fix(csp): remove unsafe-inline from script-src and harden security headers

e2e/dashboard-widgets.spec.js

@@ -1,3 +1,3 @@
 import { expect, test } from "@playwright/test";
 import { encode } from "next-auth/jwt";
 
@@ -65,6 +65,13 @@
     });
   });
 
+  await page.route("**/api/goals/sync", async (route) => {
+    await route.fulfill({
+      contentType: "application/json",
+      body: JSON.stringify({ updated: 0, commitCount: 0 }),
+    });
+  });
+
   await page.route("**/api/goals", async (route) => {
     if (route.request().method() === "POST") {
       await route.fulfill({
@@ -87,6 +94,7 @@
             unit: "commits",
             recurrence: "weekly",
             period_start: "2026-05-18",
+            last_synced_at: new Date().toISOString(),
           },
         ],
       }),
@@ -124,7 +132,7 @@
   await expect(page.getByRole("heading", { name: "Dashboard" })).toBeVisible({ timeout: 30000 });
   await expect(page.getByRole("heading", { name: "Your Commits" })).toBeVisible({ timeout: 10000 });
   await expect(page.getByRole("heading", { name: "PR Analytics" })).toBeVisible({ timeout: 10000 });
   await expect(page.getByRole("heading", { name: "Goals" })).toBeVisible({ timeout: 10000 });
   await expect(page.getByText("Make 10 commits")).toBeVisible({ timeout: 10000 });
 });
 
@@ -140,7 +148,7 @@
   await expect(page.getByRole("heading", { name: "Dashboard" })).toBeVisible({ timeout: 30000 });
   await page.getByRole("button", { name: "Show 90-day range" }).click();
 
   await expect.poll(() => contributionRequests.some((url) => url.includes("days=90")), { timeout: 15000 }).toBe(true);
 });
 
 test("goal form posts a new goal", async ({ page }) => {
@@ -153,7 +161,7 @@
 
   await page.goto("/dashboard", { waitUntil: "load" });
   await expect(page.getByRole("heading", { name: "Dashboard" })).toBeVisible({ timeout: 30000 });
   await page.getByLabel("Goal title").fill("Ship one PR");
   await page.getByLabel("Target").fill("1");
   await page.getByLabel("Unit").selectOption("prs");
   await page.getByRole("button", { name: "Add goal" }).click();

next.config.mjs

@@ -1,4 +1,40 @@
 /** @type {import("next").NextConfig} */
+
+const cspDirectives = [
+  "default-src 'self'",
+  "script-src 'self'",
+  "style-src 'self' 'unsafe-inline'",
+  "img-src 'self' https://avatars.githubusercontent.com data: blob:",
+  "font-src 'self' data:",
+  "connect-src 'self'",
+  "frame-ancestors 'none'",
+  "base-uri 'self'",
+  "form-action 'self'",
+].join("; ");
+
+const securityHeaders = [
+  {
+    key: "Content-Security-Policy",
+    value: cspDirectives,
+  },
+  {
+    key: "X-Frame-Options",
+    value: "DENY",
+  },
+  {
+    key: "X-Content-Type-Options",
+    value: "nosniff",
+  },
+  {
+    key: "Referrer-Policy",
+    value: "strict-origin-when-cross-origin",
+  },
+  {
+    key: "Permissions-Policy",
+    value: "camera=(), microphone=(), geolocation=()",
+  },
+];
+
 const nextConfig = {
   images: {
     remotePatterns: [
@@ -12,15 +48,7 @@ const nextConfig = {
     return [
       {
         source: "/(.*)",
-        headers: [
-          { key: "X-Frame-Options", value: "DENY" },
-          { key: "X-Content-Type-Options", value: "nosniff" },
-          { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
-          {
-            key: "Permissions-Policy",
-            value: "camera=(), microphone=(), geolocation=()",
-          },
-        ],
+        headers: securityHeaders,
       },
     ];
   },

src/app/api/goals/sync/route.ts

@@ -1,6 +1,8 @@
 import { getServerSession } from "next-auth";
+import { NextRequest } from "next/server";
 import { authOptions } from "@/lib/auth";
 import { supabaseAdmin } from "@/lib/supabase";
+import { getGitHubAccessToken } from "@/lib/server-github-token";
 
 export const dynamic = "force-dynamic";
 
