From d8d04adfc6ec19e8f74bc6a4d47af1d4a4883bfb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Gierwia=C5=82o?=
Date: Wed, 3 Dec 2025 19:21:52 +0100
Subject: [PATCH] fix(nginx): allow Vite dev dependencies in development mode
- Changed regex /\. to /\.(git|svn|htaccess|htpasswd|env) to allow .vite directory
- Removed node_modules from nginx blocked paths for Vite dependency serving
- Set VITE_ALLOWED_HOSTS=all in development mode for Docker networking
Fixes issue where nginx was blocking Vite's pre-bundled dependencies in /node_modules/.vite/deps/, causing 404 errors for React and other imports.
---
 docker-compose.yml | 2 +-
 nginx/conf.d/default.conf | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 182d89b..602866d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -63,7 +63,7 @@ services:
 environment:
 - NODE_ENV=development
 - VITE_HOST=0.0.0.0
- - VITE_ALLOWED_HOSTS=${VITE_ALLOWED_HOSTS:-localhost,spotlight.cam,.spotlight.cam}
+ - VITE_ALLOWED_HOSTS=${VITE_ALLOWED_HOSTS:-all}
 stdin_open: true
 tty: true
 command: npm run dev
diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf
index 85ca865..e687005 100644
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -22,8 +22,8 @@ server {
 # Content Security Policy (permissive for dev, tighten for production)
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' ws: wss:; media-src 'self' blob:; object-src 'none'; base-uri 'self'; form-action 'self';" always;
- # Block access to sensitive files and directories
- location ~ /\. {
+ # Block access to hidden files and directories (but allow .vite for development)
+ location ~ /\.(git|svn|htaccess|htpasswd|env) {
 deny all;
 access_log off;
 log_not_found off;
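Review bot: The new default `${VITE_ALLOWED_HOSTS:-all}` replaces an explicit host allowlist with a wildcard while `VITE_HOST=0.0.0.0` keeps the dev server listening on every interface, so by default nothing restricts which Host header it answers to. Vite's host check exists to keep DNS-rebinding pages from reading dev-server content; how the string `all` is interpreted depends on vite.config, which is not part of this patch. If the failure was the nginx container reaching Vite under its compose service name, keep the allowlist and append that name, e.g. `- VITE_ALLOWED_HOSTS=${VITE_ALLOWED_HOSTS:-localhost,spotlight.cam,.spotlight.cam,<vite-service-name>}` (placeholder), leaving `all` as an explicit opt-in through the environment. The service definition starts above this hunk.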
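Review bot: `location ~ /\.(git|svn|htaccess|htpasswd|env)` turns a deny-everything-hidden rule into a five-name denylist, so any other dot-path below the root (`.npmrc`, `.vscode`, `.idea`, editor swap files) is no longer rejected here; the second deny block is anchored with `^/` and covers those names only at the top level. Keeping the blanket rule and carving out the single exception fails closed for names nobody listed: `location ~ /\.(?!vite/) {` with the comment `# Deny all dot-paths except Vite's cache directory (.vite/)`. The new comment calls this a development allowance, but nothing in the patch limits default.conf to development, so the relaxed rule presumably applies wherever this file is deployed. The location block's closing brace is outside the hunk.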
@@ -37,7 +37,9 @@ server {
 return 404;
 }
- location ~ ^/(node_modules|\.git|\.vscode|\.idea|docker-compose|Dockerfile|package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml|\.npmrc|\.yarnrc|tsconfig\.json|\.eslintrc|\.prettierrc|prisma|\.env.*|\.db|\.sqlite|\.sql|backup|backups|dumps|logs)/? {
+ # DEV MODE: node_modules allowed for Vite dependencies
+ # Block access to sensitive files and directories (excluding node_modules for Vite)
+ location ~ ^/(\.git|\.vscode|\.idea|docker-compose|Dockerfile|package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml|\.npmrc|\.yarnrc|tsconfig\.json|\.eslintrc|\.prettierrc|prisma|\.env.*|\.db|\.sqlite|\.sql|backup|backups|dumps|logs)/? {
 deny all;
 access_log off;
 log_not_found off;
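Review bot: Dropping `node_modules` from the alternation unblocks the entire `/node_modules/` tree, while the commit message only needs `/node_modules/.vite/deps/`. A narrower exception keeps everything else denied: keep the entry but write it as `node_modules(?!/\.vite/)`, so the line starts `location ~ ^/(node_modules(?!/\.vite/)|\.git|\.vscode|` and continues unchanged. If some packages are served unbundled from `/node_modules/` in development (not visible here), allow those paths explicitly rather than opening the whole directory. The two added comment lines say the same thing; a single one such as `# Deny sensitive paths; only node_modules/.vite/ is exempt (dev)` would be enough. The location block continues past the end of the hunk.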