From dc2c5528e5925ea87abb29b390ae6ee6c54fa2dc Mon Sep 17 00:00:00 2001
From: Chris Smith <chris@walletconnect.com>
Date: Thu, 22 Feb 2024 14:21:22 -0500
Subject: [PATCH 1/4] fix: combine requests

---
 src/http_server/index_js.rs |  8 +++++---
 src/http_server/mod.rs      | 20 +++++++-------------
 2 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/src/http_server/index_js.rs b/src/http_server/index_js.rs
index a6cc096..797ca07 100644
--- a/src/http_server/index_js.rs
+++ b/src/http_server/index_js.rs
@@ -8,8 +8,7 @@ use {
     serde::Deserialize,
 };
 
-const TEMPLATE: &str = r#"
-const csrfToken = '{token}';
+const SCRIPT: &str = r#"
 // event subscribed by Verify Enclave
 window.addEventListener("message", (event) => {
     const attestationId = event.data
@@ -46,5 +45,8 @@ pub(super) async fn get(query: Query<Params>) -> Result<impl IntoResponse, Statu
         return Err(StatusCode::BAD_REQUEST);
     }
 
-    Ok(Html(TEMPLATE.replacen("{token}", &query.token, 1)))
+    Ok(Html(format!(
+        "const csrfToken = '{}';{}",
+        query.token, SCRIPT
+    )))
 }
diff --git a/src/http_server/mod.rs b/src/http_server/mod.rs
index f06d568..1cbd7c8 100644
--- a/src/http_server/mod.rs
+++ b/src/http_server/mod.rs
@@ -1,4 +1,5 @@
 use {
+    self::index_js::SCRIPT,
     crate::{
         ContextualCommand,
         Domain,
@@ -34,13 +35,13 @@ use {
         StatusCode,
     },
     serde::{Deserialize, Serialize},
-    std::{convert::Infallible, future::Future, iter, net::SocketAddr, sync::Arc},
+    std::{convert::Infallible, future::Future, iter, net::SocketAddr, str::Bytes, sync::Arc},
     tap::{Pipe, Tap},
     tower_http::cors::{self, CorsLayer},
     tracing::{info, instrument},
-    wc::{
-        geoip,
-        geoip::block::{middleware::GeoBlockLayer, BlockingPolicy as GeoBlockingPolicy},
+    wc::geoip::{
+        self,
+        block::{middleware::GeoBlockLayer, BlockingPolicy as GeoBlockingPolicy},
     },
 };
 
@@ -132,7 +133,7 @@ pub async fn run<S, G>(
         .layer(cors_layer)
         .route("/health", get(health::get(health_provider)))
         .route("/attestation", post(attestation::post))
-        .route("/index.js", get(index_js::get))
+        .route("/index.js", get(index_js::get)) // TODO remove in next deploy
         .route("/:project_id", get(root))
         .layer(metrics_layer)
         .with_state(Arc::new(state));
@@ -167,13 +168,6 @@ pub async fn run<S, G>(
     );
 }
 
-fn index_html(token: &str) -> String {
-    format!(
-        "<!-- index.html --><html><head><script \
-         src=\"/index.js?token={token}\"></script></head></html>"
-    )
-}
-
 const UNKNOWN_PROJECT_MSG: &str = "Project with the provided ID doesn't exist. Please, ensure \
                                    that the project is registered on cloud.walletconnect.com";
 
@@ -194,7 +188,7 @@ where
         VerifyStatus::Disabled => String::new().into_response(),
         VerifyStatus::Enabled { verified_domains } => {
             let token = s.token_manager.generate_csrf_token()?;
-            let html = index_html(&token);
+            let html = format!("<script>const csrfToken = '{token}';{SCRIPT}</script>");
             let csp = build_content_security_header(verified_domains);
             let headers = [
                 (header::CONTENT_SECURITY_POLICY, csp),

From ba49c830021606516e7e22dc565dc7e0ae5ebd09 Mon Sep 17 00:00:00 2001
From: Chris Smith <chris@walletconnect.com>
Date: Thu, 22 Feb 2024 14:24:22 -0500
Subject: [PATCH 2/4] chore: refactor

