Remove inline script from API doc, add CSP policy section

Security: - Move env switcher logic to assets/modules/api-env-switcher.js (no inline script) - Register in app.js via initApiEnvSwitcher() - Compliant with CSP script-src (no unsafe-inline needed for this page) API doc: - Add CSP policy section showing all authorized origins per directive - Table: script-src, connect-src, style-src, img-src, font-src, frame-src, form-action, object-src, worker-src - Note: inline scripts not allowed, must use nonce or external file Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 19:02:28 +01:00
parent 419c7f0a19
commit 10d9051880
3 changed files with 108 additions and 39 deletions
--- a/assets/app.js
+++ b/assets/app.js
@@ -11,6 +11,7 @@ import { initCommissionCalculator } from "./modules/commission-calculator.js"
 import { initCart } from "./modules/cart.js"
 import { initStripePayment } from "./modules/stripe-payment.js"
 import { initShare } from "./modules/share.js"
+import { initApiEnvSwitcher } from "./modules/api-env-switcher.js"

 document.addEventListener('DOMContentLoaded', () => {
    initMobileMenu()
@@ -25,6 +26,7 @@ document.addEventListener('DOMContentLoaded', () => {
    initCart()
    initStripePayment()
    initShare()
+    initApiEnvSwitcher()

    document.querySelectorAll('[data-confirm]').forEach(form => {
        form.addEventListener('submit', (e) => {
--- a/assets/modules/api-env-switcher.js
+++ b/assets/modules/api-env-switcher.js
@@ -0,0 +1,48 @@
+const ENVS = {
+    sandbox: {
+        prefix: '/api/sandbox',
+        baseUrl: 'https://ticket.e-cosplay.fr/api/sandbox',
+        color: 'text-orange-400',
+        btnBg: 'bg-orange-500',
+        desc: 'Environnement de test. Les donnees ne sont pas modifiees.',
+    },
+    live: {
+        prefix: '/api/live',
+        baseUrl: 'https://ticket.e-cosplay.fr/api/live',
+        color: 'text-green-400',
+        btnBg: 'bg-green-600',
+        desc: 'Environnement de production. Les donnees sont reelles.',
+    },
+}
+
+const BTN_BASE = 'env-btn px-5 py-2 font-black uppercase text-xs tracking-widest transition-all cursor-pointer '
+
+function switchEnv(env) {
+    const config = ENVS[env]
+    if (!config) return
+
+    document.querySelectorAll('.env-btn').forEach(btn => {
+        const isActive = btn.dataset.env === env
+        btn.className = BTN_BASE + (isActive ? config.btnBg + ' text-white' : 'bg-gray-800 text-gray-400 hover:text-white')
+    })
+
+    const baseUrlEl = document.getElementById('env-base-url')
+    if (baseUrlEl) baseUrlEl.textContent = config.baseUrl
+
+    const descEl = document.getElementById('env-description')
+    if (descEl) descEl.textContent = config.desc
+
+    document.querySelectorAll('.api-env-prefix').forEach(el => {
+        el.textContent = config.prefix
+        el.className = 'api-env-prefix ' + config.color
+    })
+}
+
+export function initApiEnvSwitcher() {
+    const switcher = document.getElementById('env-switcher')
+    if (!switcher) return
+
+    document.querySelectorAll('.env-btn').forEach(btn => {
+        btn.addEventListener('click', () => switchEnv(btn.dataset.env))
+    })
+}