@@ -36,9 +38,10 @@ function currentWeekEnd(): string {
 
 const GITHUB_API = "https://api.github.com";
 
-export async function POST() {
+export async function POST(req: NextRequest) {
   const session = await getServerSession(authOptions);
-  if (!session?.accessToken || !session.githubId || !session.githubLogin) {
+  const accessToken = await getGitHubAccessToken(req);
+  if (!accessToken || !session?.githubId || !session?.githubLogin) {
     return Response.json({ error: "Unauthorized" }, { status: 401 });
   }
 
@@ -78,7 +81,7 @@ export async function POST() {
     `${GITHUB_API}/search/commits?q=author:${session.githubLogin}+author-date:${weekStart}..${weekEnd}&per_page=100`,
     {
       headers: {
-        Authorization: `Bearer ${session.accessToken}`,
+        Authorization: `Bearer ${accessToken}`,
         Accept: "application/vnd.github+json",
       },
       cache: "no-store",

src/app/api/metrics/activity/route.ts

@@ -14,6 +14,7 @@ import {
 } from "@/lib/metrics-cache";
 import { supabaseAdmin } from "@/lib/supabase";
 import { resolveAppUser } from "@/lib/resolve-user";
+import { getGitHubAccessToken } from "@/lib/server-github-token";
 
 export const dynamic = "force-dynamic";
 
@@ -221,11 +222,11 @@ async function fetchFormattedActivityWithFallback(
 export async function GET(req: NextRequest) {
   const session = await getServerSession(authOptions);
 
-  if (!session?.accessToken || !session.githubLogin) {
+  const accessToken = await getGitHubAccessToken(req);
+  if (!accessToken || !session?.githubLogin) {
     return Response.json({ error: "Unauthorized" }, { status: 401 });
   }
 
-  const accessToken: string = session.accessToken;
   const githubLogin: string = session.githubLogin;
   const accountId = req.nextUrl.searchParams.get("accountId");
   const bypass = isMetricsCacheBypassed(req);

src/app/api/metrics/ci/route.ts

@@ -6,6 +6,7 @@ import { GITHUB_API } from "@/lib/github";
 import { supabaseAdmin } from "@/lib/supabase";
 import { resolveAppUser } from "@/lib/resolve-user";
 import { isMetricsCacheBypassed, metricsCacheKey, withMetricsCache } from "@/lib/metrics-cache";
+import { getGitHubAccessToken } from "@/lib/server-github-token";
 
 export const dynamic = "force-dynamic";
 
@@ -27,7 +28,7 @@ async function fetchCIAnalyticsForAccount(token: string, githubLogin: string): P
   const searchRes = await fetch(`${GITHUB_API}/search/commits?q=author:${githubLogin}+author-date:>=${toIsoDate(30)}&per_page=100&sort=author-date&order=desc`, { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json" }, cache: "no-store" });
   if (!searchRes.ok) throw new Error("API error");
   const data = await searchRes.json();
-  
+
   const repoMap = new Map<string, number>();
   for (const item of data.items) { const n = item.repository.full_name; repoMap.set(n, (repoMap.get(n) ?? 0) + 1); }
   const repos = Array.from(repoMap.entries()).map(([name, commits]) => ({ name, commits })).sort((a, b) => b.commits - a.commits).slice(0, 5);
@@ -58,28 +59,31 @@ async function fetchCIAnalyticsForAccount(token: string, githubLogin: string): P
 
 export async function GET(req: NextRequest) {
   const session = await getServerSession(authOptions);
-  if (!session?.accessToken || !session.githubLogin) return Response.json({ error: "Unauthorized" }, { status: 401 });
+  const accessToken = await getGitHubAccessToken(req);
+  if (!accessToken || !session?.githubLogin) {
+    return Response.json({ error: "Unauthorized" }, { status: 401 });
+  }
 
   const accountId = req.nextUrl.searchParams.get("accountId");
   const bypass = isMetricsCacheBypassed(req);
   const key = metricsCacheKey(session.githubId ?? session.githubLogin, "ci" as any, { accountId: accountId || "default" });
 
