feat: add security headers to nginx configurations and improve environment variable handling

2026-04-28 14:12:28 -04:00
parent 49d24b5fb5
commit 2eb887c486
15 changed files with 43 additions and 85 deletions
@@ -129,8 +129,9 @@ async fn main() {
        .allow_origin(AllowOrigin::predicate(|origin: &http::HeaderValue, _request: &http::request::Parts| -> bool {
            let origin_str = origin.to_str().unwrap_or("");
            
-            // Orígenes de desarrollo
+            // Allowlist explícita de orígenes permitidos
            let allowed_origins = [
+                // Desarrollo local
                "http://localhost:3000",
                "http://localhost:3003",
                "http://127.0.0.1:3000",
@@ -138,41 +139,14 @@ async fn main() {
                "http://192.168.0.254:3000",
                "http://192.168.0.254:3003",
                "http://192.168.0.254",
-                // Producción - Dominios de Norteamericano (.cl y .com)
-                "http://studio.norteamericano.com",
+                // Producción - solo HTTPS
                "https://studio.norteamericano.com",
-                "http://learning.norteamericano.com",
                "https://learning.norteamericano.com",
-                "http://studio.norteamericano.cl",
                "https://studio.norteamericano.cl",
-                "http://learning.norteamericano.cl",
                "https://learning.norteamericano.cl",
            ];
            
-            // Comprobar coincidencias exactas
-            if allowed_origins.contains(&origin_str) {
-                return true;
-            }
-            
-            // Comprobar comodín para subdominios en norteamericano.cl/.com sobre HTTP(S)
-            for scheme in ["http://", "https://"] {
-                for domain in [".norteamericano.cl", ".norteamericano.com"] {
-                    if origin_str.starts_with(scheme) && origin_str.ends_with(domain) {
-                        let subdomain = origin_str
-                            .strip_prefix(scheme)
-                            .unwrap_or("")
-                            .strip_suffix(domain)
-                            .unwrap_or("");
-
-                        // Permitir cualquier subdominio (ej., api., cdn., admin., etc.)
-                        if !subdomain.is_empty() && !subdomain.contains('/') {
-                            return true;
-                        }
-                    }
-                }
-            }
-            
-            false
+            allowed_origins.contains(&origin_str)
        }))
        .allow_methods([Method::GET, Method::POST, Method::PUT, Method::DELETE, Method::OPTIONS, Method::PATCH, Method::HEAD])
        .allow_headers([
@@ -9,17 +9,20 @@ pub async fn set_session_context(
    event_type: Option<String>,
 ) -> Result<(), sqlx::Error> {
    if let Some(uid) = user_id {
-        sqlx::query(&format!("SET LOCAL app.current_user_id = '{}'", uid))
+        sqlx::query("SELECT set_config('app.current_user_id', $1, true)")
+            .bind(uid.to_string())
            .execute(&mut **tx)
            .await?;
    }
    if let Some(oid) = org_id {
-        sqlx::query(&format!("SET LOCAL app.current_org_id = '{}'", oid))
+        sqlx::query("SELECT set_config('app.current_org_id', $1, true)")
+            .bind(oid.to_string())
            .execute(&mut **tx)
            .await?;
    }
    if let Some(ip_addr) = ip {
-        sqlx::query(&format!("SET LOCAL app.client_ip = '{}'", ip_addr))
+        sqlx::query("SELECT set_config('app.client_ip', $1, true)")
+            .bind(ip_addr)
            .execute(&mut **tx)
            .await?;
    }
@@ -94,8 +94,9 @@ async fn main() {
        .allow_origin(AllowOrigin::predicate(|origin: &http::HeaderValue, _request: &http::request::Parts| -> bool {
            let origin_str = origin.to_str().unwrap_or("");
            
-            // Orígenes de desarrollo
+            // Allowlist explícita de orígenes permitidos
            let allowed_origins = [
+                // Desarrollo local
                "http://localhost:3000",
                "http://localhost:3003",
                "http://127.0.0.1:3000",
@@ -103,31 +104,12 @@ async fn main() {
                "http://192.168.0.254:3000",
                "http://192.168.0.254:3003",
                "http://192.168.0.254",
-                // Producción - Dominios de Norteamericano (HTTPS)
+                // Producción - solo HTTPS
                "https://studio.norteamericano.cl",
                "https://learning.norteamericano.cl",
            ];
            
-            // Comprobar coincidencias exactas
-            if allowed_origins.contains(&origin_str) {
-                return true;
-            }
-            
-            // Comprobar comodín para subdominios: https://*.norteamericano.cl
-            if origin_str.starts_with("https://") && origin_str.ends_with(".norteamericano.cl") {
-                let subdomain = origin_str
-                    .strip_prefix("https://")
-                    .unwrap_or("")
-                    .strip_suffix(".norteamericano.cl")
-                    .unwrap_or("");
-                
-                // Permitir cualquier subdominio (p. ej., api., cdn., admin., etc.)
-                if !subdomain.is_empty() && !subdomain.contains('/') {
-                    return true;
-                }
-            }
-            
-            false
+            allowed_origins.contains(&origin_str)
        }))
        .allow_methods([Method::GET, Method::POST, Method::PUT, Method::DELETE, Method::OPTIONS, Method::PATCH])
        .allow_headers([