---
 src/http_server/index_js.rs | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/http_server/index_js.rs b/src/http_server/index_js.rs
index 797ca07..09f570d 100644
--- a/src/http_server/index_js.rs
+++ b/src/http_server/index_js.rs
@@ -41,12 +41,10 @@ pub(super) struct Params {
 }
 
 pub(super) async fn get(query: Query<Params>) -> Result<impl IntoResponse, StatusCode> {
-    if !CsrfToken::validate_format(&query.token) {
+    let token = query.token;
+    if !CsrfToken::validate_format(&token) {
         return Err(StatusCode::BAD_REQUEST);
     }
 
-    Ok(Html(format!(
-        "const csrfToken = '{}';{}",
-        query.token, SCRIPT
-    )))
+    Ok(Html(format!("const csrfToken = '{token}';{SCRIPT}")))
 }

From e856f0ca6c5bb5af56d5e0883dccbcf5911ce173 Mon Sep 17 00:00:00 2001
From: Chris Smith <chris@walletconnect.com>
Date: Thu, 22 Feb 2024 14:26:26 -0500
Subject: [PATCH 3/4] chore: revert refactor

---
 src/http_server/mod.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/http_server/mod.rs b/src/http_server/mod.rs
index 1cbd7c8..65b31bb 100644
--- a/src/http_server/mod.rs
+++ b/src/http_server/mod.rs
@@ -168,6 +168,10 @@ pub async fn run<S, G>(
     );
 }
 
+fn index_html(token: &str) -> String {
+    format!("<script>const csrfToken = '{token}';{SCRIPT}</script>")
+}
+
 const UNKNOWN_PROJECT_MSG: &str = "Project with the provided ID doesn't exist. Please, ensure \
                                    that the project is registered on cloud.walletconnect.com";
 
@@ -188,7 +192,7 @@ where
         VerifyStatus::Disabled => String::new().into_response(),
         VerifyStatus::Enabled { verified_domains } => {
             let token = s.token_manager.generate_csrf_token()?;
-            let html = format!("<script>const csrfToken = '{token}';{SCRIPT}</script>");
+            let html = index_html(&token);
             let csp = build_content_security_header(verified_domains);
             let headers = [
                 (header::CONTENT_SECURITY_POLICY, csp),

From 1f3d0f30c98df1641902f4110645043ef3312047 Mon Sep 17 00:00:00 2001
From: Chris Smith <chris@walletconnect.com>
Date: Thu, 22 Feb 2024 14:35:40 -0500
Subject: [PATCH 4/4] fix: build errors

---
 src/http_server/index_js.rs | 6 +++---
 src/http_server/mod.rs      | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/http_server/index_js.rs b/src/http_server/index_js.rs
index 09f570d..b505977 100644
--- a/src/http_server/index_js.rs
+++ b/src/http_server/index_js.rs
@@ -8,7 +8,7 @@ use {
     serde::Deserialize,
 };
 
-const SCRIPT: &str = r#"
+pub const SCRIPT: &str = r#"
 // event subscribed by Verify Enclave
 window.addEventListener("message", (event) => {
     const attestationId = event.data
@@ -41,8 +41,8 @@ pub(super) struct Params {
 }
 
 pub(super) async fn get(query: Query<Params>) -> Result<impl IntoResponse, StatusCode> {
-    let token = query.token;
-    if !CsrfToken::validate_format(&token) {
+    let token = &query.token;
+    if !CsrfToken::validate_format(token) {
         return Err(StatusCode::BAD_REQUEST);
     }
 
diff --git a/src/http_server/mod.rs b/src/http_server/mod.rs
index 65b31bb..b1bb76e 100644
--- a/src/http_server/mod.rs
+++ b/src/http_server/mod.rs
@@ -35,7 +35,7 @@ use {
         StatusCode,
     },
     serde::{Deserialize, Serialize},
-    std::{convert::Infallible, future::Future, iter, net::SocketAddr, str::Bytes, sync::Arc},
+    std::{convert::Infallible, future::Future, iter, net::SocketAddr, sync::Arc},
     tap::{Pipe, Tap},
     tower_http::cors::{self, CorsLayer},
     tracing::{info, instrument},