   try {
     const data = await withMetricsCache({ bypass, key, ttlSeconds: 10 * 60 }, async () => {
-      if (!accountId) return await fetchCIAnalyticsForAccount(session.accessToken!, session.githubLogin!);
-      
+      if (!accountId) return await fetchCIAnalyticsForAccount(accessToken, session.githubLogin!);
+
       const userRow = await resolveAppUser(session.githubId!, session.githubLogin!);
       if (!userRow) throw new Error("User not found");
 
       if (accountId === "combined") {
-        const accounts = await getAllAccounts({ token: session.accessToken!, githubId: session.githubId!, githubLogin: session.githubLogin! }, userRow.id);
+        const accounts = await getAllAccounts({ token: accessToken, githubId: session.githubId!, githubLogin: session.githubLogin! }, userRow.id);
         const results = await Promise.allSettled(accounts.map((a) => fetchCIAnalyticsForAccount(a.token, a.githubLogin)));
         const merged = mergeMetrics(results, mergeCIAnalytics);
         if (!merged) throw new Error("Merge failed");
         return merged;
       }
 
-      if (accountId === session.githubId) return await fetchCIAnalyticsForAccount(session.accessToken!, session.githubLogin!);
+      if (accountId === session.githubId) return await fetchCIAnalyticsForAccount(accessToken, session.githubLogin!);
 
       const accountToken = await getAccountToken(userRow.id, accountId);
       if (!accountToken) throw new Error("Token missing");

src/app/api/metrics/coding-activity-insights/route.ts

@@ -14,6 +14,7 @@ import {
 } from "@/lib/metrics-cache";
 import { supabaseAdmin } from "@/lib/supabase";
 import { resolveAppUser } from "@/lib/resolve-user";
+import { getGitHubAccessToken } from "@/lib/server-github-token";
 import {
   summarizeCodingActivity,
   type CodingActivityInsight,
@@ -138,8 +139,9 @@ async function buildInsightsForAccount(
 
 export async function GET(req: NextRequest) {
   const session = await getServerSession(authOptions);
+  const accessToken = await getGitHubAccessToken(req);
 
-  if (!session?.accessToken || !session.githubLogin) {
+  if (!accessToken || !session?.githubLogin) {
     return Response.json({ error: "Unauthorized" }, { status: 401 });
   }
 
@@ -151,7 +153,7 @@ export async function GET(req: NextRequest) {
   if (!accountId) {
     try {
       const data = await buildInsightsForAccount(
-        session.accessToken,
+        accessToken,
         session.githubLogin,
         timeZone,
         { bypass, userId: cacheUserId }
@@ -176,8 +178,8 @@ export async function GET(req: NextRequest) {
     if (accountId === "combined") {
       const accounts = await getAllAccounts(
         {
-          token: session.accessToken,
-          githubId: session.githubId,
+          token: accessToken,
+          githubId: session.githubId!,
           githubLogin: session.githubLogin,
         },
         userRow.id
@@ -210,7 +212,7 @@ export async function GET(req: NextRequest) {
 
     if (accountId === session.githubId) {
       const data = await buildInsightsForAccount(
-        session.accessToken,
+        accessToken,
         session.githubLogin,
         timeZone,
         { bypass, userId: session.githubId }

src/app/api/metrics/compare/route.ts

@@ -3,14 +3,16 @@ import { NextRequest } from "next/server";
 import { authOptions } from "@/lib/auth";
 import { dateDiffDays, toDateStr } from "@/lib/dateUtils";
 import { normalizeGitHubUsername } from "@/lib/validate-github-username";
+import { getGitHubAccessToken } from "@/lib/server-github-token";
 
 export const dynamic = "force-dynamic";
 
 const GITHUB_API = "https://api.github.com";
 
 export async function GET(req: NextRequest) {
   const session = await getServerSession(authOptions);
-  if (!session?.accessToken || !session.githubLogin) {
+  const accessToken = await getGitHubAccessToken(req);
+  if (!accessToken || !session?.githubLogin) {
     return Response.json({ error: "Unauthorized" }, { status: 401 });
   }
 
@@ -37,7 +39,7 @@ export async function GET(req: NextRequest) {
 
   // 1. Verify user exists
   const userRes = await fetch(`${GITHUB_API}/users/${encodedUsername}`, {
-    headers: { Authorization: `Bearer ${session.accessToken}` },
+    headers: { Authorization: `Bearer ${accessToken}` },
     cache: "no-store",
   });
 
