arabica.social / arabica
Coffee journaling on ATProto (alpha) alpha.arabica.social
coffee
17
fork

Configure Feed

Select the types of activity you want to include in your feed.

fix: mobile auth fix

pdewey b6979bc1 fcffc587

+8 -7
+1 -1
default.nix
··· 4 4 pname = "arabica"; 5 5 version = "0.1.0"; 6 6 src = ./.; 7 - vendorHash = "sha256-phKYuiA0Lh7wy/JHcTOWFce9MwPrkz/yjxq4Z8bbEnQ="; 7 + vendorHash = "sha256-xwLW3d0Mb3Y4jV77M/r9PJIN/Y3Aer4DbcW+LH7SSnY="; 8 8 9 9 nativeBuildInputs = [ tailwindcss ]; 10 10
+1 -1
go.mod
··· 3 3 go 1.25.4 4 4 5 5 require ( 6 - github.com/bluesky-social/indigo v0.0.0-20260103083015-78a1c1894f36 6 + github.com/bluesky-social/indigo v0.0.0-20260106221649-6fcd9317e725 7 7 github.com/rs/zerolog v1.34.0 8 8 go.etcd.io/bbolt v1.3.8 9 9 golang.org/x/sync v0.19.0
+2 -2
go.sum
··· 1 1 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 2 2 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= 3 - github.com/bluesky-social/indigo v0.0.0-20260103083015-78a1c1894f36 h1:0biH9kLhFMnTDdyJN+e+D+Hb4eZ7P5K66iiqWwyZzYE= 4 - github.com/bluesky-social/indigo v0.0.0-20260103083015-78a1c1894f36/go.mod h1:KIy0FgNQacp4uv2Z7xhNkV3qZiUSGuRky97s7Pa4v+o= 3 + github.com/bluesky-social/indigo v0.0.0-20260106221649-6fcd9317e725 h1:gfrLAhE6PHun4MDypO/5hpnaHPd9Dbe9+JxZL0gC4ic= 4 + github.com/bluesky-social/indigo v0.0.0-20260106221649-6fcd9317e725/go.mod h1:KIy0FgNQacp4uv2Z7xhNkV3qZiUSGuRky97s7Pa4v+o= 5 5 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= 6 6 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 7 7 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+3 -2
internal/middleware/security.go
··· 28 28 // Content Security Policy 29 29 // Allows: self for scripts/styles, inline styles (for Tailwind), jsdelivr for HTMX/Alpine 30 30 // Note: unsafe-eval required for Alpine.js standard build (CSP build has CDN MIME type issues) 31 + // Note: form-action allows https: for OAuth redirects to external authorization servers 31 32 csp := strings.Join([]string{ 32 33 "default-src 'self'", 33 34 "script-src 'self' 'unsafe-eval' https://cdn.jsdelivr.net", 34 35 "style-src 'self' 'unsafe-inline'", // unsafe-inline needed for Tailwind 35 36 "img-src 'self' https: data:", // Allow external images (avatars) and data URIs 36 37 "font-src 'self'", 37 - "connect-src 'self'", 38 + "connect-src 'self' https:", // Allow connections to external APIs (OAuth, PDS) 38 39 "frame-ancestors 'none'", 39 40 "base-uri 'self'", 40 - "form-action 'self'", 41 + "form-action 'self' https:", // Allow form submissions to external OAuth servers 41 42 }, "; ") 42 43 w.Header().Set("Content-Security-Policy", csp) 43 44
+1 -1
web/static/js/handle-autocomplete.js
··· 81 81 img.width = 32; 82 82 img.height = 32; 83 83 img.className = 'w-6 h-6 rounded-full object-cover flex-shrink-0'; 84 - img.onerror = function() { this.src = '/static/icon-placeholder.svg'; }; 84 + img.addEventListener('error', function() { this.src = '/static/icon-placeholder.svg'; }); 85 85 86 86 // Create text container 87 87 const textContainer = document.createElement('div');