feat(security): adds cors & small security fixes (#362)

Author: n3rdc4ptn

.env.template

@@ -32,3 +32,7 @@ FEEDBACK_URL_LINK=
 
 # frame-ancestors attribute of CSP. Separate multiple values with a space
 FRAME_ANCESTORS=
+
+# Allowed CORS origins (comma-separated). Example: https://app.example.com,https://admin.example.com
+# Leave empty to use POST_LOGIN_REDIRECT as the default allowed origin
+ALLOWED_CORS_ORIGINS=

package-lock.json

@@ -28,6 +28,7 @@
     "@apollo/client": "3.14.0",
     "@fastify/autoload": "6.3.1",
     "@fastify/cookie": "11.0.2",
+    "@fastify/cors": "11.1.0",
     "@fastify/env": "5.0.3",
     "@fastify/helmet": "13.0.2",
     "@fastify/http-proxy": "11.3.0",

package.json

@@ -1,5 +1,6 @@
 import Fastify from 'fastify';
 import FastifyVite from '@fastify/vite';
+import cors from '@fastify/cors';
 import helmet from '@fastify/helmet';
 import { fileURLToPath } from 'node:url';
 import path from 'node:path';
@@ -12,8 +13,6 @@ import { injectDynatraceTag } from './server/config/dynatrace.js';
 
 dotenv.config();
 
-console.log(process.env);
-
 const { DYNATRACE_SCRIPT_URL } = process.env;
 if (DYNATRACE_SCRIPT_URL) {
   injectDynatraceTag(DYNATRACE_SCRIPT_URL);
@@ -70,6 +69,33 @@ const fastify = Fastify({
 Sentry.setupFastifyErrorHandler(fastify);
 await fastify.register(envPlugin);
 
+fastify.register(cors, {
+  origin: isLocalDev
+    ? true // Allow all origins in local development
+    : (origin, callback) => {
+        // In production, validate against allowed origins
+        const allowedOrigins =
+          // @ts-ignore
+          fastify.config.ALLOWED_CORS_ORIGINS && fastify.config.ALLOWED_CORS_ORIGINS.trim()
+            ? // @ts-ignore
+              fastify.config.ALLOWED_CORS_ORIGINS.split(',')
+                // @ts-ignore
+                .map((o) => o.trim())
+                // @ts-ignore
+                .filter((o) => o)
+            : // @ts-ignore
+              [fastify.config.POST_LOGIN_REDIRECT]; // Fallback to POST_LOGIN_REDIRECT
+
+        if (!origin || allowedOrigins.includes(origin)) {
+          callback(null, true);
+        } else {
+          callback(null, false);
+        }
+      },
+  methods: ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE'],
+  credentials: true, // Required for cookie-based sessions
+});
+
 let sentryHost = '';
 // @ts-ignore
 if (fastify.config.FRONTEND_SENTRY_DSN && fastify.config.FRONTEND_SENTRY_DSN.length > 0) {
@@ -94,6 +120,10 @@ if (DYNATRACE_SCRIPT_URL) {
 fastify.register(helmet, {
   contentSecurityPolicy: {
     directives: {
+      defaultSrc: ["'self'"],
+      // styleSrc: unsafe-inline is needed for our styling
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", 'data:'],
       'connect-src': ["'self'", 'sdk.openui5.org', sentryHost, dynatraceOrigin],
       'script-src': isLocalDev
         ? ["'self'", "'unsafe-inline'", "'unsafe-eval'", sentryHost, dynatraceOrigin]
@@ -102,6 +132,12 @@ fastify.register(helmet, {
       'frame-ancestors': [...fastify.config.FRAME_ANCESTORS.split(',')],
     },
   },
+  // Needed for https enforcement
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+    preload: true,
+  },
 });
 
 fastify.register(proxy, {

server.ts

@@ -29,6 +29,7 @@ const schema = {
     FEEDBACK_SLACK_URL: { type: 'string' },
     FEEDBACK_URL_LINK: { type: 'string' },
     FRAME_ANCESTORS: { type: 'string' },
+    ALLOWED_CORS_ORIGINS: { type: 'string' },
     BFF_SENTRY_DSN: { type: 'string' },
     FRONTEND_SENTRY_DSN: { type: 'string' },
     FRONTEND_SENTRY_ENVIRONMENT: { type: 'string' },

server/config/env.ts

@@ -35,7 +35,7 @@ export default defineConfig({
   },
 
   build: {
-    sourcemap: true,
+    sourcemap: true, // crucial for sentry
     target: 'esnext', // Support top-level await
   },
 });