@@ -50,7 +52,7 @@ export async function GET(req: NextRequest) {
   const since90 = new Date();
   since90.setDate(since90.getDate() - 90);
   const since90Str = since90.toISOString().slice(0, 10);
-  
+
   const since30 = new Date();
   since30.setDate(since30.getDate() - 30);
   const since30Str = since30.toISOString().slice(0, 10);
@@ -66,7 +68,7 @@ export async function GET(req: NextRequest) {
 
   const commitsRes = await fetch(commitsUrl.toString(), {
     headers: {
-      Authorization: `Bearer ${session.accessToken}`,
+      Authorization: `Bearer ${accessToken}`,
       Accept: "application/vnd.github+json",
     },
     cache: "no-store",
@@ -75,11 +77,11 @@ export async function GET(req: NextRequest) {
   let streak = 0;
   let commits30d = 0;
   let topLanguage = "Unknown";
-  
+
   if (commitsRes.ok) {
     const commitsData = await commitsRes.json();
     const items = commitsData.items || [];
-    
+
     const daySet: Record<string, true> = {};
     for (const item of items) {
       const dateStr = item.commit.author.date.slice(0, 10);
@@ -89,22 +91,20 @@ export async function GET(req: NextRequest) {
       }
     }
     const commitDays = Object.keys(daySet).sort();
-    
+
     if (commitDays.length > 0) {
       let currentRun = 1;
-      let runs: { end: string; length: number }[] = [];
-      let runStart = commitDays[0];
+      const runs: { end: string; length: number }[] = [];
       for (let i = 1; i < commitDays.length; i++) {
         if (dateDiffDays(commitDays[i - 1], commitDays[i]) === 1) {
           currentRun++;
         } else {
           runs.push({ end: commitDays[i - 1], length: currentRun });
-          runStart = commitDays[i];
           currentRun = 1;
         }
       }
       runs.push({ end: commitDays[commitDays.length - 1], length: currentRun });
-      
+
       const today = toDateStr(new Date());
       const yesterday = toDateStr(new Date(Date.now() - 86400000));
       const lastRun = runs[runs.length - 1];
@@ -118,10 +118,10 @@ export async function GET(req: NextRequest) {
   reposUrl.searchParams.set("sort", "pushed");
 
   const reposRes = await fetch(reposUrl.toString(), {
-    headers: { Authorization: `Bearer ${session.accessToken}` },
+    headers: { Authorization: `Bearer ${accessToken}` },
     cache: "no-store",
   });
-  
+
   if (reposRes.ok) {
     const reposData = await reposRes.json();
     const langCounts: Record<string, number> = {};
@@ -140,7 +140,7 @@ export async function GET(req: NextRequest) {
   prsUrl.searchParams.set("per_page", "1");
 
   const prsRes = await fetch(prsUrl.toString(), {
-    headers: { Authorization: `Bearer ${session.accessToken}` },
+    headers: { Authorization: `Bearer ${accessToken}` },
     cache: "no-store",
   });
   let prs = 0;
@@ -154,6 +154,6 @@ export async function GET(req: NextRequest) {
     streak,
     commits30d,
     topLanguage,
-    prs
+    prs,
   });
 }

src/app/api/metrics/contributions/daily/route.ts

@@ -8,6 +8,7 @@ import {
   metricsCacheKey,
   withMetricsCache,
 } from "@/lib/metrics-cache";
+import { getGitHubAccessToken } from "@/lib/server-github-token";
 
 export const dynamic = "force-dynamic";
 
@@ -19,7 +20,8 @@ interface RepoCommit {
 
 export async function GET(req: NextRequest) {
   const session = await getServerSession(authOptions);
-  if (!session?.accessToken || !session.githubLogin) {
+  const accessToken = await getGitHubAccessToken(req);
+  if (!accessToken || !session?.githubLogin) {
     return Response.json({ error: "Unauthorized" }, { status: 401 });
   }
 
@@ -47,7 +49,7 @@ export async function GET(req: NextRequest) {
           `${GITHUB_API}/search/commits?q=author:${session.githubLogin}+author-date:${date}&per_page=100`,
           {
             headers: {
-              Authorization: `Bearer ${session.accessToken}`,
+              Authorization: `Bearer ${accessToken}`,
               Accept: "application/vnd.github+json",
             },
             cache: "no-store",