Convert to Next.js with security features
- Migrate from Vite to Next.js 15 for server-side API support - Add dynamic API route at /api/filaments that fetches from Confluence - Implement security measures: - API credentials only accessible server-side - Security scan script to detect credential leaks - Tests to ensure no sensitive data exposure - Build-time security checks in CI/CD - Update AWS Amplify configuration for Next.js deployment - Update Terraform to use WEB_COMPUTE platform for Next.js - Add Jest tests for API security - Remove static JSON approach in favor of dynamic API This provides real-time data updates while keeping credentials secure on the server. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
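--- a/__tests__/security.test.ts
+++ b/__tests__/security.test.ts
@@ -0,0 +1,59 @@
+// Mock Next.js server components
+jest.mock('next/server', () => ({
+NextResponse: {
+json: (data: any, init?: ResponseInit) => ({
+json: async () => data,
+...init
+})
+}
+}));
+
+// Mock confluence module
+jest.mock('../src/server/confluence', () => ({
+fetchFromConfluence: jest.fn()
+}));
+
+import { GET } from '../app/api/filaments/route';
+import { fetchFromConfluence } from '../src/server/confluence';
+
+describe('API Security Tests', () => {
+const originalEnv = process.env;
+
+beforeEach(() => {
+jest.resetModules();
+process.env = { ...originalEnv };
+});
+
+afterEach(() => {
+process.env = originalEnv;
+});
+
+it('should not expose credentials in error responses', async () => {
+// Simulate missing environment variables
+delete process.env.CONFLUENCE_TOKEN;
+
+const response = await GET();
+const data = await response.json();
+
+// Check that response doesn't contain sensitive information
+expect(JSON.stringify(data)).not.toContain('ATATT');
+expect(JSON.stringify(data)).not.toContain('token');
+expect(JSON.stringify(data)).not.toContain('password');
+expect(data.error).toBe('Server configuration error');
+});
+
+it('should not expose internal error details', async () => {
+// Set invalid environment to trigger error
+process.env.CONFLUENCE_API_URL = 'invalid-url';
+process.env.CONFLUENCE_TOKEN = 'test-token';
+process.env.CONFLUENCE_PAGE_ID = 'test-page';
+
+const response = await GET();
+const data = await response.json();
+
+// Should get generic error, not specific details
+expect(data.error).toBe('Failed to fetch filaments');
+expect(data).not.toHaveProperty('stack');
+expect(data).not.toHaveProperty('message');
+});
+});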
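Review bot: The second test ("should not expose internal error details") never configures the `fetchFromConfluence` mock, so the bare `jest.fn()` resolves to `undefined` rather than failing, and the `'Failed to fetch filaments'` assertion only holds if the route happens to treat an undefined result as an error; the imported `fetchFromConfluence` is otherwise unused. Pin the failure path explicitly before calling `GET()`: `(fetchFromConfluence as jest.Mock).mockRejectedValue(new Error('upstream unavailable'));`. The credential-leak assertions in the first test are case-sensitive substring checks, so a response that echoes the variable name `CONFLUENCE_TOKEN` in its message would still pass `.not.toContain('token')`; asserting on `JSON.stringify(data).toLowerCase()` closes that gap. Note also that `jest.resetModules()` in `beforeEach` does not affect the statically imported `GET`, so both tests presume the route reads `process.env` per request rather than at module load, which is worth confirming against the route. The `data: any` parameter in the `NextResponse.json` mock should be `data: unknown`.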