feat: configure CSP for self-hosting and multiple ports in dev mode (#1364)

Closes #1358 
Closes #1359

⚠️ The preview and prod environments must define a `NEXT_PUBLIC_FRONTEND_URL` variable before this is merged.
Matthieu Jacq 2023-10-09 17:02:15 +02:00 committed by GitHub
parent 77e135fb5b
commit 2c7d48cf4e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 33 deletions


@ -1,5 +1,6 @@
NEXT_PUBLIC_ENV=local NEXT_PUBLIC_ENV=local
NEXT_PUBLIC_BACKEND_URL=http://localhost:5050 NEXT_PUBLIC_BACKEND_URL=http://localhost:5050
NEXT_PUBLIC_FRONTEND_URL=http://localhost:*
NEXT_PUBLIC_SUPABASE_URL=<change-me> NEXT_PUBLIC_SUPABASE_URL=<change-me>
NEXT_PUBLIC_SUPABASE_ANON_KEY=<change-me> NEXT_PUBLIC_SUPABASE_ANON_KEY=<change-me>
@ -12,4 +13,3 @@ NEXT_PUBLIC_GA_ID=<ignore-me-or-change-me>
NEXT_PUBLIC_E2E_URL=http://localhost:3003 NEXT_PUBLIC_E2E_URL=http://localhost:3003
NEXT_PUBLIC_E2E_EMAIL=<ignore-me-or-change-me> NEXT_PUBLIC_E2E_EMAIL=<ignore-me-or-change-me>
NEXT_PUBLIC_E2E_PASSWORD=<ignore-me-or-change-me> NEXT_PUBLIC_E2E_PASSWORD=<ignore-me-or-change-me>
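Review bot: The example value `http://localhost:*` added on the NEXT_PUBLIC_FRONTEND_URL line is a CSP source expression rather than a URL, which the variable name does not convey, and nothing in the file warns against copying it into a preview or production env. A wildcard-port localhost source is fine for local development, but in a deployed build it would widen the script-src and style-src allow-lists, since the other file in this commit appears to splice the variable into those directives verbatim. I would add a comment above the line: `# CSP source for this frontend's own origin (spliced into the Content-Security-Policy in next.config); wildcard port is for local dev only — deployed envs must set the exact origin, e.g. https://www.quivr.app`. Because the consumer looks like it joins the raw value into the policy string, an unset variable would presumably yield a literal `undefined` token, so the comment should also mark the variable as required.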


@ -24,11 +24,7 @@ const ContentSecurityPolicy = {
"https://fonts.googleapis.com", "https://fonts.googleapis.com",
process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_URL,
"https://api.june.so", "https://api.june.so",
{ process.env.NEXT_PUBLIC_FRONTEND_URL,
prod: "https://www.quivr.app/",
preview: "https://preview.quivr.app/",
local: ["http://localhost:3000", "http://localhost:3001"],
},
], ],
"connect-src": [ "connect-src": [
"'self'", "'self'",
@ -43,44 +39,20 @@ const ContentSecurityPolicy = {
"media-src": [ "media-src": [
"'self'", "'self'",
"https://user-images.githubusercontent.com", "https://user-images.githubusercontent.com",
"https://www.quivr.app/", process.env.NEXT_PUBLIC_FRONTEND_URL,
"https://quivr-cms.s3.eu-west-3.amazonaws.com", "https://quivr-cms.s3.eu-west-3.amazonaws.com",
], ],
"script-src": [ "script-src": [
"'unsafe-inline'", "'unsafe-inline'",
"'unsafe-eval'", "'unsafe-eval'",
"https://va.vercel-scripts.com/", "https://va.vercel-scripts.com/",
{ process.env.NEXT_PUBLIC_FRONTEND_URL,
prod: "https://www.quivr.app/",
preview: "https://preview.quivr.app/",
local: ["http://localhost:3000", "http://localhost:3001"],
},
"https://www.google-analytics.com/", "https://www.google-analytics.com/",
], ],
"frame-ancestors": ["'none'"], "frame-ancestors": ["'none'"],
"style-src": [ "style-src": ["'unsafe-inline'", process.env.NEXT_PUBLIC_FRONTEND_URL],
"'unsafe-inline'",
{
prod: "https://www.quivr.app/",
preview: "https://preview.quivr.app/",
local: ["http://localhost:3000", "http://localhost:3001"],
},
],
}; };
// Resolve environment-specific CSP values
for (const directive of Object.values(ContentSecurityPolicy)) {
for (const [index, resource] of directive.entries()) {
if (typeof resource === "string") {
continue;
}
directive[index] = resource[process.env.NEXT_PUBLIC_ENV];
if (Array.isArray(directive[index])) {
directive[index] = directive[index].join(" ");
}
}
}
// Build CSP string // Build CSP string
const cspString = Object.entries(ContentSecurityPolicy) const cspString = Object.entries(ContentSecurityPolicy)
.map(([key, values]) => `${key} ${values.join(" ")};`) .map(([key, values]) => `${key} ${values.join(" ")};`)