DEV Community: Ferdie Sletering

Angular Signals EventBus pattern

Ferdie Sletering — Tue, 25 Jun 2024 10:09:49 +0000

In several use cases, I find the event bus pattern to be very effective. Angular signals provide an excellent mechanism for managing state, so I decided to implement the event bus pattern using Angular signals.

In my recent project, I am developing a dashboard where the widgets need to communicate with each other while remaining standalone. Each widget has its own state and API, making the event bus pattern a perfect fit for this scenario.

EventBus

Example

Publish banana to the EventBus



import { SignalBusService } from 'ng-signal-bus' 

@Component({
  selector: 'app-widget-add-grocery-items',
  standalone: true,
})
export class WidgetAddGroceryItemsComponent {
  signalBus = inject(SignalBusService)

  constructor() {
    this.publish('fruit:banana', 'Banana')
  }

  publish(key:string, data: any) {
    this.signalBus.publish(key, data)
  }
}

Subscribe to the eventBus and listen for all fruits with the fruit:* selector.



import { SignalBusService } from 'ng-signal-bus' 

@Component({
  selector: 'app-widget-fruit-list',
  standalone: true,
})
export class WidgetFruitListComponent {
  signalBus = inject(SignalBusService)

  ngOnInit() {
     this.signalBus.subscribe('fruit:*', (metaData) => {
      // Outputs { data: 'Banana', timestamp: 1434342 }
      console.log(metaData);
    });
  }
}

metaData

Inside the subscribe callback the service returns a metaData object



export interface MetaData {
  data: any;
  timestamp: number;
}

In this example, we use a simple string as the payload, but you can also provide an object.



 this.publish('fruit:banana', { name: 'Banana', amount: 4 } )
// output
{
 data: { name: 'Banana', amount: 4 }
 timestamp: 232322 
}

Demo

Full demo see Stackblitz

Package

ng-signal-bus - npm

Angular signal based message/event bus service for Angular. Under the hood it's using a signal to store and mutate data, the effect() calls the callback function to update subscribers.. Latest version: 0.2.2, last published: 2 months ago. Start using ng-signal-bus in your project by running `npm i ng-signal-bus`. There are no other projects in the npm registry using ng-signal-bus.

npmjs.com

I have packaged the SignalBusService into an NPM package, so you can easily use it in your project.

Angular Signal

Under the hood it's using a signal to store and mutate data, the effect() calls the callback function to update subscribers.

Note: Only tested with Angular v18.

Angular Material Tabs with components inside the tabs

Ferdie Sletering — Wed, 19 Jun 2024 14:01:07 +0000

My use case was to render components inside the Angular Material Tabs component. Despite searching online, I couldn't find any relevant resources, so I had to figure it out myself.

Below is the structure we want to use to define the components that should be displayed inside the tabs:

 tabs = <Tab[]>[
    {
      label: 'Tab Component',
      component: TabComponent,
      data: {
        title: 'Tab 1 Import information',
        content: `Donec lacinia condimentum efficitur. Phasellus tempor est in luctus
        facilisis.`,
      },
    },
    {
      label: 'Random component',
      component: RandomComponent,
      data: {
        text: 'Text passed on from the random component',
      },
    },
  ];

Component

Here's the complete code snippet for the component that renders the components inside the tab container.

type Tab = {
  label: string;
  component: Type<any>;
  data: Record<string, any>;
};

@Component({
  selector: 'app-tabcontainer',
  standalone: true,
  imports: [MatTabsModule],
  templateUrl: './tabcontainer.component.html',
  styleUrl: './tabcontainer.component.css',
})
export class TabcontainerComponent {
  viewContainerRef = inject(ViewContainerRef);
  tabs = <Tab[]>[
    {
      label: 'Tab Component',
      component: TabComponent,
      data: {
        title: 'Tab 1 Import information',
        content: `Donec lacinia condimentum efficitur. Phasellus tempor est in luctus
        facilisis.`,
      },
    },
    {
      label: 'Random component',
      component: RandomComponent,
      data: {
        text: 'Text passed on from the random component',
      },
    },
  ];

  ngOnInit() {
    this.loadComponent(this.tabs[0]);
  }

  loadComponent(tab: Tab) {
    this.viewContainerRef.clear();
    const ref = this.viewContainerRef.createComponent<any>(tab.component);

    // Pass on the props
    for (const prop in tab.data) {
      if (Object.prototype.hasOwnProperty.call(ref.instance, prop)) {
        ref.instance[prop] = tab.data[prop];
      }
    }
  }

  onTabSelected(index: number) {
    this.loadComponent(this.tabs[index]);
  }
}

Caching the tabs

I conducted performance testing to see if caching the component references and loading them from the cache upon request would improve render time. However, there was no improvement in render time.

Angular signals

The code doesn't work with input() signals yet.

Demo

Try the stackblitz

How to implement an inline styles Content Security Policy with Angular and Nginx

Ferdie Sletering — Sun, 13 Jun 2021 09:16:40 +0000

Intro

We want to make our applications as safe as possible, so we implement a content security policy(CSP) to mitigate Cross Site Scripting (XSS) attacks or Click Jacking.

