feat: v5.3.1

Author: surmon-china

package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodepress",
-  "version": "5.3.0",
+  "version": "5.3.1",
   "description": "RESTful API service for Surmon.me blog",
   "author": "Surmon",
   "license": "MIT",

src/modules/disqus/disqus.constant.ts

@@ -10,7 +10,7 @@ import { GUESTBOOK_POST_ID } from '@app/constants/biz.constant'
 
 export const DISQUS_OAUTH_CALLBACK_URL = isProdEnv
   ? `${APP_BIZ.URL}/disqus/oauth-callback`
-  : `http://localhost:8000/disqus/oauth-callback`
+  : `http://localhost:${APP_BIZ.PORT}/disqus/oauth-callback`
 
 // extends
 export const COMMENT_POST_ID_EXTEND_KEY = 'disqus-post-id'

src/modules/disqus/disqus.controller.ts

@@ -41,6 +41,11 @@ export class DisqusController {
     }
   }
 
+  @Get('close-window.js')
+  closeWindowScript(@Response() response: FastifyReply) {
+    response.type('application/javascript').send('window.close();')
+  }
+
   @Get('oauth-callback')
   async oauthCallback(@Query() query: CallbackCodeDTO, @Response() response: FastifyReply) {
     const accessToken = await this.disqusPublicService.getAccessToken(query.code)
@@ -57,9 +62,10 @@ export class DisqusController {
       secure: 'auto'
     })
     // Close the popup window
-    response.header('content-security-policy', "script-src 'unsafe-inline'")
     response.header('content-type', 'text/html')
-    response.send(`<script>window.close();</script>`)
+    response.send(`<!DOCTYPE html><html><script src="/disqus/close-window.js"></script></html>`)
+    // To maintain a secure `content-security-policy`, inline JavaScript is not used here.
+    // response.send(`<script>window.close();</script>`)
   }
 
   @Post('oauth-logout')