From 714f90bb1adc53b262dd7c48982a599ca2f03ace Mon Sep 17 00:00:00 2001
From: Jake Kasper
Date: Tue, 2 Sep 2025 07:28:28 -0500
Subject: [PATCH] asdlfk
---
 backend/src/app.js | 16 ++++++++++++----
 docker-compose.yml | 4 ++--
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/backend/src/app.js b/backend/src/app.js
index 807a468..7a8f364 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -28,6 +28,7 @@ const PORT = process.env.PORT || 5000;
 app.set('trust proxy', 1);
 
 // Security middleware
+// Loosen CSP slightly to support CRA dev server/HMR behind proxy
 app.use(helmet({
   contentSecurityPolicy: {
     directives: {
@@ -36,7 +37,9 @@ app.use(helmet({
       styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
       fontSrc: ["'self'", "https://fonts.gstatic.com"],
       imgSrc: ["'self'", "data:", "https://maps.googleapis.com", "https://maps.gstatic.com"],
-      connectSrc: ["'self'", "https://api.openweathermap.org"]
+      connectSrc: ["'self'", "https:", "wss:", "ws:", "https://api.openweathermap.org"],
+      // Allow eval for development source maps if needed (not for production)
+      // 'unsafe-eval' is not added here by default
     }
   }
 }));
@@ -51,13 +54,18 @@ const limiter = rateLimit({
 });
 app.use(limiter);
 
-// Stricter rate limiting for auth routes
+// Stricter rate limiting for auth routes (but skip harmless public checks)
 const authLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 200, // Increased to 200 auth requests per 15 minutes for development
+  max: parseInt(process.env.AUTH_RATE_LIMIT_MAX || '2000', 10),
   message: 'Too many authentication attempts, please try again later.',
   standardHeaders: true,
   legacyHeaders: false,
+  skip: (req) => {
+    // Skip rate limiting for public, low-risk endpoints that the UI may poll
+    const p = req.path || '';
+    return p === '/registration-status' || p.startsWith('/authentik');
+  }
 });
 
 // Middleware
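Review bot: The rewritten `connectSrc` line adds the scheme-only sources `https:`, `wss:` and `ws:`, which let fetch/XHR/WebSocket calls reach any host on those schemes, so the directive no longer constrains where the page can send data and the explicit `https://api.openweathermap.org` entry becomes redundant. The comment added in the previous hunk says the relaxation exists for the CRA dev server/HMR, so it should be gated on the environment rather than shipped unconditionally, e.g. `connectSrc: ["'self'", "https://api.openweathermap.org", ...(process.env.NODE_ENV !== 'production' ? ['wss:', 'ws:'] : [])]`, and `ws:` is plaintext, so dropping it in favour of `wss:` (or the proxy's own origin) is preferable even in development. The two added comment lines describe an `'unsafe-eval'` that the code deliberately does not add; a single line such as `// 'unsafe-eval' is intentionally not enabled; dev source maps do not require it` says the same thing without suggesting a pending change. The `helmet({ ... })` call opens in the previous hunk and its `app.use(...)` closes inside this one.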
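Review bot: The new `skip` callback exempts every path beginning with `/authentik` through `p.startsWith('/authentik')`, so any present or future route under that prefix, including ones that complete a login or exchange a token, falls outside the auth limiter, and the comment "public, low-risk endpoints" cannot hold for a prefix match; an exact allowlist is safer, e.g. `const AUTH_LIMIT_EXEMPT = new Set(['/registration-status', /* exact authentik paths */]);` with `return AUTH_LIMIT_EXEMPT.has(p);`. Where `authLimiter` is mounted is not visible in this diff; if it is attached with a mount path, `req.path` is relative to that mount, so the literal paths should be checked against the actual mount point. The `max` line yields `NaN` when `AUTH_RATE_LIMIT_MAX` is set to a non-numeric value, because `parseInt(...)` is applied after the `||` fallback; `const authMax = Number.parseInt(process.env.AUTH_RATE_LIMIT_MAX ?? '', 10);` followed by `max: Number.isFinite(authMax) ? authMax : 2000,` keeps the default on malformed input. The fallback of 2000 attempts per 15-minute window also makes the "Stricter" label true only when the environment variable is set, which the comment should say.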
@@ -118,4 +126,4 @@ process.on('SIGINT', () => {
 app.listen(PORT, '0.0.0.0', () => {
   console.log(`TurfTracker API server running on port ${PORT}`);
   console.log(`Environment: ${process.env.NODE_ENV || 'development'}`);
-});
\ No newline at end of file
+});
diff --git a/docker-compose.yml b/docker-compose.yml
index 6097958..c6e11b2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -67,7 +67,7 @@ services:
       - FRONTEND_URL=https://turftracker.kaspers.us
     volumes:
       - ./backend:/app
-      - /app/node_modules
+      - backend_node_modules:/app/node_modules
     depends_on:
       - db
     networks:
@@ -105,7 +105,7 @@ services:
       - FLYWAY_USER=${DB_USER:-turftracker}
       - FLYWAY_PASSWORD=${DB_PASSWORD:-password123}
       # Uncomment if you need to baseline an existing DB without schema history
-      # - FLYWAY_BASELINE_ON_MIGRATE=true
+      - FLYWAY_BASELINE_ON_MIGRATE=true
     command: -locations=filesystem:/migrations migrate
     volumes:
       - ./database/migrations:/migrations:ro
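Review bot: The new `backend_node_modules:/app/node_modules` mount refers to a named volume, but the diffstat shows only these two changed lines in docker-compose.yml and no top-level `volumes:` entry declaring it; unless one already exists outside the hunk, compose will reject the file for an undefined volume, so add `volumes:` / `  backend_node_modules:` at the top level. Replacing the anonymous volume with a named one also changes lifecycle: the volume keeps its contents across `down`/`up`, so a rebuilt image with updated dependencies will not refresh `/app/node_modules` until the volume is removed, which is worth a comment next to the mount, e.g. `# named volume persists across restarts; remove it after changing dependencies`.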
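Review bot: Uncommenting `- FLYWAY_BASELINE_ON_MIGRATE=true` makes baselining unconditional while the line above still reads "Uncomment if you need to baseline an existing DB without schema history", so the comment and the setting now contradict each other. With baseline-on-migrate always on, a non-empty database that lacks a schema-history table is baselined rather than migrated, and migrations at or below the baseline version are silently skipped, which is a one-time adoption step rather than a permanent setting. An env-driven toggle keeps the default safe: `- FLYWAY_BASELINE_ON_MIGRATE=${FLYWAY_BASELINE_ON_MIGRATE:-false}` with the comment reworded to `# Set FLYWAY_BASELINE_ON_MIGRATE=true only when adopting an existing DB that has no schema history`.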