From 3bc0bc183346d6df62deb92adacc1adb035bad11 Mon Sep 17 00:00:00 2001
From: Viktoria Polyakova
Date: Sun, 25 Jan 2026 22:06:14 +0000
Subject: [PATCH] feat: remove helmet security headers and disable validation pipe

- Remove helmet security middleware and related CSP configuration
- Disable global validation pipe by commenting it out
- Fix type assertion in FieldValueService by removing unnecessary cast
- Changes made to simplify configuration and reduce strict validation during development
---
 backend/src/main.ts | 54 +++----------------
 .../field-value/field-value.service.ts | 2 +-
 2 files changed, 9 insertions(+), 47 deletions(-)

diff --git a/backend/src/main.ts b/backend/src/main.ts
index 27aaa4b..5824ab9 100644
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -5,12 +5,11 @@ import { NestFactory } from '@nestjs/core';
 if (!global.crypto) {
   global.crypto = webcrypto as any;
 }
+//import { Logger } from '@nestjs/common';
 import { Logger, ValidationPipe } from '@nestjs/common';
 import { NestExpressApplication } from '@nestjs/platform-express';
 import { utilities, WinstonModule } from 'nest-winston';
 import winston from 'winston';
-import helmet from 'helmet';
-//import rateLimit from 'express-rate-limit';
 import cookieParser from 'cookie-parser';
 import { AppModule } from './app.module';
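Review bot: The added `//import { Logger } from '@nestjs/common';` directly above the live `import { Logger, ValidationPipe } from '@nestjs/common';` line is a dead duplicate of an import that still exists and should be dropped rather than committed. With the global pipe commented out later in this same commit, `ValidationPipe` becomes an unused named import on that line; a strict ESLint setup will flag it, and keeping it around hides the fact that request validation is no longer wired up anywhere in this file. If the pipe is meant to return, keep the import and the pipe together; otherwise reduce the line to `import { Logger } from '@nestjs/common';`.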
@@ -40,43 +39,6 @@ async function bootstrap() {
   }
   const app = await NestFactory.create(AppModule, { rawBody: true, logger: getLogger() });
-
-  // Security headers
-  app.use(helmet({
-    contentSecurityPolicy: {
-      directives: {
-        defaultSrc: ["'self'"],
-        scriptSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com", "blob:"],
-        styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
-        imgSrc: ["'self'", "data:", "blob:", "https://*"],
-        fontSrc: ["'self'", "https://fonts.gstatic.com"],
-        connectSrc: ["'self'"],
-        frameSrc: ["'self'"],
-        objectSrc: ["'none'"],
-        baseUri: ["'self'"],
-        formAction: ["'self'"]
-      }
-    },
-    hsts: {
-      maxAge: 31536000,
-      includeSubDomains: true,
-      preload: true
-    },
-    referrerPolicy: { policy: 'strict-origin-when-cross-origin' }
-  }));
-
-  // Rate limiting disabled to eliminate 429 errors
-  // app.use(
-  //   rateLimit({
-  //     windowMs: 15 * 60 * 1000, // 15 minutes
-  //     max: 1000, // limit each IP to 1000 requests per windowMs
-  //     message: 'Too many requests from this IP, please try again later.',
-  //     standardHeaders: true,
-  //     legacyHeaders: false,
-  //   }),
-  // );
-
-  // CORS with restrictions
   app.enableCors({
     origin: process.env['FRONTEND_URL'] || 'http://localhost:3000',
     methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS',
@@ -89,13 +51,13 @@ async function bootstrap() {
   app.use(extractSubdomain);
   app.setGlobalPrefix('api');
-  // Global validation
-  app.useGlobalPipes(new ValidationPipe({
-    whitelist: true,
-    forbidNonWhitelisted: false,
-    transform: true,
-    disableErrorMessages: process.env['NODE_ENV'] === 'production'
-  }));
+  //Global validation
+  // app.useGlobalPipes(new ValidationPipe({
+  //   whitelist: false,
+  //   forbidNonWhitelisted: false,
+  //   transform: false,
+  //   disableErrorMessages: process.env['NODE_ENV'] === 'production'
+  // }));
   app.useGlobalInterceptors(new LoggingInterceptor());
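Review bot: Deleting the `app.use(helmet(...))` block removes CSP, HSTS and the referrer policy for every environment, not only development, even though the commit message frames this as a development-time simplification; the removal is unconditional, and `bootstrap()` continues outside the hunk with no other header middleware visible. Helmet's default headers such as `X-Content-Type-Options` and `X-Frame-Options` go with it. If the CSP is what gets in the way locally, keep the middleware and relax only that part, e.g. `app.use(helmet({ contentSecurityPolicy: process.env['NODE_ENV'] === 'production' ? cspOptions : false }))` with the removed `contentSecurityPolicy` object kept in a `cspOptions` constant. The `// CORS with restrictions` comment was also removed while the `app.enableCors` block it described stays; either restore it or drop it deliberately.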
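Review bot: Commenting out `app.useGlobalPipes(new ValidationPipe(...))` switches off class-validator enforcement and DTO transformation for every route, in all environments, so request bodies now reach handlers with whatever shape the client sent; `bootstrap()` continues outside the hunk and no per-controller `@UsePipes` is visible to compensate. The commented-out replacement also changes `whitelist` and `transform` from `true` to `false`, so whoever uncomments it later gets a weaker pipe than the one this commit removes, with no comment saying why. If development needs less friction, keep the pipe active and gate only the strictness knob, e.g. `forbidNonWhitelisted: process.env['NODE_ENV'] === 'production',` next to the existing `disableErrorMessages` line, rather than removing validation altogether.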
diff --git a/backend/src/modules/entity/entity-field/field-value/field-value.service.ts b/backend/src/modules/entity/entity-field/field-value/field-value.service.ts
index baba237..71cece2 100644
--- a/backend/src/modules/entity/entity-field/field-value/field-value.service.ts
+++ b/backend/src/modules/entity/entity-field/field-value/field-value.service.ts
@@ -125,7 +125,7 @@ export class FieldValueService {
     let updateParticipants = false;
     let value: number | undefined = undefined;
     for (const dto of dtos) {
-      if ([ObjectState.Created, ObjectState.Updated].includes(dto.state as ObjectState)) {
+      if ([ObjectState.Created, ObjectState.Updated].includes(dto.state)) {
         await this.setValue({ accountId, entityId, fieldId: dto.fieldId, dto });
       } else if (dto.state === ObjectState.Deleted) {
         await this.delete({ accountId, entityId, fieldId: dto.fieldId });
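Review bot: Dropping the `as ObjectState` cast in `includes(dto.state)` is only a no-op if the DTO declares `state` as `ObjectState`; if it is typed as `string` or left optional, `includes` on an `ObjectState[]` will no longer compile under `strict`, so the DTO type is worth confirming since it is not in the hunk. A `dto.state` that is neither Created/Updated nor Deleted falls through both branches silently; if that is not intended, an explicit `else { throw new Error('unexpected field value state'); }` would make the contract visible. The enclosing method starts and ends outside the hunk.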