clinch/app/controllers/api/csp_controller.rb

module Api
  class CspController < ApplicationController
    # CSP violation reports don't need authentication
    skip_before_action :verify_authenticity_token
    allow_unauthenticated_access

    # POST /api/csp-violation-report
    def violation_report
      # Parse CSP violation report
      report_data = JSON.parse(request.body.read)
      csp_report = report_data['csp-report']

      # Validate that we have a proper CSP report
      unless csp_report.is_a?(Hash) && csp_report.present?
        Rails.logger.warn "Received empty or invalid CSP violation report"
        head :bad_request
        return
      end

      # Log the violation for security monitoring
      Rails.logger.warn "CSP Violation Report:"
      Rails.logger.warn "  Blocked URI: #{csp_report['blocked-uri']}"
      Rails.logger.warn "  Document URI: #{csp_report['document-uri']}"
      Rails.logger.warn "  Referrer: #{csp_report['referrer']}"
      Rails.logger.warn "  Violated Directive: #{csp_report['violated-directive']}"
      Rails.logger.warn "  Original Policy: #{csp_report['original-policy']}"
      Rails.logger.warn "  User Agent: #{request.user_agent}"
      Rails.logger.warn "  IP Address: #{request.remote_ip}"

      # Emit structured event for CSP violation
      # This allows multiple subscribers to process the event (Sentry, local logging, etc.)
      Rails.event.notify("csp.violation", {
        blocked_uri: csp_report['blocked-uri'],
        document_uri: csp_report['document-uri'],
        referrer: csp_report['referrer'],
        violated_directive: csp_report['violated-directive'],
        original_policy: csp_report['original-policy'],
        disposition: csp_report['disposition'],
        effective_directive: csp_report['effective-directive'],
        source_file: csp_report['source-file'],
        line_number: csp_report['line-number'],
        column_number: csp_report['column-number'],
        status_code: csp_report['status-code'],
        user_agent: request.user_agent,
        ip_address: request.remote_ip,
        current_user_id: Current.user&.id,
        timestamp: Time.current,
        session_id: Current.session&.id
      })

      head :no_content
    rescue JSON::ParserError => e
      Rails.logger.error "Invalid CSP violation report: #{e.message}"
      head :bad_request
    end
  end
end