From 198aac246c4d2481e36cc0400cd48c788fbe715f Mon Sep 17 00:00:00 2001
From: Julien Nahum
Date: Fri, 12 Jan 2024 11:35:50 +0100
Subject: [PATCH] Embeddable form as a nuxt middleware
---
app/Http/Kernel.php | 3 ---
app/Http/Middleware/EmbeddableForms.php | 36 -------------------------
client/server/plugins/embeddable.js | 9 +++++++
3 files changed, 9 insertions(+), 39 deletions(-)
delete mode 100644 app/Http/Middleware/EmbeddableForms.php
create mode 100644 client/server/plugins/embeddable.js
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 10678e3..1ae7aeb 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -4,7 +4,6 @@ namespace App\Http;
 use App\Http\Middleware\AuthenticateJWT;
 use App\Http\Middleware\CustomDomainRestriction;
-use App\Http\Middleware\EmbeddableForms;
 use App\Http\Middleware\IsAdmin;
 use App\Http\Middleware\IsNotSubscribed;
 use App\Http\Middleware\IsSubscribed;
@@ -46,12 +45,10 @@ class Kernel extends HttpKernel
 \Illuminate\View\Middleware\ShareErrorsFromSession::class,
 \App\Http\Middleware\VerifyCsrfToken::class,
 \Illuminate\Routing\Middleware\SubstituteBindings::class,
- EmbeddableForms::class
 ],
 'spa' => [
 \Illuminate\Routing\Middleware\SubstituteBindings::class,
- EmbeddableForms::class
 ],
 'api' => [
diff --git a/app/Http/Middleware/EmbeddableForms.php b/app/Http/Middleware/EmbeddableForms.php
deleted file mode 100644
index e571fc4..0000000
--- a/app/Http/Middleware/EmbeddableForms.php
+++ /dev/null
@@ -1,36 +0,0 @@
-expectsJson() || $request->wantsJson()) {
- return $next($request);
- }
-
- $response = $next($request);
-
- if (!str_starts_with($request->url(), url('/forms/'))) {
- if ($response instanceof Response) {
- $response->header('X-Frame-Options', 'SAMEORIGIN');
- } elseif ($response instanceof \Symfony\Component\HttpFoundation\Response) {
- $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
- }
- }
-
- return $response;
- }
-}
diff --git a/client/server/plugins/embeddable.js b/client/server/plugins/embeddable.js
new file mode 100644
index 0000000..744ec50
--- /dev/null
+++ b/client/server/plugins/embeddable.js
@@ -0,0 +1,9 @@
+export default defineNitroPlugin(nitroApp => {
+ nitroApp.hooks.hook('render:response', (response, { event }) => {
+ const routePath= event.context.params._
+ if (!routePath.startsWith('forms/')) {
+ // Only allow embedding of forms
+ response.headers['X-Frame-Options'] = 'sameorigin'
+ }
+ })
+})
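Review bot: `event.context.params._` on the third added line is only populated when the matched route has a catch-all segment, so for any other render (the root page, a fixed route, a 404) `routePath` is presumably undefined and `routePath.startsWith` throws inside the hook, leaving the response without the header on exactly the pages that should be protected; reading it fail-closed, `const routePath = event.context.params?._ ?? ''`, keeps `X-Frame-Options: sameorigin` on every non-form render. The comment `// Only allow embedding of forms` sits on the branch that denies framing; `// Deny framing for everything except public forms (fail closed when the route param is missing)` says what the branch does. Since the Kernel.php hunks drop the header from the Laravel `web` and `spa` groups entirely, any HTML still served directly by the PHP backend (redirects, error pages, anything not rendered through Nuxt) appears to lose clickjacking protection after this change — worth confirming which routes bypass the Nitro renderer. Setting `Content-Security-Policy: frame-ancestors 'self'` next to the legacy header would cover clients that ignore `X-Frame-Options`.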