-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: backoffice run dist with environment variables #2643
base: dev
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
#!/usr/bin/env sh | ||
|
||
if [[ -z "$VITE_DOMAIN" ]] | ||
then | ||
VITE_DOMAIN="http://localhost:3000" | ||
fi | ||
|
||
if [[ -z "$VITE_API_KEY" ]] | ||
then | ||
VITE_API_KEY="secret" | ||
fi | ||
Comment on lines
+8
to
+11
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Use a more secure method to set the API key. Hardcoding the API key as ToolsShellcheck
|
||
|
||
if [[ -z "$VITE_AUTH_ENABLED" ]] | ||
then | ||
VITE_AUTH_ENABLED=true | ||
fi | ||
|
||
|
||
if [[ -z "$VITE_MOCK_SERVER" ]] | ||
then | ||
VITE_MOCK_SERVER=false | ||
fi | ||
|
||
if [[ -z "$VITE_POLLING_INTERVAL" ]] | ||
then | ||
VITE_POLLING_INTERVAL=10 | ||
fi | ||
|
||
if [[ -z "$VITE_ASSIGNMENT_POLLING_INTERVAL" ]] | ||
then | ||
VITE_ASSIGNMENT_POLLING_INTERVAL=5 | ||
fi | ||
|
||
if [[ -z "$VITE_FETCH_SIGNED_URL" ]] | ||
then | ||
VITE_FETCH_SIGNED_URL=false | ||
fi | ||
Comment on lines
+3
to
+37
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛠️ Refactor suggestion Add input validation for critical environment variables. The script should validate the format and values of critical variables like VITE_DOMAIN and VITE_POLLING_INTERVAL. if [[ -z "$VITE_DOMAIN" ]]
then
VITE_DOMAIN="http://localhost:3000"
+else
+ # Validate URL format
+ if ! [[ "$VITE_DOMAIN" =~ ^https?:// ]]; then
+ echo "Error: VITE_DOMAIN must start with http:// or https://"
+ exit 1
+ fi
fi
if [[ -z "$VITE_POLLING_INTERVAL" ]]
then
VITE_POLLING_INTERVAL=10
+else
+ # Validate numeric value and range
+ if ! [[ "$VITE_POLLING_INTERVAL" =~ ^[0-9]+$ ]] || \
+ [ "$VITE_POLLING_INTERVAL" -lt 1 ] || \
+ [ "$VITE_POLLING_INTERVAL" -gt 3600 ]; then
+ echo "Error: VITE_POLLING_INTERVAL must be a number between 1 and 3600"
+ exit 1
+ fi
fi
🧰 Tools🪛 Shellcheck (0.10.0)[warning] 3-3: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 8-8: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 13-13: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 19-19: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 24-24: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 29-29: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 34-34: In POSIX sh, [[ ]] is undefined. (SC3010) |
||
|
||
cat << EOF > /usr/share/nginx/html/config.js | ||
globalThis.env = { | ||
VITE_API_URL: "$VITE_DOMAIN/api/v1/internal", | ||
VITE_API_KEY: "$VITE_API_KEY", | ||
VITE_AUTH_ENABLED: "$VITE_AUTH_ENABLED", | ||
VITE_MOCK_SERVER: "$VITE_MOCK_SERVER", | ||
VITE_POLLING_INTERVAL: "$VITE_POLLING_INTERVAL", | ||
VITE_ASSIGNMENT_POLLING_INTERVAL: "$VITE_ASSIGNMENT_POLLING_INTERVAL", | ||
VITE_FETCH_SIGNED_URL: "$VITE_FETCH_SIGNED_URL", | ||
VITE_ENVIRONMENT_NAME: "local", | ||
MODE: "production" | ||
} | ||
EOF | ||
Comment on lines
+39
to
+51
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 💡 Codebase verification Add security headers and configure content type for config.js The nginx configuration needs to be enhanced with security headers and proper content type handling for the config.js file:
🔗 Analysis chainAdd security headers and content type for config.js. The config file might be accessible via direct URL. Ensure proper security headers are set in the nginx configuration. 🏁 Scripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Check if nginx configuration exists and has proper security headers
fd -g "*nginx*.conf" -x grep -l "config\.js"
fd -g "*nginx*.conf" -x grep -l "add_header X-Content-Type-Options nosniff"
Length of output: 124 Script: #!/bin/bash
# Let's try a broader search for nginx configurations and security headers
fd nginx
fd -e conf
rg -l "config\.js"
rg -l "add_header.*nosniff"
Length of output: 1647 Script: #!/bin/bash
# Let's examine the nginx configuration files we found
cat apps/backoffice-v2/example.nginx.conf
Length of output: 322 |
||
|
||
# Handle CMD command | ||
exec "$@" | ||
Comment on lines
+1
to
+54
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 💡 Codebase verification File permissions need to be fixed for Docker entrypoint The script integration has issues that need to be addressed:
To fix:
🔗 Analysis chainVerify Docker integration and file permissions. Let's ensure the script is properly integrated into the Docker setup. 🏁 Scripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Check if the script is referenced in Dockerfile and has correct permissions
echo "Checking Dockerfile configuration..."
