fix: use private helcimApiToken for all server-side Helcim API calls

2026-04-04 13:37:34 +01:00 · 2026-04-04 13:37:34 +01:00 · d31b5b4dac
commit d31b5b4dac
parent ccd1d0783a
53 changed files with 1755 additions and 572 deletions
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@ -18,9 +18,9 @@ export default defineEventHandler((event) => {
      headers['Content-Security-Policy'] = [
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://myposjs.helcim.com https://plausible.io",
-        "style-src 'self' 'unsafe-inline'",
+        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
        "img-src 'self' data: https://res.cloudinary.com https://*.cloudinary.com",
-        "font-src 'self'",
+        "font-src 'self' https://fonts.gstatic.com",
        "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
        "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
        "base-uri 'self'",
--- a/server/middleware/03.rate-limit.js
+++ b/server/middleware/03.rate-limit.js
@ -35,7 +35,7 @@ function getClientIp(event) {
    || 'unknown'
 }

-const AUTH_PATHS = new Set(['/api/auth/login'])
+const AUTH_PATHS = new Set(['/api/auth/login', '/api/auth/verify'])
 const PAYMENT_PREFIXES = ['/api/helcim/']
 const UPLOAD_PATHS = new Set(['/api/upload/image'])