fix: relax CSP for /docs page — allow unsafe-eval for Swagger UI 5.x (ajv)

Swagger UI 5.x uses new Function() via ajv for JSON schema validation. Helmet default CSP (script-src self) blocks this in Firefox, causing TypeError: NetworkError when attempting to fetch resource on Try It. Override CSP on /docs route to allow unsafe-eval.
2026-02-18 13:33:26 +00:00 · 2026-02-18 13:33:26 +00:00 · a45d7704ab
commit a45d7704ab
parent a996c76c11
3 changed files with 24 additions and 6 deletions
--- a/dist/index.js
+++ b/dist/index.js
@ -182,6 +182,9 @@ app.use(express.static(path.join(__dirname, "../public"), {
 }));
 // Docs page (clean URL)
 app.get("/docs", (_req, res) => {
+    // Swagger UI 5.x uses new Function() (via ajv) for JSON schema validation.
+    // Override helmet's default CSP to allow 'unsafe-eval' + blob: for Swagger UI.
+    res.setHeader("Content-Security-Policy", "default-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' https: 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' https: data:;connect-src 'self';worker-src 'self' blob:;base-uri 'self';form-action 'self';frame-ancestors 'self';object-src 'none'");
    res.setHeader('Cache-Control', 'public, max-age=86400');
    res.sendFile(path.join(__dirname, "../public/docs.html"));
 });
--- a/dist/services/email.js
+++ b/dist/services/email.js
@ -1,18 +1,28 @@
 import nodemailer from "nodemailer";
 import logger from "./logger.js";
-const transporter = nodemailer.createTransport({
-    host: process.env.SMTP_HOST || "host.docker.internal",
-    port: Number(process.env.SMTP_PORT || 25),
-    secure: false,
+const smtpUser = process.env.SMTP_USER;
+const smtpPass = process.env.SMTP_PASS;
+const smtpHost = process.env.SMTP_HOST || "host.docker.internal";
+const smtpPort = Number(process.env.SMTP_PORT || 25);
+const smtpFrom = process.env.SMTP_FROM || "DocFast <noreply@docfast.dev>";
+const smtpSecure = smtpPort === 465;
+const transportConfig = {
+    host: smtpHost,
+    port: smtpPort,
+    secure: smtpSecure,
    connectionTimeout: 5000,
    greetingTimeout: 5000,
    socketTimeout: 10000,
    tls: { rejectUnauthorized: false },
-});
+};
+if (smtpUser && smtpPass) {
+    transportConfig.auth = { user: smtpUser, pass: smtpPass };
+}
+const transporter = nodemailer.createTransport(transportConfig);
 export async function sendVerificationEmail(email, code) {
    try {
        const info = await transporter.sendMail({
-            from: "DocFast <noreply@docfast.dev>",
+            from: smtpFrom,
            to: email,
            subject: "DocFast - Verify your email",
            text: `Your DocFast verification code is: ${code}\n\nThis code expires in 15 minutes.\n\nIf you didn't request this, ignore this email.`,