rg -l "COPY.*entrypoint.sh" && \
rg -l "RUN chmod \+x.*entrypoint.sh" && \
rg -l "ENTRYPOINT.*entrypoint.sh"
# Check if nginx configuration exists for serving the config.js
echo "Checking nginx configuration..."
fd -g "*nginx*.conf" -x grep -l "config.js"
Length of output: 298 Script: #!/bin/bash
# Let's check the actual Dockerfile content to verify the integration
echo "Checking Dockerfile content:"
cat apps/backoffice-v2/Dockerfile
# Let's also check if there are any nginx configuration files
echo -e "\nListing nginx configuration files:"
fd -g "*nginx*.conf"
# Check if the entrypoint.sh is executable
echo -e "\nChecking file permissions:"
ls -l apps/backoffice-v2/entrypoint.sh
Length of output: 1202 🧰 Tools🪛 Shellcheck[warning] 3-3: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 8-8: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 13-13: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 19-19: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 24-24: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 29-29: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 34-34: In POSIX sh, [[ ]] is undefined. (SC3010)
Comment on lines
+53
to
+54
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Validate and sanitize command input. The
+# Define allowed commands
+ALLOWED_COMMANDS=("nginx" "node" "npm" "serve")
+
+# Validate command
+if [ $# -gt 0 ]; then
+ command_name=$(basename "$1")
+ if ! [[ " ${ALLOWED_COMMANDS[@]} " =~ " ${command_name} " ]]; then
+ echo "Error: Command '$command_name' is not allowed"
+ exit 1
+ fi
+fi
+
# Handle CMD command
exec "$@"
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
declare global { | ||
export var env: { [key: string]: any }; | ||
} | ||
Comment on lines
+1
to
+3
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 💡 Codebase verification Migration from There are still several instances of
🔗 Analysis chainVerify the environment variable usage across the codebase. Since this is part of a migration from 🏁 Scripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Description: Check for any remaining import.meta.env usage that needs to be migrated
echo "Checking for remaining import.meta.env usage..."
rg "import\.meta\.env" apps/backoffice-v2/
echo "Checking current globalThis.env usage..."
