Severity: High
Type: Security hardening
Scope: Notifications
Labels: security, refactoring
Description
NotificationsGateway (src/notifications/notifications.gateway.ts, lines ~29–34) is annotated with @WebSocketGateway({ cors: { origin: '*', credentials: true } }). Per the CORS specification, browsers reject responses when Access-Control-Allow-Origin: * is combined with Access-Control-Allow-Credentials: true; the dev experience is therefore broken. More importantly, if origin: '*' is interpreted by an upstream proxy as a passthrough (or if a misconfigured Socket.IO adapter echoes a reflected origin), credentialed cross-origin WebSocket connections could be accepted from unintended origins.
Recommendation
- Replace '*' with an explicit allowlist, e.g. origin: process.env.ALLOWED_ORIGINS?.split(',') ?? [].
- Set credentials to false unless the gateway needs to forward cookies; JWT auth via the auth.token handshake option does not require credentials.
- Document the rationale and the env vars in .env.example.