13e44d4 fix(subs): strings and alignments 2025-12-03 17:12:08 -06:00
7 changed files with 52 additions and 14 deletions

package-lock.json generated

@@ -1,12 +1,12 @@
{
"name": "habitica",
"version": "5.42.1",
"version": "5.42.2",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "habitica",
"version": "5.42.1",
"version": "5.42.2",
"hasInstallScript": true,
"dependencies": {
"@babel/core": "^7.22.10",
@@ -45,7 +45,7 @@
"gulp-imagemin": "^7.1.0",
"gulp.spritesmith": "^6.13.0",
"habitica-markdown": "^3.0.0",
"helmet": "^4.6.0",
"helmet": "^8.1.0",
"in-app-purchase": "^1.11.3",
"js2xmlparser": "^5.0.0",
"jsonwebtoken": "^9.0.2",
@@ -12450,11 +12450,11 @@
}
},
"node_modules/helmet": {
"version": "4.6.0",
"resolved": "https://registry.npmjs.org/helmet/-/helmet-4.6.0.tgz",
"integrity": "sha512-HVqALKZlR95ROkrnesdhbbZJFi/rIVSoNq6f3jA/9u6MIbTsPh3xZwihjeI5+DO/2sOV6HMHooXcEOuwskHpTg==",
"version": "8.1.0",
"resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz",
"integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==",
"engines": {
"node": ">=10.0.0"
"node": ">=18.0.0"
}
},
"node_modules/hex2dec": {


@@ -1,7 +1,7 @@
{
"name": "habitica",
"description": "A habit tracker app which treats your goals like a Role Playing Game.",
"version": "5.42.1",
"version": "5.42.2",
"main": "./website/server/index.js",
"dependencies": {
"@babel/core": "^7.22.10",
@@ -40,7 +40,7 @@
"gulp-imagemin": "^7.1.0",
"gulp.spritesmith": "^6.13.0",
"habitica-markdown": "^3.0.0",
"helmet": "^4.6.0",
"helmet": "^8.1.0",
"in-app-purchase": "^1.11.3",
"js2xmlparser": "^5.0.0",
"jsonwebtoken": "^9.0.2",


@@ -52,7 +52,7 @@
<div
v-if="!group.purchased.plan.dateTerminated
&& group.purchased.plan.paymentMethod === 'Stripe'"
class="btn btn-primary"
class="btn btn-primary mb-3"
@click="redirectToStripeEdit({groupId: group.id})"
>
{{ $t('subUpdateCard') }}


@@ -189,6 +189,7 @@
>
</p>
<div
v-if="paymentMethodLogo.icon"
class="svg svg-icon mb-4"
:class="paymentMethodLogo.class"
v-html="paymentMethodLogo.icon"
@@ -205,6 +206,13 @@
<div>{{ $t('subUpdateCard') }}</div>
</button>
</div>
<div
v-once
v-if="!hasGroupPlan"
class="small text-center mb-4"
>
{{ $t('subscriptionBillingFYIShort') }}
</div>
<div
v-if="purchasedPlanExtraMonthsDetails.months > 0"
class="extra-months green-10 py-2 px-3 mb-4"
@@ -409,6 +417,7 @@
<div class="d-flex flex-column align-items-center mt-3">
<div
v-once
v-if="!hasSubscription"
class="small gray-100 w-50 text-center mb-5"
>
{{ $t('subscriptionBillingFYI') }}


@@ -273,5 +273,6 @@
"earn2GemsGift": "They'll earn <strong>+2 Gems</strong> every month they're subscribed",
"maxGemCapGift": "They'll have the max <strong>Gem Cap</strong>",
"subscribeAgainContinueHourglasses": "Subscribe again to continue receiving Mystic Hourglasses",
"subscriptionBillingFYI": "Subscriptions automatically renew unless you cancel at least 24 hours before the end of the current period. You can manage your subscription from the Subscription tab in settings. Your account will be charged within 24 hours of your renewal date, at the same price you initially paid."
"subscriptionBillingFYI": "Subscriptions automatically renew unless you cancel at least 24 hours before the end of the current period. You can manage your subscription from the Subscription tab in settings. Your account will be charged within 24 hours of your renewal date, at the same price you initially paid.",
"subscriptionBillingFYIShort": "Subscriptions automatically renew unless you cancel at least 24 hours before the end of the current period. Your account will be charged within 24 hours of your renewal date, at the same price you initially paid."
}


@@ -109,8 +109,8 @@ export const REPEATING_EVENTS = {
foodSeason: 'Pie',
},
giftOneGetOne: {
start: new Date('1970-12-18T04:00-05:00'),
end: new Date('1970-01-05T23:59-05:00'),
start: new Date('1970-12-16T04:00-05:00'),
end: new Date('1970-01-09T23:59-05:00'),
promo: 'g1g1',
},
};


@@ -66,7 +66,35 @@ export default function attachMiddlewares (app, server) {
// See https://helmetjs.github.io/ for the list of headers enabled by default
app.use(helmet({
// New middlewares added by default in Helmet 4 are disabled
contentSecurityPolicy: false, // @TODO implement
contentSecurityPolicy: {
directives: {
defaultSrc: [
'*.habitica.com',
'*.amazon.com',
'*.amazonaws.com',
'*.loggly.com',
'*.payments-amazon.com',
'*.stripe.com',
'*.stripe.network',
],
imgSrc: [
'*',
'data:',
],
scriptSrc: [
'\'unsafe-eval\'',
'\'unsafe-inline\'',
'*.habitica.com',
'*.amazon.com',
'*.amazonaws.com',
'*.loggly.com',
'*.payments-amazon.com',
'*.stripe.com',
'*.stripe.network',
],
upgradeInsecureRequests: IS_PROD ? [] : null,
},
},
expectCt: false,
permittedCrossDomainPolicies: false,
referrerPolicy: false,
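Review bot: The scriptSrc list in the new contentSecurityPolicy block allows both 'unsafe-eval' and 'unsafe-inline', which removes most of the protection the script-src directive would otherwise give against injected markup, and the hunk leaves no record of which dependencies need them or whether the policy was exercised in report-only mode before being enforced. The preceding commits on this compare page show the allow-list being widened several times in one afternoon, so a comment tying each entry to its consumer would make later tightening tractable, e.g. `// 'unsafe-eval'/'unsafe-inline': required by <dependency - fill in>; TODO track migration to nonces/hashes`. Neither defaultSrc nor scriptSrc contains 'self', so on a host that is not under *.habitica.com (local development, for instance) the app's own bundles and API calls would presumably be blocked rather than allowed — worth confirming, since the commit message "might need to skip entirely in dev" suggests this was already a concern. helmet's CSP options also accept `reportOnly: true`, which would let the policy be staged and its violation reports reviewed without breaking the page. attachMiddlewares starts before and ends after this hunk.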