Repo cleanup and updates

2025-11-10 14:55:22 +01:00 · 2025-11-10 14:55:22 +01:00 · 99f8d7e2eb
commit 99f8d7e2eb
parent 3a1063e40e
72 changed files with 11857 additions and 16439 deletions
--- a/apps/link/middleware.ts
+++ b/apps/link/middleware.ts
@ -52,19 +52,44 @@ const checkRewrites = async (request: NextRequestWithAuth) => {
  };

  if (request.nextUrl.pathname.startsWith("/dashboards")) {
-    return rewriteURL(
-      request,
-      `${linkBaseURL}/dashboards`,
-      opensearchBaseURL,
-      headers,
-    );
+    // Extract the path after /dashboards and append to OpenSearch URL
+    let path = request.nextUrl.pathname.slice("/dashboards".length);
+    if (path.startsWith("/")) {
+      path = path.slice(1);
+    }
+    const search = request.nextUrl.search;
+    const destinationURL = `${opensearchBaseURL}/${path}${search}`;
+
+    logger.debug({
+      pathname: request.nextUrl.pathname,
+      path,
+      search,
+      destinationURL
+    }, "OpenSearch proxy");
+
+    const requestHeaders = new Headers(request.headers);
+    requestHeaders.delete("x-forwarded-user");
+    requestHeaders.delete("x-forwarded-roles");
+    requestHeaders.delete("connection");
+
+    for (const [key, value] of Object.entries(headers)) {
+      requestHeaders.set(key, value as string);
+    }
+
+    return NextResponse.rewrite(new URL(destinationURL), {
+      request: { headers: requestHeaders },
+    });
  }

  const isDev = process.env.NODE_ENV === "development";
  const nonce = Buffer.from(crypto.randomUUID()).toString("base64");
+
+  // Allow digiresilience.org for embedding documentation
+  const frameSrcDirective = `frame-src 'self' https://digiresilience.org;`;
+
  const cspHeader = `
    default-src 'self';
-    frame-src 'self' https://digiresilience.org;
+    ${frameSrcDirective}
    connect-src 'self';
    script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${isDev ? "'unsafe-eval'" : ""};
    style-src 'self' 'unsafe-inline';
@ -98,6 +123,16 @@ const checkRewrites = async (request: NextRequestWithAuth) => {
    contentSecurityPolicyHeaderValue,
  );

+  // Additional security headers
+  response.headers.set("X-Frame-Options", "SAMEORIGIN");
+  response.headers.set("X-Content-Type-Options", "nosniff");
+  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+  response.headers.set("X-XSS-Protection", "1; mode=block");
+  response.headers.set(
+    "Permissions-Policy",
+    "camera=(), microphone=(), geolocation=()"
+  );
+
  return response;
 }