Files

bert.hausmans 940297f214 security: implement CSP headers (API middleware + Nginx configs + dev meta tags)

API middleware:
- SecurityHeaders now sets Content-Security-Policy from config/security.php
- Default API policy: "default-src 'none'; frame-ancestors 'none'"
- Supports report-only mode via CSP_REPORT_ONLY env var
- Policy value configurable via CSP_POLICY env var

Nginx deployment configs (deploy/nginx/):
- security-headers.conf: shared headers for all server blocks
- csp-api.conf: restrictive JSON-only policy for api.crewli.app
- csp-spa.conf: SPA policy for app/admin (self + unsafe-inline styles)
- csp-portal.conf: portal policy matching SPA

Development:
- CSP meta tags added to all three index.html files
- Includes 'unsafe-inline' + 'unsafe-eval' for Vite HMR/loader script
- Each app allows its own ws:// port for HMR websocket

Resolves security finding A13-9.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-14 16:14:37 +02:00

public

refactor: align codebase with EventCrew domain and trim legacy band stack

2026-03-29 23:19:06 +02:00

src

security: migrate auth tokens to httpOnly cookies (hybrid bearer token approach)

2026-04-14 16:06:44 +02:00

auto-imports.d.ts

feat(portal): strip Vuexy demo content and create clean portal shell

2026-04-10 17:38:55 +02:00

components.d.ts

feat(portal): restructure into three-screen architecture with event tabs

2026-04-13 13:30:20 +02:00

dev.Dockerfile

refactor: align codebase with EventCrew domain and trim legacy band stack

2026-03-29 23:19:06 +02:00

docker-compose.dev.yml

refactor: align codebase with EventCrew domain and trim legacy band stack

2026-03-29 23:19:06 +02:00

docker-compose.prod.yml

refactor: align codebase with EventCrew domain and trim legacy band stack

2026-03-29 23:19:06 +02:00

env.d.ts

feat(portal): restructure into three-screen architecture with event tabs

2026-04-13 13:30:20 +02:00

index.html

security: implement CSP headers (API middleware + Nginx configs + dev meta tags)

2026-04-14 16:14:37 +02:00

nginx.conf

refactor: align codebase with EventCrew domain and trim legacy band stack

2026-03-29 23:19:06 +02:00

package.json

security: round 4 — frontend hardening (deps, XSS, cookie security)

2026-04-14 07:15:00 +02:00

pnpm-lock.yaml

security: round 4 — frontend hardening (deps, XSS, cookie security)

2026-04-14 07:15:00 +02:00

prod.Dockerfile

refactor: align codebase with EventCrew domain and trim legacy band stack

2026-03-29 23:19:06 +02:00

README 2.md

refactor: align codebase with EventCrew domain and trim legacy band stack

2026-03-29 23:19:06 +02:00

README.md

chore: align migrations, docs, and frontends with crewli.app setup

2026-04-07 10:45:34 +02:00

shims.d.ts

refactor: align codebase with EventCrew domain and trim legacy band stack

2026-03-29 23:19:06 +02:00

themeConfig.ts

feat(mail): center-align action button in email template

2026-04-14 00:49:41 +02:00

tsconfig.json

feat(portal): strip Vuexy demo content and create clean portal shell

2026-04-10 17:38:55 +02:00

typed-router.d.ts

feat: password reset, email change with verification, and password change

2026-04-14 15:38:54 +02:00

vite.config.ts

security: round 4 — frontend hardening (deps, XSS, cookie security)

2026-04-14 07:15:00 +02:00

README.md

Crewli — Portal SPA

External-facing app for volunteers (login) and artists/suppliers (token links). Stripped Vuexy layout; same stack as other apps.

Setup

Install dependencies:

pnpm install

Create .env.local:

VITE_API_URL=http://localhost:8000/api/v1
VITE_APP_NAME="Crewli Portal"

Dev server uses port 5175 (see vite.config.ts or run from repo root: make portal).

pnpm dev --port 5175

Port

Runs on http://localhost:5175

Production: e.g. VITE_API_URL=https://api.crewli.app/api/v1 and host the SPA at https://portal.crewli.app (portal links in emails use this host; see api/.env.example).