rg "globalThis\.env" apps/backoffice-v2/
Length of output: 1425 🛠️ Refactor suggestion Improve type safety by using a specific interface instead of any. Using declare global {
- export var env: { [key: string]: any };
+ export interface EnvConfig {
+ API_URL: string;
+ NODE_ENV: 'development' | 'production' | 'test';
+ // Add other environment variables with specific types
+ }
+ export var env: EnvConfig;
}
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -8,6 +8,7 @@ | |
<link rel="manifest" href="/manifest.webmanifest" /> | ||
<meta name="viewport" content="width=device-width, initial-scale=1.0" /> | ||
<title>Ballerine - Backoffice</title> | ||
<script type="text/javascript" src="/config.js"></script> | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm not sure this is needed since There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think this is needed else the config changes are not getting rendered There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 💡 Codebase verification Environment variables exposure requires attention The config.js file exposes several sensitive configuration variables that should be handled more securely:
Recommendations:
🔗 Analysis chainReview security implications of exposing environment variables The inclusion of environment variables in a client-side config.js file requires careful consideration of security implications. Ensure that sensitive configuration data (API keys, secrets, internal URLs) are not exposed. Let's verify what environment variables are being exposed: Consider implementing:
Let me check the config.js file content to verify what environment variables are being exposed: 🏁 Scripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Description: Check for potential sensitive data in environment variable handling
# Check entrypoint.sh for environment variable exposure
echo "Checking entrypoint.sh for environment variables:"
rg -i "export|env\." apps/backoffice-v2/entrypoint.sh
# Check for sensitive patterns in environment variable usage
echo -e "\nChecking for potentially sensitive patterns:"
rg -i "key|token|secret|password|credential" apps/backoffice-v2/
Length of output: 107207 Script: #!/bin/bash
# Check the content of config.js
cat apps/backoffice-v2/public/config.js
Length of output: 613 |
||
<script> | ||
let cachedTheme = localStorage.getItem('theme'); | ||
const themes = ['dark', 'light']; | ||
|
Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
@@ -0,0 +1,9 @@ | ||||||||||||||||||||||||||||||||||||||
globalThis.env = { | ||||||||||||||||||||||||||||||||||||||
VITE_API_URL: import.meta.env.VITE_API_URL || 'http://google.com', | ||||||||||||||||||||||||||||||||||||||
VITE_KYB_DEFINITION_ID: import.meta.env.VITE_KYB_DEFINITION_ID || 'kyb_parent_kyc_session_example', | ||||||||||||||||||||||||||||||||||||||
VITE_API_KEY: import.meta.env.VITE_API_KEY || 'secret', | ||||||||||||||||||||||||||||||||||||||
VITE_ENVIRONMENT_NAME: import.meta.env.VITE_ENVIRONMENT_NAME || 'local', | ||||||||||||||||||||||||||||||||||||||
VITE_DEFAULT_EXAMPLE_TOKEN: import.meta.env.VITE_DEFAULT_EXAMPLE_TOKEN || '12345678-1234-1234-1234-123456789012', | ||||||||||||||||||||||||||||||||||||||
VITE_SENTRY_AUTH_TOKEN: import.meta.env.VITE_SENTRY_AUTH_TOKEN || '', | ||||||||||||||||||||||||||||||||||||||
VITE_SENTRY_DSN: import.meta.env.VITE_SENTRY_DSN || '', | ||||||||||||||||||||||||||||||||||||||
}; | ||||||||||||||||||||||||||||||||||||||
Comment on lines
+1
to
+9
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Security: Avoid exposing sensitive default values in public files The configuration file contains sensitive default values (API key, token) and is located in the public directory, which could pose security risks in production environments. Consider these improvements:
globalThis.env = {
- VITE_API_URL: import.meta.env.VITE_API_URL || 'http://google.com',
- VITE_KYB_DEFINITION_ID: import.meta.env.VITE_KYB_DEFINITION_ID || 'kyb_parent_kyc_session_example',
- VITE_API_KEY: import.meta.env.VITE_API_KEY || 'secret',
- VITE_ENVIRONMENT_NAME: import.meta.env.VITE_ENVIRONMENT_NAME || 'local',
- VITE_DEFAULT_EXAMPLE_TOKEN: import.meta.env.VITE_DEFAULT_EXAMPLE_TOKEN || '12345678-1234-1234-1234-123456789012',
+ VITE_API_URL: import.meta.env.VITE_API_URL || '<REQUIRED_API_URL>',
+ VITE_KYB_DEFINITION_ID: import.meta.env.VITE_KYB_DEFINITION_ID || '<REQUIRED_KYB_DEFINITION_ID>',
+ VITE_API_KEY: import.meta.env.VITE_API_KEY || '<REQUIRED_API_KEY>',
+ VITE_ENVIRONMENT_NAME: import.meta.env.VITE_ENVIRONMENT_NAME || 'development',
+ VITE_DEFAULT_EXAMPLE_TOKEN: import.meta.env.VITE_DEFAULT_EXAMPLE_TOKEN || '<REQUIRED_TOKEN>',
VITE_SENTRY_AUTH_TOKEN: import.meta.env.VITE_SENTRY_AUTH_TOKEN || '',
VITE_SENTRY_DSN: import.meta.env.VITE_SENTRY_DSN || '',
}; 📝 Committable suggestion
Suggested change
💡 Codebase verification Let me analyze the results and generate a final response based on the findings. Environment variables are properly used, but some hardcoded values need attention The verification revealed several areas that need attention:
The rest of the hardcoded URLs appear to be in mock data, story files, or SVG namespaces which are acceptable. 🔗 Analysis chainVerify environment variable usage across the application Let's ensure these environment variables are properly used throughout the application and that there are no hardcoded values that should be using these configurations instead. 🏁 Scripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Description: Search for potential hardcoded values that should use environment variables instead
# Test: Search for hardcoded URLs that might need to use VITE_API_URL
echo "Checking for hardcoded URLs..."
