Use helmet to set security headers and restrict information sent to t…

…he frontend
will2hew · Jul 6, 2024 · f9c972a · f9c972a
1 parent 8343701
commit f9c972a
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 54 deletions.
diff --git a/apps/client/src/features/user/types/user.types.ts b/apps/client/src/features/user/types/user.types.ts
@@ -4,19 +4,10 @@ export interface IUser {
   id: string;
   name: string;
   email: string;
-  emailVerifiedAt: Date;
   avatarUrl: string;
   timezone: string;
-  settings: IUserSettings;
-  invitedById: string;
-  lastLoginAt: string;
-  lastActiveAt: Date;
-  createdAt: Date;
-  updatedAt: Date;
   role: string;
   workspaceId: string;
-  deactivatedAt: Date;
-  deletedAt: Date;
   fullPageWidth: boolean; // used for update
 }
 

diff --git a/apps/client/src/features/workspace/types/workspace.types.ts b/apps/client/src/features/workspace/types/workspace.types.ts
@@ -3,14 +3,9 @@ export interface IWorkspace {
   name: string;
   description: string;
   logo: string;
-  hostname: string;
-  defaultSpaceId: string;
-  customDomain: string;
-  enableInvite: boolean;
   inviteCode: string;
-  settings: any;
-  createdAt: Date;
-  updatedAt: Date;
+  oidcEnabled: boolean;
+  oidcButtonName: string;
 }
 
 export interface ICreateInvite {

diff --git a/apps/server/package.json b/apps/server/package.json
@@ -33,6 +33,7 @@
     "@casl/ability": "^6.7.1",
     "@docmost/editor-ext": "workspace:*",
     "@fastify/cookie": "^9.3.1",
+    "@fastify/helmet": "^11.1.1",
     "@fastify/multipart": "^8.3.0",
     "@fastify/static": "^7.0.4",
     "@nestjs/bullmq": "^10.1.1",
@@ -56,7 +57,6 @@
     "bytes": "^3.1.2",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.1",
-    "fastify": "^4.28.0",
     "fix-esm": "^1.0.1",
     "fs-extra": "^11.2.0",
     "kysely": "^0.27.3",

diff --git a/apps/server/src/core/user/dto/current-user.dto.ts b/apps/server/src/core/user/dto/current-user.dto.ts
@@ -0,0 +1,20 @@
+export interface CurrentUserDto {
+  user: {
+    id: string;
+    name: string;
+    email: string;
+    role: string;
+    timezone: string;
+    avatarUrl: string;
+    workspaceId: string;
+  };
+
+  workspace: {
+    id: string;
+    name: string;
+    description: string;
+    logo: string;
+    oidcEnabled: boolean;
+    oidcButtonName: string;
+  };
+}
diff --git a/apps/server/src/core/user/user.controller.ts b/apps/server/src/core/user/user.controller.ts
@@ -13,6 +13,7 @@ import { AuthUser } from '../../common/decorators/auth-user.decorator';
 import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
 import { AuthWorkspace } from '../../common/decorators/auth-workspace.decorator';
 import { User, Workspace } from '@docmost/db/types/entity.types';
+import { CurrentUserDto } from './dto/current-user.dto';
 
 @UseGuards(JwtAuthGuard)
 @Controller('users')
@@ -24,8 +25,30 @@ export class UserController {
   async getUserIno(
     @AuthUser() authUser: User,
     @AuthWorkspace() workspace: Workspace,
-  ) {
-    return { user: authUser, workspace };
+  ): Promise<CurrentUserDto> {
+    // Whenever we are sending user or workspace information to the frontend,
+    // we should only send the necessary information and not the entire object.
+    // This mitigates the risk of exposing sensitive information.
+
+    return {
+      user: {
+        id: authUser.id,
+        name: authUser.name,
+        email: authUser.email,
+        role: authUser.role,
+        timezone: authUser.timezone,
+        avatarUrl: authUser.avatarUrl,
+        workspaceId: authUser.workspaceId,
+      },
+      workspace: {
+        id: workspace.id,
+        name: workspace.name,
+        description: workspace.description,
+        logo: workspace.logo,
+        oidcEnabled: workspace.oidcEnabled,
+        oidcButtonName: workspace.oidcButtonName,
+      },
+    };
   }
 
   @HttpCode(HttpStatus.OK)

diff --git a/apps/server/src/main.ts b/apps/server/src/main.ts
@@ -10,6 +10,7 @@ import fastifyMultipart from '@fastify/multipart';
 import { WsRedisIoAdapter } from './ws/adapter/ws-redis.adapter';
 import { InternalLogFilter } from './common/logger/internal-log-filter';
 import fastifyCookie from '@fastify/cookie';
+import helmet from '@fastify/helmet';
 
 async function bootstrap() {
   const app = await NestFactory.create<NestFastifyApplication>(
@@ -31,8 +32,8 @@ async function bootstrap() {
 
   app.useWebSocketAdapter(redisIoAdapter);
 
-  await app.register(fastifyMultipart as any);
-  await app.register(fastifyCookie as any);
+  await app.register(fastifyMultipart);
+  await app.register(fastifyCookie);
 
   app
     .getHttpAdapter()
@@ -65,6 +66,8 @@ async function bootstrap() {
   app.useGlobalInterceptors(new TransformHttpResponseInterceptor());
   app.enableShutdownHooks();
 
+  app.register(helmet, { global: true });
+
   await app.listen(process.env.PORT || 3000, '0.0.0.0');
 }
 

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml