TECH-156 - Update the Civic frontend canister

.gitignore

@@ -1,4 +1,25 @@
-node_modules
-target
-dist
-.dfx
+# Various IDEs and Editors
+.vscode/
+.idea/
+**/*~
+
+# Mac OSX temporary files
+.DS_Store
+**/.DS_Store
+
+# dfx temporary files
+.dfx/
+
+# generated files
+**/declarations/
+
+# rust
+target/
+
+# frontend code
+node_modules/
+dist/
+.svelte-kit/
+
+# environment variables
+.env

dfx.json

@@ -3,17 +3,15 @@
   "__1": "We use '__X' fields (unknown fields are ignored by dfx) to leave comments.",
   "canisters": {
     "internet_identity": {
-      "__0": "The development build of Internet Identity. For more information, see https://github.com/dfinity/internet-identity#build-features-and-flavors",
-      "type": "custom",
       "candid": "https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity.did",
-      "wasm": "https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_dev.wasm.gz",
-
-      "__2": "The remote block indicates that this canister is only used locally and should not be deployed on the IC.",
+      "frontend": {},
       "remote": {
         "id": {
           "ic": "rdmx6-jaaaa-aaaaa-aaadq-cai"
         }
-      }
+      },
+      "type": "custom",
+      "wasm": "https://github.com/dfinity/internet-identity/releases/latest/download/internet_identity_dev.wasm.gz"
     },
 
     "civic_canister_backend": {
@@ -22,38 +20,11 @@
       "type": "rust"
     },
 
-
-
-    "civic_canister_frontend": {
-      "__0": "Canisters of type 'assets' are like buckets. When deployed, dfx creates a canister that is just one big empty map.",
-      "__1": "After the canister itself is created, dfx uploads all the files specified in the 'source' field.",
-      "__2": "Those files are then stored in the canister's map and served with http_request.",
-
-      "__3": "NOTE: dfx will run 'npm run build' when the canister is to be built (dfx build or dfx deploy)",
-      "__4": "(which in this case populates 'dist/', see package.json).",
-      "__5": "source must be a directory, otherwise we get a cryptic error.",
-      "frontend": {
-        "entrypoint": "src/civic_canister_frontend/dist/index.html"
-
-      },
-      "source": [
-        "src/civic_canister_frontend/dist"
-
-      ],
+    "civic-canister-frontend": {
+      "source": ["src/civic-canister-frontend/dist"],
       "type": "assets",
-      "__6": "NOTE: the 'frontend' signals dfx that it is useful to print out the front-end URL of this canister when deploying. It is not strictly required."
-    },
-
-    "relying_canister_frontend": {
-      "frontend": {
-        "entrypoint": "src/relying_canister_frontend/src/index.html"
-      },
-      "source": [
-        "src/relying_canister_frontend/dist"
-      ],
-      "type": "assets"
+      "workspace": "civic-canister-frontend"
     }
-
   },
   "defaults": {
     "build": {

package.json

@@ -0,0 +1,21 @@
+{
+  "engines": {
+    "node": ">=16.0.0",
+    "npm": ">=7.0.0"
+  },
+  "name": "icp-civic-canister",
+  "scripts": {
+    "build": "npm run build --workspaces --if-present",
+    "prebuild": "npm run prebuild --workspaces --if-present",
+    "pretest": "npm run prebuild --workspaces --if-present",
+    "start": "npm start --workspaces --if-present",
+    "test": "npm test --workspaces --if-present"
+  },
+  "dependencies": {
+    "@dfinity/agent": "^1.3.0"
+  },
+  "type": "module",
+  "workspaces": [
+    "src/civic-canister-frontend"
+  ]
+}

src/civic-canister-frontend/.env.local

@@ -0,0 +1,4 @@
+VITE_LOCAL_INTERNET_IDENTITY_CANISTER_ID=be2us-64aaa-aaaaa-qaabq-cai
+VITE_LOCAL_CIVIC_FRONTEND_CANISTER_ID=bd3sg-teaaa-aaaaa-qaaba-cai
+VITE_LOCAL_CIVIC_BACKEND_CANISTER_ID=bkyz2-fmaaa-aaaaa-qaaaq-cai
+VITE_LOCAL_HOST=localhost:4943

src/civic-canister-frontend/.env.production

@@ -0,0 +1,4 @@
+VITE_PROD_INTERNET_IDENTITY_CANISTER_ID=
+VITE_PROD_CIVIC_FRONTEND_CANISTER_ID=
+VITE_PROD_CIVIC_BACKEND_CANISTER_ID=
+VITE_PROD_HOST=

src/civic-canister-frontend/index.html

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width" />
+  <title>IC Hello Starter</title>
+  <base href="/" />
+  <link rel="icon" href="/favicon.ico" />
+</head>
+
+<body>
+  <div id="root"></div>
+  <script type="module" src="/src/main.jsx"></script>
+</body>
+
+</html>