rg -g '!{*.md,*.json,*.lock}' -i "http[s]?://[a-zA-Z0-9./?=_%:-]+" apps/backoffice-v2/src/
# Test: Search for hardcoded API keys or tokens
echo "Checking for potential hardcoded secrets..."
rg -g '!{*.md,*.json,*.lock}' -i "api[_-]?key|secret|token" apps/backoffice-v2/src/
# Test: Verify environment variable usage
echo "Checking environment variable usage..."
rg "import\.meta\.env\.VITE_" apps/backoffice-v2/src/
Length of output: 14917 |
Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
@@ -17,6 +17,7 @@ import dayjs from 'dayjs'; | |||||||||||||||||||||||||||||||||||||||||||||||
import advancedFormat from 'dayjs/plugin/advancedFormat'; | ||||||||||||||||||||||||||||||||||||||||||||||||
import { initializeMonitoring } from '@/initialize-monitoring/initialize-monitoring'; | ||||||||||||||||||||||||||||||||||||||||||||||||
import { initializeSessionRecording } from '@/initialize-session-recording/initialize-session-recording'; | ||||||||||||||||||||||||||||||||||||||||||||||||
import '../public/config.js?url'; | ||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||
initializeMonitoring(); | ||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||
|
@@ -53,3 +54,8 @@ void prepare().then(() => { | |||||||||||||||||||||||||||||||||||||||||||||||
); | ||||||||||||||||||||||||||||||||||||||||||||||||
} | ||||||||||||||||||||||||||||||||||||||||||||||||
}); | ||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||
//@ts-ignore | ||||||||||||||||||||||||||||||||||||||||||||||||
globalThis.env = globalThis.env || { | ||||||||||||||||||||||||||||||||||||||||||||||||
API_URL: import.meta.env.VITE_API_URL, | ||||||||||||||||||||||||||||||||||||||||||||||||
}; | ||||||||||||||||||||||||||||||||||||||||||||||||
Comment on lines
+58
to
+61
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛠️ Refactor suggestion Improve type safety and environment variable handling The current implementation has several concerns:
Consider this type-safe alternative: -//@ts-ignore
-globalThis.env = globalThis.env || {
- API_URL: import.meta.env.VITE_API_URL,
-};
+interface AppEnv {
+ API_URL: string;
+ // Add other environment variables as needed
+}
+
+const validateEnv = (env: Partial<AppEnv>): AppEnv => {
+ if (!env.API_URL) {
+ throw new Error('VITE_API_URL is required but not provided');
+ }
+ return env as AppEnv;
+};
+
+declare global {
+ var env: AppEnv;
+}
+
+globalThis.env = validateEnv({
+ API_URL: import.meta.env.VITE_API_URL,
+}); This solution:
📝 Committable suggestion
Suggested change
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update shebang to match script requirements.
The script uses bash-specific features but declares itself as a sh script. Either:
#!/usr/bin/env bash
to explicitly require bash, or[[
with[
📝 Committable suggestion