security: address assessment findings and bump to v2026.3.11

- C1: Disable Swagger UI in production (env gate) - M1+M2: Add Helmet.js for security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) and remove X-Powered-By - H2: Add @nestjs/throttler rate limiting (5 req/min on login/register) - M4: Remove orgSchema from JWT payload and client-side storage; tenant middleware now resolves schema from orgId via cached DB lookup - L1: Fix Chatwoot user identification (read from auth store on ready) - Remove schemaName from frontend Organization type and UI displays Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-11 15:22:58 -04:00
parent a047144922
commit 208c1dd7bc
14 changed files with 105 additions and 64 deletions
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -23,24 +23,20 @@
          })
        }
      })(document,"script");
+      window.addEventListener('chatwoot:ready', function() {
+        try {
+          var raw = localStorage.getItem('ledgeriq-auth');
+          if (!raw) return;
+          var auth = JSON.parse(raw);
+          var user = auth && auth.state && auth.state.user;
+          if (user && window.$chatwoot) {
+            window.$chatwoot.setUser(user.id, {
+              name: (user.firstName || '') + ' ' + (user.lastName || ''),
+              email: user.email
+            });
+          }
+        } catch (e) {}
+      });
    </script>
-    <script>
-    window.addEventListener('chatwoot:ready', function () {
-      // 1. Identify the user (use your real variables/server-side values)
-      window.$chatwoot.setUser("{{ current_user.id }}", {  // or just a string like "user-123"
-        identifier: "{{ current_user.id }}",
-        name: "{{ current_user.name }}",
-        email: "{{ current_user.email }}",
-        // identifier_hash: "your-hmac-hash-if-using-verification",
-      });
-
-      // 2. Send current URL + extras
-      window.$chatwoot.setCustomAttributes({
-        current_page_url: window.location.href,
-        // e.g. user_plan: "premium",
-        // last_action: "viewed_pricing"
-      });
-    });
-  </script>
  </body>
 </html>
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "hoa-ledgeriq-frontend",
-  "version": "2026.03.10",
+  "version": "2026.3.11",
  "private": true,
  "type": "module",
  "scripts": {
--- a/frontend/src/pages/auth/SelectOrgPage.tsx
+++ b/frontend/src/pages/auth/SelectOrgPage.tsx
@@ -120,11 +120,6 @@ export function SelectOrgPage() {
                  <Text fw={500}>{org.name}</Text>
                  <Group gap={4}>
                    <Badge size="sm" variant="light">{org.role}</Badge>
-                    {org.schemaName && (
-                      <Badge size="xs" variant="dot" color="gray">
-                        {org.schemaName}
-                      </Badge>
-                    )}
                  </Group>
                </div>
              </Group>
--- a/frontend/src/pages/settings/SettingsPage.tsx
+++ b/frontend/src/pages/settings/SettingsPage.tsx
@@ -38,10 +38,6 @@ export function SettingsPage() {
              <Text size="sm" c="dimmed">Your Role</Text>
              <Badge variant="light">{currentOrg?.role || 'N/A'}</Badge>
            </Group>
-            <Group justify="space-between">
-              <Text size="sm" c="dimmed">Schema</Text>
-              <Text size="sm" ff="monospace" c="dimmed">{currentOrg?.schemaName || 'N/A'}</Text>
-            </Group>
          </Stack>
        </Card>

--- a/frontend/src/stores/authStore.ts
+++ b/frontend/src/stores/authStore.ts
@@ -5,7 +5,6 @@ interface Organization {
  id: string;
  name: string;
  role: string;
-  schemaName?: string;
  status?: string;
  settings?: Record<string, any>;
 }