Refactoring #124
Merged
CedrikNikita merged 6 commits into develop on May 7, 2026
5f46fbb to 0ddde14
Cursor Bugbot has reviewed your changes and found 4 potential issues.
Reviewed by Cursor Bugbot for commit 0ddde14.
e312509 to b64a863
b64a863 to 6c0bf75
6c0bf75 to a0d5d4c

Note
Medium Risk
Touches API surface hardening (CORS, Swagger/GraphQL introspection, websocket behavior, API key auth) and DB sync behavior; misconfiguration could break clients or deployments, but changes are mostly additive safeguards.

Overview
Hardens production security defaults and reduces accidental data/PII exposure. Swagger is now disabled in production unless ENABLE_SWAGGER=true, GraphQL introspection/GraphiQL are disabled in production, helmet is added, and CORS/socket.io origins become configurable via new ALLOWED_ORIGINS parsing with credentials only enabled when an explicit allowlist is set.

Tightens sensitive endpoints and guards. TRENDING_TAGS_API_KEY no longer has a default, production logs warn when it's missing/too short, and the ApiKeyGuard enforces minimum length plus constant-time comparison. Affiliation invite redemption now returns only minimal data (no full OAuth profile / claimed-by fields).

Reduces operational foot-guns. TypeORM DB_SYNC is ignored in production with a warning (preventing destructive schema sync), compose files bind Postgres/Redis ports to loopback, testnet runs with NODE_ENV=staging to keep DB_SYNC usable, and the Docker image runs as the unprivileged node user.

Fixes injection/broadcast vectors. The token rankings raw SQL query is parameterized, and the token websocket gateway removes client-driven @SubscribeMessage relays so only server-side services can emit events.

Reviewed by Cursor Bugbot for commit a0d5d4c.
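The three configuration safeguards summarised above (the ALLOWED_ORIGINS allowlist that gates CORS credentials, the minimum-length plus constant-time API key check, and ignoring DB_SYNC in production) are shown below as an added, self-contained example. This is illustrative code written for this page, not the pull request's own implementation: the function names, the 32-character minimum key length, the wildcard handling for `*`, and the shape of the returned CORS settings are assumptions; only the environment variable names (ALLOWED_ORIGINS, TRENDING_TAGS_API_KEY, NODE_ENV, DB_SYNC) come from the PR description.

```typescript
import { createHash, timingSafeEqual } from "crypto";

// Assumed minimum length for TRENDING_TAGS_API_KEY (the PR mentions a minimum, not its value).
const MIN_API_KEY_LENGTH = 32;

// Shape matching what both the `cors` middleware and socket.io's `cors` option accept.
interface CorsSettings {
  origin: string[] | boolean; // explicit allowlist, true = reflect any Origin, false = deny cross-origin
  credentials: boolean;
}

function tryParseUrl(entry: string): URL | null {
  try {
    return new URL(entry);
  } catch {
    return null;
  }
}

// Parse a comma-separated ALLOWED_ORIGINS value. Credentials are only enabled when an explicit
// allowlist is present: a reflected or wildcard origin combined with credentials would let any
// site make authenticated cross-site requests with the victim's cookies.
function parseAllowedOrigins(raw: string | undefined): CorsSettings {
  const entries = (raw ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  if (entries.length === 0) {
    return { origin: false, credentials: false }; // unset: no cross-origin access at all
  }
  if (entries.includes("*")) {
    // Assumed behaviour: a wildcard is allowed for a public, unauthenticated API, never with credentials.
    return { origin: true, credentials: false };
  }
  const origins: string[] = [];
  for (const entry of entries) {
    const url = tryParseUrl(entry);
    // Reject anything that is not a bare scheme://host[:port]; a path or query here is a config bug.
    if (!url || url.origin === "null" || url.pathname !== "/" || url.search || url.hash) {
      throw new Error(`ALLOWED_ORIGINS entry is not a valid origin: ${entry}`);
    }
    origins.push(url.origin); // normalised (lower-cased host, default port stripped)
  }
  return { origin: origins, credentials: true };
}

// Startup check for the API key. Returns a warning string (to be logged) or null when the config is fine.
function apiKeyConfigWarning(nodeEnv: string | undefined, key: string | undefined): string | null {
  if (nodeEnv !== "production") return null;
  if (!key) return "TRENDING_TAGS_API_KEY is not set; the guarded endpoint will reject every request";
  if (key.length < MIN_API_KEY_LENGTH) {
    return `TRENDING_TAGS_API_KEY is shorter than ${MIN_API_KEY_LENGTH} characters`;
  }
  return null;
}

// Guard comparison: fail closed on a missing/short server key, then compare in constant time.
// Hashing both sides to a fixed-length digest means timingSafeEqual never throws on a length
// mismatch and the comparison time does not depend on where the strings first differ.
function apiKeyMatches(expected: string | undefined, provided: string | undefined): boolean {
  if (!expected || expected.length < MIN_API_KEY_LENGTH) return false;
  if (!provided) return false;
  const a = createHash("sha256").update(expected).digest();
  const b = createHash("sha256").update(provided).digest();
  return timingSafeEqual(a, b);
}

// TypeORM `synchronize` can drop columns and tables; in production it is ignored with a warning.
// Staging (which the PR uses for testnet) keeps the flag usable.
function resolveDbSync(
  nodeEnv: string | undefined,
  dbSync: string | undefined,
  warn: (msg: string) => void = console.warn,
): boolean {
  const requested = dbSync === "true";
  if (nodeEnv === "production" && requested) {
    warn("DB_SYNC=true ignored in production: TypeORM synchronize can destroy schema; use migrations");
    return false;
  }
  return requested;
}
```

`parseAllowedOrigins` throws on a malformed entry on purpose: a typo in the allowlist should stop the process at boot rather than silently widen or narrow the CORS policy. `apiKeyMatches` returns false when the server-side key is unset or too short, so a misconfigured deployment rejects every caller instead of accepting a predictable default.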