fix: disable csp

Author: qamarq

frontend/src/app/layout.tsx

@@ -1,6 +1,5 @@
 import type { Metadata } from "next";
 import { Space_Grotesk } from "next/font/google";
-import { headers } from "next/headers";
 import Script from "next/script";
 import type React from "react";
 
@@ -99,8 +98,6 @@ export default async function RootLayout({
   children: React.ReactNode;
 }) {
   const user = await auth({ disableThrow: true });
-  const headersList = await headers();
-  const nonce = headersList.get("x-nonce");
 
   return (
     <html lang="pl" suppressHydrationWarning={true} className="scroll-smooth">
@@ -121,7 +118,6 @@ export default async function RootLayout({
               src="https://analytics.solvro.pl/script.js"
               data-website-id="ab126a0c-c0ab-401b-bf9d-da652aab69ec"
               data-domains="planer.solvro.pl"
-              nonce={nonce ?? undefined}
             />
             <Toaster richColors={true} />
           </body>

frontend/src/middleware.ts

@@ -4,42 +4,6 @@ import { NextResponse } from "next/server";
 import { auth } from "./lib/auth";
 
 export async function middleware(request: NextRequest) {
-  const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
-  const cspHeader = `
-    default-src 'self' 'nonce-${nonce}' https://fonts.googleapis.com https://fonts.gstatic.com https://analytics.solvro.pl;
-    script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${process.env.NODE_ENV === "development" ? "'unsafe-eval'" : ""} https://analytics.solvro.pl;
-    style-src 'self' 'nonce-${nonce}';
-    img-src 'self' blob: data: https://avatars.githubusercontent.com https://wit.pwr.edu.pl https://cms.solvro.pl https://apps.usos.pwr.edu.pl;
-    font-src 'self';
-    object-src 'none';
-    base-uri 'self';
-    form-action 'self';
-    frame-ancestors 'none';
-    upgrade-insecure-requests;
-  `;
-
-  const contentSecurityPolicyHeaderValue = cspHeader
-    .replaceAll(/\s{2,}/g, " ")
-    .trim();
-
-  const requestHeaders = new Headers(request.headers);
-  requestHeaders.set("x-nonce", nonce);
-
-  requestHeaders.set(
-    "Content-Security-Policy",
-    contentSecurityPolicyHeaderValue,
-  );
-
-  const nextResponse = NextResponse.next({
-    request: {
-      headers: requestHeaders,
-    },
-  });
-  nextResponse.headers.set(
-    "Content-Security-Policy",
-    contentSecurityPolicyHeaderValue,
-  );
-
   const tokens = {
     token: request.cookies.get("access_token")?.value,
     secret: request.cookies.get("access_token_secret")?.value,
@@ -50,31 +14,12 @@ export async function middleware(request: NextRequest) {
   const user = await auth(tokens);
 
   if (!isProtectedRoute) {
-    return nextResponse;
+    return NextResponse.next();
   }
 
   if (user === null) {
     return NextResponse.redirect(new URL("/", request.url));
   }
 
-  return nextResponse;
+  return NextResponse.next();
 }
-
-export const config = {
-  matcher: [
-    /*
-     * Match all request paths except for the ones starting with:
-     * - api (API routes)
-     * - _next/static (static files)
-     * - _next/image (image optimization files)
-     * - favicon.ico (favicon file)
-     */
-    {
-      source: "/((?!api|_next/static|_next/image|favicon.ico).*)",
-      missing: [
-        { type: "header", key: "next-router-prefetch" },
-        { type: "header", key: "purpose", value: "prefetch" },
-      ],
-    },
-  ],
-};