fix(auth-service): make cspNonce required on renderChooseHandlePage

aspiers · claude · aspiers · commit e47c2aee3582 · 2026-04-22T11:25:56.000Z
- renderChooseHandlePage: promote cspNonce to a required parameter and
  always stamp nonce="..." on the inline &lt;script&gt;. All 5 call sites
  already pass res.locals.cspNonce, so the previous `cspNonce?` +
  conditional fallback only served to mask a future wiring bug where
  a caller forgot the nonce — the CSP is now nonce-based, so missing
  nonce means broken page, not graceful degradation.
- preview-ui: reword renderPreviewIndexPage cspNonce docstring. pds-core
  does serve at least one preview page (/preview/consent) under a CSP
  with 'unsafe-inline', so "omit when the service doesn't set a CSP"
  was misleading; frame the rule around the page's CSP rather than
  the service.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/packages/auth-service/src/routes/choose-handle.ts b/packages/auth-service/src/routes/choose-handle.ts
@@ -438,11 +438,11 @@ export function createChooseHandleRouter(
 
 export function renderChooseHandlePage(
   handleDomain: string,
-  error?: string,
-  csrfToken?: string,
-  showRandomButton?: boolean,
-  customCss?: string | null,
-  cspNonce?: string,
+  error: string | undefined,
+  csrfToken: string | undefined,
+  showRandomButton: boolean,
+  customCss: string | null,
+  cspNonce: string,
 ): string {
   const errorHtml = error
     ? `<div class="error" id="error-msg">${escapeHtml(error)}</div>`
@@ -518,7 +518,7 @@ export function renderChooseHandlePage(
     </form>
   </div>
 
-  <script${cspNonce ? ` nonce="${escapeHtml(cspNonce)}"` : ''}>
+  <script nonce="${escapeHtml(cspNonce)}">
     (function() {
       var input = document.getElementById('handle-input');
       var statusEl = document.getElementById('handle-status');
diff --git a/packages/shared/src/preview-ui.ts b/packages/shared/src/preview-ui.ts
@@ -181,9 +181,11 @@ export function renderPreviewIndexPage(opts: {
   authPublicUrl: string
   pdsPublicUrl: string
   /**
-   * CSP nonce to stamp on the inline <script>. Required on services that
-   * emit a `script-src 'nonce-...'` CSP (auth-service); omit on services
-   * that don't set a CSP (pds-core).
+   * CSP nonce to stamp on the inline <script>. Required when this preview
+   * index is served with a `script-src 'nonce-...'` CSP (e.g. auth-service);
+   * omit when it's served with a policy that permits inline scripts
+   * without a nonce (e.g. pds-core's `/preview` index, which doesn't set
+   * a CSP at all, or any page served with `script-src ... 'unsafe-inline'`).
    */
   cspNonce?: string
 }): string {
