
chore: improve rate limit store + tighten up CSP policies#1760

Open
paustint wants to merge 2 commits into main from sec/rate-limit-csp-hardening

Conversation

@paustint
Contributor

@paustint paustint commented Jun 1, 2026

No description provided.

Copilot AI review requested due to automatic review settings June 1, 2026 15:22
Contributor

Copilot AI left a comment


Pull request overview

This PR improves security and correctness of request throttling across horizontally scaled API instances by adding a Postgres-backed express-rate-limit store, while also tightening /app CSP enforcement (nonce + strict-dynamic, narrower allowlists, and CSP violation reporting).

Changes:

  • Add a distributed Postgres rate-limit store (RateLimitHit + PgRateLimitStore) and switch security-sensitive limiters to use it.
  • Tighten CSP policies for /app (strict-dynamic + nonce, narrower connect-src/img-src/Google hosts) and add CSP violation report ingestion.
  • Misc security hardening: constant-time Basic Auth comparisons, strip auth cookies/headers on /analytics proxy, shorten external-auth LRU TTL, and add avatar fallback for CSP-blocked legacy hosts.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

Summary per file

| File | Description |
| --- | --- |
| prisma/schema.prisma | Removes WebExtensionToken.deviceId uniqueness and adds RateLimitHit model backing the distributed limiter. |
| prisma/migrations/20260601140634_add_rate_limit_store/migration.sql | Drops the old deviceId unique index and creates rate_limit_hits + expiry index. |
| libs/auth/server/src/lib/auth.db.service.ts | Prunes expired distributed rate-limit rows during periodic cleanup. |
| libs/api-config/src/lib/pg-rate-limit-store.ts | Implements Postgres-backed express-rate-limit store with atomic upsert semantics. |
| libs/api-config/src/lib/api-rate-limit.config.ts | Adds distributed option to createRateLimit, fail-open behavior, and throttled store-error reporting. |
| libs/api-config/src/index.ts | Exports the new Postgres rate limit store. |
| apps/jetstream/vite.plugins.ts | Adds Vite bundle-stage HTML transform to stamp CSP nonce placeholders onto emitted script/modulepreload tags. |
| apps/jetstream/vite.config.ts | Enables the new CSP nonce Vite plugin in the Jetstream SPA build. |
| apps/jetstream/src/app/components/profile/ProfileIdentityCard.tsx | Adds an onError avatar fallback to a local default image to handle CSP-blocked legacy avatar URLs. |
| apps/api/src/main.ts | Mounts CSP report route early, tightens /app CSP directives, secures session cookie name, and strips sensitive headers in /analytics proxy. |
| apps/api/src/app/utils/security-headers.ts | Introduces /app-specific CSP builder, narrows WebSocket/connect sources, and adds CSP reporting directives. |
| apps/api/src/app/utils/tests/security-headers.spec.ts | Adds tests for shared vs /app CSP differences (strict-dynamic, narrowed sources, etc.). |
| apps/api/src/app/services/external-auth.service.ts | Adds a 60s TTL to the in-process external-auth LRU cache to bound stale authorization after revocation. |
| apps/api/src/app/routes/route.middleware.ts | Uses timing-safe comparisons in Basic Auth, sets Reporting-Endpoints, and adds a distributed per-email password reset limiter. |
| apps/api/src/app/routes/openapi.routes.ts | Adds a distributed limiter ahead of Basic Auth to slow brute-force attempts. |
| apps/api/src/app/routes/index.ts | Exposes the new CSP report router. |
| apps/api/src/app/routes/csp-report.routes.ts | Adds a dedicated, small-body CSP report ingestion endpoint (204 response). |
| apps/api/src/app/routes/auth.routes.ts | Switches strict auth limiters to distributed store and adds per-email password reset throttling. |

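The review above describes a Postgres-backed express-rate-limit store with "atomic upsert semantics" and a "fail-open" mode with throttled error reporting. The following is an added illustration of that design, not code from the Jetstream repository or this PR: the table name rate_limit_hits comes from the migration summary, but the column names, the `query(text, values)` shape (node-postgres style) and the class names are assumptions.

```typescript
// Added example (not the project's code). One atomic upsert per hit means
// horizontally scaled API instances never race on read-modify-write.
// Assumed table: rate_limit_hits(key text primary key, hits int,
// expires_at timestamptz). Column names are illustrative.

interface Queryable {
  query<T = unknown>(text: string, values: unknown[]): Promise<{ rows: T[] }>;
}
interface HitRow { hits: number | string; expires_at: Date | string }
interface IncrementResult { totalHits: number; resetTime: Date }

// If the window has expired the same statement restarts it; otherwise the
// counter is bumped. Postgres serializes conflicting upserts on the row lock,
// so two instances cannot both observe hits = N and both return N + 1.
const INCREMENT_SQL = `
  INSERT INTO rate_limit_hits (key, hits, expires_at)
  VALUES ($1, 1, NOW() + $2::int * INTERVAL '1 millisecond')
  ON CONFLICT (key) DO UPDATE SET
    hits = CASE WHEN rate_limit_hits.expires_at <= NOW()
                THEN 1 ELSE rate_limit_hits.hits + 1 END,
    expires_at = CASE WHEN rate_limit_hits.expires_at <= NOW()
                      THEN EXCLUDED.expires_at ELSE rate_limit_hits.expires_at END
  RETURNING hits, expires_at`;

function toIncrementResult(row: HitRow): IncrementResult {
  // pg returns int8/numeric counters as strings; normalise before comparing to max
  return { totalHits: Number(row.hits), resetTime: new Date(row.expires_at) };
}

class PgRateLimitStoreExample {
  constructor(private readonly db: Queryable, private readonly windowMs: number) {}
  async increment(key: string): Promise<IncrementResult> {
    const { rows } = await this.db.query<HitRow>(INCREMENT_SQL, [key, this.windowMs]);
    const [row] = rows;
    if (!row) throw new Error('rate-limit upsert returned no row');
    return toIncrementResult(row);
  }
}

// Fail-open policy: a store outage must not take the API down, and it must not
// flood the error reporter either. Both decisions depend only on a clock value,
// so they are testable without a database. The trade-off is explicit: while the
// store is down, these limiters enforce nothing.
class FailOpenPolicy {
  private lastReportAt = Number.NEGATIVE_INFINITY;
  constructor(private readonly windowMs: number, private readonly reportEveryMs: number) {}
  shouldReport(nowMs: number): boolean {
    if (nowMs - this.lastReportAt < this.reportEveryMs) return false;
    this.lastReportAt = nowMs;
    return true;
  }
  allowResult(nowMs: number): IncrementResult {
    // totalHits 0 lets express-rate-limit pass the request through
    return { totalHits: 0, resetTime: new Date(nowMs + this.windowMs) };
  }
}
```

The expiry index mentioned in the migration summary is what makes the periodic cleanup of rows with `expires_at < NOW()` cheap; without it the prune turns into a full table scan as keys accumulate.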

Comment thread libs/api-config/src/lib/pg-rate-limit-store.ts