CSP connect-src needs origin (https://api.goodgo.vn), not a URL with
path (/api/v1). The path form only matches that exact path, blocking
fetch to /api/v1/listings, /api/v1/health etc.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Content-Security-Policy connect-src only allowed 'self' + mapbox in
production, blocking all browser fetch to api.goodgo.vn. Added
NEXT_PUBLIC_API_URL to connect-src whitelist.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
In monorepo, Next.js standalone creates symlinks instead of real files.
Setting outputFileTracingRoot to repo root produces self-contained output.
Dockerfile updated to copy from correct standalone structure.
Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
Root causes of web E2E failures:
1. CSP connect-src only included API origin for NODE_ENV=development,
blocking test mode (NODE_ENV=test) from fetching API data
2. CORS_ORIGINS missing the test web port (3010), so API rejected
cross-origin requests from the web app
3. NEXT_PUBLIC_API_URL not set in .env.test or playwright config,
causing web app to default to port 3001 instead of test port 3011
4. Playwright webServer config didn't inherit parent env vars,
so API server lacked Redis/Typesense/MinIO connection info
Fixes:
- next.config.js: CSP connect-src allows API origins for all non-prod envs
- next.config.js: image remotePatterns allow localhost in test mode
- .env.test: add NEXT_PUBLIC_API_URL and CORS_ORIGINS
- playwright.config.ts: spread process.env into webServer env configs
- e2e.yml: add NEXT_PUBLIC_API_URL, API_PORT, WEB_PORT to GH Actions env
- homepage.spec.ts: update stale assertions to match current UI
Result: 147/202 tests passing (111 API + 36 web), up from 37/91.
Remaining 55 web failures are stale UI assertions needing frontend update.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The i18n architecture (config, routing, translation files, locale pages) was
already built but non-functional due to three missing pieces:
1. next-intl not listed in package.json
2. middleware.ts not using createMiddleware from next-intl/middleware
3. next.config.js not wrapped with createNextIntlPlugin
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Replace innerHTML/setHTML with DOM API (createElement/textContent/setDOMContent)
to prevent XSS via user-controlled listing titles, URLs, and prices
- Add Content-Security-Policy header to next.config.js with proper directives
for Mapbox, API, images, workers, and frame-ancestors
- Add X-CSRF-Token header to media upload fetch call, matching apiClient behavior
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Whitelist OAuth error codes; never render raw URL params (XSS fix)
- Add error state UI with retry button for API failures on homepage and search
- Use <article> for property cards with ARIA labels and semantic list markup
- Replace raw <img> with Next.js <Image> across all listing/gallery/KYC pages
- Add security headers (X-Content-Type-Options, X-Frame-Options, etc.) in next.config.js
- Gate console.error behind NODE_ENV check in global error boundary
- Mapbox confirmed npm-bundled (SRI N/A)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Multi-stage Dockerfile for apps/api (NestJS) and apps/web (Next.js standalone)
- Production docker-compose.prod.yml with all services, health checks, and security
- Real deploy.yml pipeline: build → push to GHCR → deploy staging/production
- .dockerignore for optimized build context
- Enable Next.js standalone output mode
Co-Authored-By: Paperclip <noreply@paperclip.ing>
