feat: add support for nonce

[snyamathi]

This PR adds a CSP nonce if given in $global. fixes: #8

Description

The midstream redirect script should include a CSP nonce if one exists in $global

Since we don't have a handle to $global in the redirect function, I can't really think of a better way to add the nonce in without either

• changing the signature of res.redirect (not ideal)
• adding a new variable to req or res which might break others

Motivation and Context

We need a CSP Nonce for our security settings

Screenshots (if appropriate):

Checklist:

• I have updated/added documentation affected by my changes.
• I have added tests to cover my changes.

cc @DylanPiercey

---

I signed the CLA but still showing an error

[changeset-bot]

🦋 Changeset detected

Latest commit: 6043795

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@marko/express	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: snyamathi / name: Suneil Nyamathi (dbff785, cf67f30)
• ✅ login: DylanPiercey / name: Dylan Piercey (76aa395, 339bb13, 8ed27c0, 6043795)

[snyamathi]

Adds a wrapper to the function so we can inject the csp nonce

[snyamathi]

Default export to maintain backward compatibility and avoid having to re-create the function each request unless a nonce is given.

[codecov]

Codecov Report

Base: 100.00% // Head: 100.00% // No change to project coverage 👍

Coverage data is based on head (8af3945) compared to base (5672b65).
Patch coverage: 100.00% of modified lines in pull request are covered.

❗ Current head 8af3945 differs from pull request most recent head 6043795. Consider uploading reports for the commit 6043795 to get more accurate results

Additional details and impacted files

@@            Coverage Diff            @@
##              main       #10   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            7         7           
  Lines           53        58    +5     
  Branches        13        16    +3     
=========================================
+ Hits            53        58    +5     

Impacted Files	Coverage Δ
src/index.ts	100.00% <100.00%> (ø)
src/redirect.ts	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[DylanPiercey]

@snyamathi thanks for the reminder and the PR. I went ahead and improved/simplified a few things and will get out the patch shortly 😄

(Note: there's something wrong with the format script in the CLI, I went ahead and ensured the formatting was good)

[snyamathi]

Got it - yeah I like the approach using a symbol to store the cspNonce on the res object - LGTM and much easier.

[DylanPiercey]

Awesome. I'm just working to figure out what's wrong with the format CI. Once I get that fixed I'll get this merged.

[DylanPiercey]

Seems like github just doesn't like having a commit action from a fork so 🤷. Thanks again for the PR, just going to go ahead and merge!