src/civic-canister-frontend/package.json

@@ -0,0 +1,37 @@
+{
+  "dependencies": {
+    "@dfinity/auth-client": "^1.3.0",
+    "@dfinity/candid": "^1.3.0",
+    "@dfinity/identity-secp256k1": "^1.3.0",
+    "@dfinity/principal": "^1.3.0",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0"
+  },
+  "devDependencies": {
+    "@testing-library/jest-dom": "^5.16.5",
+    "@testing-library/react": "^14.0.0",
+    "@types/react": "^18.2.14",
+    "@types/react-dom": "^18.2.6",
+    "@vitejs/plugin-react": "^4.0.1",
+    "cross-fetch": "^3.1.6",
+    "dotenv": "^16.3.1",
+    "jsdom": "^22.1.0",
+    "sass": "^1.63.6",
+    "typescript": "^5.1.3",
+    "vite": "^4.3.9",
+    "vite-plugin-environment": "^1.1.3",
+    "vitest": "^0.32.2"
+  },
+  "name": "civic-canister-frontend",
+  "private": true,
+  "scripts": {
+    "build": "tsc && vite build",
+    "format": "prettier --write \"src/**/*.{json,js,jsx,ts,tsx,css,scss}\"",
+    "prebuild": "dfx generate",
+    "setup": "npm i && dfx canister create icp-civic-canister-backend && dfx generate icp-civic-canister-backend && dfx deploy",
+    "start": "vite --port 3000",
+    "test": "vitest run"
+  },
+  "type": "module",
+  "version": "0.0.0"
+}

src/civic-canister-frontend/public/.ic-assets.json5

@@ -0,0 +1,56 @@
+[
+    {
+        "match": "**/*",
+        "headers": {
+            // Security: The Content Security Policy (CSP) given below aims at working with many apps rather than providing maximal security.
+            // We recommend tightening the CSP for your specific application. Some recommendations are as follows:
+            // - Use the CSP Evaluator (https://csp-evaluator.withgoogle.com/) to validate the CSP you define.
+            // - Follow the “Strict CSP” recommendations (https://csp.withgoogle.com/docs/strict-csp.html). However, note that in the context of the IC,
+            //   nonces cannot be used because the response bodies must be static to work well with HTTP asset certification.
+            //   Thus, we recommend to include script hashes (in combination with strict-dynamic) in the CSP as described
+            //   in https://csp.withgoogle.com/docs/faq.html in section “What if my site is static and I can't add nonces to scripts?”.
+            //   See for example the II CSP (https://github.com/dfinity/internet-identity/blob/main/src/internet_identity/src/http.rs).
+            // - It is recommended to tighten the connect-src directive. With the current CSP configuration the browser can
+            //   make requests to https://*.icp0.io, hence being able to call any canister via https://icp0.io/api/v2/canister/{canister-ID}.
+            //   This could potentially be used in combination with another vulnerability (e.g. XSS) to exfiltrate private data.
+            //   The developer can configure this policy to only allow requests to their specific canisters,
+            //   e.g: connect-src 'self' https://icp-api.io/api/v2/canister/{my-canister-ID}, where {my-canister-ID} has the following format: aaaaa-aaaaa-aaaaa-aaaaa-aaa
+            // - It is recommended to configure style-src, style-src-elem and font-src directives with the resources your canister is going to use
+            //   instead of using the wild card (*) option. Normally this will include 'self' but also other third party styles or fonts resources (e.g: https://fonts.googleapis.com or other CDNs)
+
+            // Notes about the CSP below:
+            // - script-src 'unsafe-eval' is currently required because agent-js uses a WebAssembly module for the validation of bls signatures.
+            //   There is currently no other way to allow execution of WebAssembly modules with CSP.
+            //   See: https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md.
+            // - We added img-src data: because data: images are used often.
+            // - frame-ancestors: none mitigates clickjacking attacks. See https://owasp.org/www-community/attacks/Clickjacking.
+            "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
+
+            // Security: The permissions policy disables all features for security reasons. If your site needs such permissions, activate them.
+            // To configure permissions go here https://www.permissionspolicy.com/
+            "Permissions-Policy": "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()",
+
+            // Security: Mitigates clickjacking attacks.
+            // See: https://owasp.org/www-community/attacks/Clickjacking.
+            "X-Frame-Options": "DENY",
+
+            // Security: Avoids forwarding referrer information to other origins.
+            // See: https://owasp.org/www-project-secure-headers/#referrer-policy.
+            "Referrer-Policy": "same-origin",
+
+            // Security: Tells the user’s browser that it must always use HTTPS with your site.
+            // See: https://owasp.org/www-project-secure-headers/#http-strict-transport-security
+            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+
+            // Security: Prevents the browser from interpreting files as a different MIME type to what is specified in the Content-Type header.
+            // See: https://owasp.org/www-project-secure-headers/#x-content-type-options
+            "X-Content-Type-Options": "nosniff",
+
+            // Security: Enables browser features to mitigate some of the XSS attacks. Note that it has to be in mode=block.
+            // See: https://owasp.org/www-community/attacks/xss/
+            "X-XSS-Protection": "1; mode=block"
+        },
+        // Uncomment to redirect all requests from .raw.icp0.io to .icp0.io
+        // "allow_raw_access": false
+    },
+]