helmet, cors tweaks

2025-03-31 23:53:34 +02:00 · 2025-03-31 23:53:34 +02:00 · 96cf5968eb
commit 96cf5968eb
parent a7a7f918d2
6 changed files with 446 additions and 301 deletions
--- a/backend/.env
+++ b/backend/.env
@ -4,7 +4,7 @@ POSTGRES_PASSWORD=postgres
 POSTGRES_DB=imk_db
 DATABASE_URL=postgresql://postgres:postgres@postgres:5432/imk_db?schema=public
 API_URL="https://imkapi.oblak.solutions"
-CORS_ORIGIN="[http://localhost:5173,https://www.placebo.mk,https://placebo.mk]"
+CORS_ORIGIN="[http://localhost:5173,https://www.placebo.mk,https://placebo.mk, https://imkapi.oblak.solutions]"

 REDIS_PASSWORD=somerandompassword

--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -29,20 +29,21 @@
    "@aws-sdk/client-s3": "^3.679.0",
    "@aws-sdk/lib-storage": "^3.679.0",
    "@aws-sdk/s3-request-presigner": "^3.679.0",
-    "@nestjs/common": "^10.0.0",
-    "@nestjs/config": "^3.3.0",
-    "@nestjs/core": "^10.0.0",
-    "@nestjs/jwt": "^10.2.0",
+    "@nestjs/common": "^11.0.12",
+    "@nestjs/config": "^4.0.2",
+    "@nestjs/core": "^11.0.12",
+    "@nestjs/jwt": "^11.0.0",
    "@nestjs/mapped-types": "^2.0.5",
-    "@nestjs/passport": "^10.0.3",
-    "@nestjs/platform-express": "^10.4.6",
-    "@nestjs/typeorm": "^10.0.2",
+    "@nestjs/passport": "^11.0.5",
+    "@nestjs/platform-express": "^11.0.12",
+    "@nestjs/typeorm": "^11.0.0",
    "@prisma/client": "^6.5.0",
    "@types/multer": "^1.4.12",
    "@types/nodemailer": "^6.4.17",
    "bcrypt": "^5.1.1",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.14.1",
+    "helmet": "^8.1.0",
    "nodemailer": "^6.10.0",
    "passport": "^0.7.0",
    "passport-jwt": "^4.0.1",
@ -55,7 +56,7 @@
  "devDependencies": {
    "@nestjs/cli": "^10.0.0",
    "@nestjs/schematics": "^10.0.0",
-    "@nestjs/testing": "^10.0.0",
+    "@nestjs/testing": "^11.0.12",
    "@types/bcrypt": "^5.0.2",
    "@types/express": "^4.17.17",
    "@types/jest": "^29.5.2",
--- a/backend/src/app.module.ts
+++ b/backend/src/app.module.ts
@ -1,4 +1,4 @@
-import { Module } from "@nestjs/common";
+import { MiddlewareConsumer, Module, NestModule } from "@nestjs/common";
 import { AppController } from "./app.controller";
 import { AppService } from "./app.service";
 import { AuthModule } from "./auth/auth.module";
@ -17,7 +17,7 @@ import { DocumentsController } from "./documents/documents.controller";
 import { JwtModule } from "@nestjs/jwt";
 import { EmailModule } from "./email/email.module";
 import { InitModule } from "./init/init.module";
-import { HealthController } from './health/health.controller';
+import { HealthController } from "./health/health.controller";

@Module({
  imports: [
@ -36,7 +36,12 @@ import { HealthController } from './health/health.controller';
    EmailModule,
    InitModule,
  ],
-  controllers: [AppController, AuthController, DocumentsController, HealthController],
+  controllers: [
+    AppController,
+    AuthController,
+    DocumentsController,
+    HealthController,
+  ],
  providers: [
    AppService,
    UploadService,
@ -45,4 +50,22 @@ import { HealthController } from './health/health.controller';
    PrismaService,
  ],
 })
-export class AppModule {}
+export class AppModule implements NestModule {
+  configure(consumer: MiddlewareConsumer) {
+    consumer
+      .apply((req, res, next) => {
+        res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
+        res.header("Access-Control-Allow-Credentials", "true");
+        res.header(
+          "Access-Control-Allow-Headers",
+          "Origin, X-Requested-With, Content-Type, Accept",
+        );
+        res.header(
+          "Access-Control-Allow-Methods",
+          "GET, POST, PUT, DELETE, OPTIONS",
+        );
+        next();
+      })
+      .forRoutes("*");
+  }
+}
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@ -1,6 +1,8 @@
 import { Logger, ValidationPipe } from "@nestjs/common";
 import { NestFactory } from "@nestjs/core";
 import { AppModule } from "./app.module";
+// import { CorsOptions } from '@nestjs/common/interfaces/external/cors-options.interface';
+import helmet from "helmet";

 async function bootstrap() {
  const logger = new Logger("Bootstrap");
@ -28,14 +30,14 @@ async function bootstrap() {
        "Content-Type",
        "Accept",
        "Authorization",
-        'Access-Control-Allow-Headers',
+        "Access-Control-Allow-Headers",
        "Access-Control-Allow-Origin",
        "Access-Control-Allow-Credentials",
      ],
      exposedHeaders: [
-              'Access-Control-Allow-Origin',
-              'Access-Control-Allow-Credentials',
-            ],
+        "Access-Control-Allow-Origin",
+        "Access-Control-Allow-Credentials",
+      ],
      preflightContinue: false,
      optionsSuccessStatus: 204,
    });
@ -48,6 +50,17 @@ async function bootstrap() {
      }),
    );

+    app.use(
+      helmet({
+        crossOriginResourcePolicy: {
+          policy: "cross-origin",
+        },
+        crossOriginOpenerPolicy: {
+          policy: "same-origin-allow-popups",
+        },
+      }),
+    );
+
    const port = process.env.PORT || 3000;

    logger.log(`Attempting to start server on port ${port}...`);
--- a/frontend/src/services/api.js
+++ b/frontend/src/services/api.js
@ -2,8 +2,8 @@ import axios from "axios";

 const API_URL =
  // process.env.NODE_ENV === "production"
-  // "https://imkapi.oblak.solutions" ||
-  "http://localhost:3000";
+  "https://imkapi.oblak.solutions";
+// "http://localhost:3000";

 const api = axios.create({
  baseURL: API_URL,