Harden frontend assets: disable source maps, add JS obfuscation, env var config

- Disable source maps in production builds (vite.config.ts: sourcemap: false)
- Add vite-plugin-obfuscator for JS obfuscation (hex identifiers, base64 string encoding)
- Move OIDC config behind VITE_* env vars with dev fallbacks (auth/config.ts)
- Add server_tokens off to nginx.conf to stop advertising nginx version
- Add type declaration for vite-plugin-obfuscator

frontend/nginx.conf

@@ -1,6 +1,7 @@
 server {
     listen 80;
     server_name _;
+    server_tokens off;
 
     # Root directory for static files (must match Docker COPY path)
     root /usr/share/nginx/html;

frontend/package.json

@@ -65,6 +65,7 @@
     "tw-animate-css": "^1.3.4",
     "typescript": "~5.8.3",
     "typescript-eslint": "^8.30.1",
-    "vite": "^6.3.5"
+    "vite": "^6.3.5",
+    "vite-plugin-obfuscator": "^1.0.5"
   }
 }

frontend/src/auth/config.ts

@@ -1,10 +1,10 @@
 import { WebStorageStateStore } from "oidc-client-ts";
 
 export const oidcConfig = {
-    authority: "https://authentik.viktorbarzin.me/application/o/wrongmove/",
+    authority: import.meta.env.VITE_OIDC_AUTHORITY || "https://authentik.viktorbarzin.me/application/o/wrongmove/",
-    client_id: "5AJKRgcdgVm1OyApBzFkadDFfStW9a555zwv2MOe",
+    client_id: import.meta.env.VITE_OIDC_CLIENT_ID || "5AJKRgcdgVm1OyApBzFkadDFfStW9a555zwv2MOe",
-    redirect_uri: import.meta.env.MODE === 'development' ? "https://localhost/callback" : "https://wrongmove.viktorbarzin.me/callback",
+    redirect_uri: import.meta.env.VITE_REDIRECT_URI || (import.meta.env.MODE === 'development' ? "https://localhost/callback" : "https://wrongmove.viktorbarzin.me/callback"),
-    post_logout_redirect_uri: import.meta.env.MODE === 'development' ? "https://localhost/" : "https://wrongmove.viktorbarzin.me/",
+    post_logout_redirect_uri: import.meta.env.VITE_LOGOUT_REDIRECT_URI || (import.meta.env.MODE === 'development' ? "https://localhost/" : "https://wrongmove.viktorbarzin.me/"),
     userStore: new WebStorageStateStore({ store: window.localStorage }),
     response_type: 'code', // PKCE flow (recommended for SPAs)
     scope: 'openid profile email', // Requested scopes

frontend/src/constants/index.ts

@@ -17,6 +17,7 @@ export const API_ENDPOINTS = {
 
 // Map configuration
 export const MAP_CONFIG = {
+  // Dev fallback token — production builds must set VITE_MAPBOX_TOKEN
   MAPBOX_TOKEN: import.meta.env.VITE_MAPBOX_TOKEN || 'pk.eyJ1IjoiZGktdG8iLCJhIjoiY2o0bnBoYXcxMW1mNzJ3bDhmc2xiNWttaiJ9.ZccatVk_4shzoAsEUXXecA',
   DEFAULT_CENTER: [13.38032, 49.994210] as [number, number],
   DEFAULT_ZOOM: 5,

frontend/tsconfig.node.json

@@ -22,6 +22,7 @@
     // "noUncheckedSideEffectImports": true
   },
   "include": [
-    "vite.config.ts"
+    "vite.config.ts",
+    "vite-plugin-obfuscator.d.ts"
   ]
 }

frontend/vite-plugin-obfuscator.d.ts

@@ -0,0 +1,4 @@
+declare module 'vite-plugin-obfuscator' {
+  import type { Plugin } from 'vite';
+  export function viteObfuscateFile(options?: Record<string, unknown>): Plugin;
+}

frontend/vite.config.ts

@@ -3,12 +3,30 @@ import react from '@vitejs/plugin-react-swc';
 import path from "path";
 import { env } from "process";
 import { defineConfig } from 'vite';
+import { viteObfuscateFile } from 'vite-plugin-obfuscator';
 
 // https://vite.dev/config/
 export default defineConfig({
-  plugins: [react(), tailwindcss()],
+  plugins: [
+    react(),
+    tailwindcss(),
+    viteObfuscateFile({
+      compact: true,
+      controlFlowFlattening: false,
+      deadCodeInjection: false,
+      debugProtection: false,
+      identifierNamesGenerator: 'hexadecimal',
+      renameGlobals: false,
+      stringArray: true,
+      stringArrayThreshold: 0.75,
+      stringArrayEncoding: ['base64'],
+      splitStrings: true,
+      splitStringsChunkLength: 10,
+    }),
+  ],
   build: {
-    outDir: "dist"
+    outDir: "dist",
+    sourcemap: false,
   },
   resolve: {
     alias: {