feat: add registration and authentication

backend/src/app.ts

@@ -1,6 +1,10 @@
 import express, { Request, Response, NextFunction } from "express";
 import cors from "cors";
+import cookieParser from "cookie-parser";
+import helmet from "helmet";
 import { config } from "./config";
+import { loadAuth, requireCsrf } from "./authMiddleware";
+import authRouter from "./routes/auth";
 import healthRouter from "./routes/health";
 import racesRouter from "./routes/races";
 
@@ -8,11 +12,43 @@ export function createApp(): express.Express {
   const app = express();
 
   app.use(
-    cors({ origin: config.corsOrigin, methods: ["GET", "POST", "PATCH", "DELETE", "OPTIONS"] }),
+    helmet({
+      contentSecurityPolicy:
+        config.securityProfile === "production"
+          ? {
+              directives: {
+                defaultSrc: ["'self'"],
+                scriptSrc: ["'self'"],
+                styleSrc: ["'self'"],
+                imgSrc: ["'self'", "data:", "https:"],
+                connectSrc: ["'self'"],
+                objectSrc: ["'none'"],
+                frameAncestors: ["'none'"],
+              },
+            }
+          : false,
+      hsts:
+        config.securityProfile === "production"
+          ? { maxAge: 31_536_000, includeSubDomains: true }
+          : false,
+      referrerPolicy: { policy: "strict-origin-when-cross-origin" },
+    }),
+  );
+  app.use(
+    cors({
+      origin: config.corsOrigin,
+      credentials: true,
+      methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+      allowedHeaders: ["Content-Type", "X-CSRF-Token"],
+    }),
   );
   app.use(express.json());
+  app.use(cookieParser(config.session.secret));
+  app.use(loadAuth);
+  app.use(requireCsrf);
 
   app.use("/api", healthRouter);
+  app.use("/api", authRouter);
   app.use("/api", racesRouter);
 
   app.use((err: unknown, _req: Request, res: Response, _next: NextFunction) => {