fix shit

backend/src/app.js

@@ -28,7 +28,6 @@ const PORT = process.env.PORT || 5000;
 app.set('trust proxy', 1);
 
 // Security middleware
-// Loosen CSP slightly to support CRA dev server/HMR behind proxy
 app.use(helmet({
   contentSecurityPolicy: {
     directives: {
@@ -37,9 +36,7 @@ app.use(helmet({
       styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
       fontSrc: ["'self'", "https://fonts.gstatic.com"],
       imgSrc: ["'self'", "data:", "https://maps.googleapis.com", "https://maps.gstatic.com"],
-      connectSrc: ["'self'", "https:", "wss:", "ws:", "https://api.openweathermap.org"],
-      // Allow eval for development source maps if needed (not for production)
-      // 'unsafe-eval' is not added here by default
+      connectSrc: ["'self'", "https://api.openweathermap.org"]
     }
   }
 }));
@@ -54,18 +51,13 @@ const limiter = rateLimit({
 });
 app.use(limiter);
 
-// Stricter rate limiting for auth routes (but skip harmless public checks)
+// Stricter rate limiting for auth routes
 const authLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
-  max: parseInt(process.env.AUTH_RATE_LIMIT_MAX || '2000', 10),
+  max: 200, // Increased to 200 auth requests per 15 minutes for development
   message: 'Too many authentication attempts, please try again later.',
   standardHeaders: true,
   legacyHeaders: false,
-  skip: (req) => {
-    // Skip rate limiting for public, low-risk endpoints that the UI may poll
-    const p = req.path || '';
-    return p === '/registration-status' || p.startsWith('/authentik');
-  }
 });
 
 // Middleware