The demo application contains an ngx-bootstrap toggle and a Angular Material slider component.

application

Implement the Content Security Policy(CSP)

Let's implement a CSP header. More information about CSP.



<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

The result is that our application doesn't look the same anymore.

application

What happened?

Due to our CSP policy, the browser blocks all inline styling that comes from an untrusted source.

console.log

Angular Material and ngx-bootstrap styles are added with the styleUrls property. Angular will parse the component's styling and add them to the

of the page. Based on the ViewEncapsulation property, it's global(none) or scoped(emulated).

<style>

How to solve

When we have control of our styling, we could place all our CSS into a separate file. Issue solved! However, we don't have control over how libraries handle their styling.

Nonce approach

Allows an inline script or CSS to execute if the script (e.g.: <style nonce=" r@nd0m">) tag contains a nonce attribute matching the nonce specified in the CSP header. The nonce should be a secure random string and should not be reused.

Let's add a nonce to our CPS policy and style tags, so our inline styling comes from a trusted source.



 <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'nonce-random-csp-nonce';">

Add nonce to style tag

When looking into the angular/platform-browser package, the following code is responsible for injecting the style tags.

shared_styles_host.ts



private _addStylesToHost(styles: Set<string>, host: Node, styleNodes: Node[]): void {
    styles.forEach((style: string) => {
      const styleEl = this._doc.createElement('style');
      styleEl.textContent = style;
      styleNodes.push(host.appendChild(styleEl));
    });
  }

Luckily Angular provides us with dependency providers, which allows us to create a custom _addStylesToHost function.

We copy the shared_styles_host.ts and modify the _addStylesToHost method.



 private _addStylesToHost(
    styles: Set<string>,
    host: Node,
    styleNodes: Node[]
  ): void {
    styles.forEach((style: string) => {
      const styleEl = this._doc.createElement('style');
      styleEl.textContent = style;
      styleEl.setAttribute('nonce', 'random-csp-nonce'); // Add nonce
      styleNodes.push(host.appendChild(styleEl));
    });
  }

We create a module that can be imported in our app.module.ts

inline-styles-csp.module.ts



import { NgModule } from '@angular/core';
import { CustomDomSharedStylesHost } from './shared_styles_host';
import { ɵDomSharedStylesHost } from '@angular/platform-browser';

@NgModule({
  providers: [
    { provide: ɵDomSharedStylesHost, useClass: CustomDomSharedStylesHost },
  ],
})
export class InlineStylesCSPModule {}

After applying these changes, the style tag contains a nonce.

styletag with nonce

We now have a static nonce that is not secure.

The nonce should be a secure random string and should not be reused.

Create a secure random string with Nginx

We use the sub_filter module of Nginx to replace the static with a dynamic string. In that case, we use the Nginx $request_id variable.

nginx.conf



sub_filter_once off;
sub_filter random-csp-nonce $request_id;

add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'nonce-$request_id'";

Also, note we add the add_header to our config file.

Still, our solution doesn't work because Nginx replaces random-csp-nonce on the index.html file. Angular adds the style tags to the document after Nginx serves the document. When we place a hard-coded <style nonce="random-csp-nonce" /> in the index.html it gets replaced with a dynamic nonce.

Add metatag

We add a new metatag to the index.html so our script can look up the dynamic nonce value.

index.html



<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="CSP-NONCE" content="random-csp-nonce"/>
</head>
<body>
  <app-root></app-root>
</body>
</html>

Let's update our _addStylesToHost method to query the nonce.



 private _addStylesToHost(
    styles: Set<string>,
    host: Node,
    styleNodes: Node[]
  ): void {
    const nonce = document
      .querySelector('meta[name="CSP-NONCE"]')
      ?.getAttribute('content');
    styles.forEach((style: string) => {
      const styleEl = this._doc.createElement('style');
      styleEl.textContent = style;
      styleEl.setAttribute('nonce', nonce); // Add nonce
      styleNodes.push(host.appendChild(styleEl));
    });
  }

Each time we reload the page, a new random nonce is generated and applied to all style tags.

random nonce styletag

Our application looks the same as from the beginning. But now, we have applied a CSP policy :).

application

Conclusion

Although we have proof of concept on fixing the inline styles issue, the final and more sustainable solution should come from the community and the Angular team. For now, we have to inject a custom DomSharedStylesHost class.

Demo

The Github code contains a full version of the code. However, for demo purposes, some code is stripped out of the original code.

🌎 Live demo
📝 Github

Improvements

Nonce in style tags remains empty

The browser parses the inline styles, but the actual nonce remains empty. I don't know why this occurs. The response Content-Security-Policy header contains the correct nonce value.

Stronger nonce token

The $request_id is not a cryptographically secure random token. We could improve this with an nginx module as Scott Helme suggests.

100% secure?

The fact we use AOT compilation means all code is already compiled and can't be tampered with. So although the code looks for the CSP header and gets the nonce, any other script that gets executed could do the same.

Any feedback or thoughts are welcome.