Convert to Next.js with security features
- Migrate from Vite to Next.js 15 for server-side API support - Add dynamic API route at /api/filaments that fetches from Confluence - Implement security measures: - API credentials only accessible server-side - Security scan script to detect credential leaks - Tests to ensure no sensitive data exposure - Build-time security checks in CI/CD - Update AWS Amplify configuration for Next.js deployment - Update Terraform to use WEB_COMPUTE platform for Next.js - Add Jest tests for API security - Remove static JSON approach in favor of dynamic API This provides real-time data updates while keeping credentials secure on the server. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
DaX
@@ -1,35 +0,0 @@
|
||||
import fs from 'fs';
|
||||
import path from 'path';
|
||||
import { fileURLToPath } from 'url';
|
||||
import { fetchFromConfluence } from '../src/server/confluence.ts';
|
||||
|
||||
const __filename = fileURLToPath(import.meta.url);
|
||||
const __dirname = path.dirname(__filename);
|
||||
|
||||
async function buildData() {
|
||||
try {
|
||||
console.log('Fetching filament data from Confluence...');
|
||||
const filaments = await fetchFromConfluence({
|
||||
CONFLUENCE_API_URL: process.env.CONFLUENCE_API_URL,
|
||||
CONFLUENCE_TOKEN: process.env.CONFLUENCE_TOKEN,
|
||||
CONFLUENCE_PAGE_ID: process.env.CONFLUENCE_PAGE_ID
|
||||
});
|
||||
|
||||
// Create public directory if it doesn't exist
|
||||
const publicDir = path.join(__dirname, '..', 'public');
|
||||
if (!fs.existsSync(publicDir)) {
|
||||
fs.mkdirSync(publicDir, { recursive: true });
|
||||
}
|
||||
|
||||
// Write data to public directory
|
||||
const dataPath = path.join(publicDir, 'filaments.json');
|
||||
fs.writeFileSync(dataPath, JSON.stringify(filaments, null, 2));
|
||||
|
||||
console.log(`Successfully wrote ${filaments.length} filaments to ${dataPath}`);
|
||||
} catch (error) {
|
||||
console.error('Error building data:', error);
|
||||
process.exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
buildData();
|
||||
91
scripts/security-check.js
Normal file
91
scripts/security-check.js
Normal file
@@ -0,0 +1,91 @@
|
||||
const fs = require('fs');
|
||||
const path = require('path');
|
||||
|
||||
// Patterns that might indicate leaked credentials
|
||||
const sensitivePatterns = [
|
||||
/ATATT[A-Za-z0-9+/=]{100,}/g, // Confluence tokens
|
||||
/ghp_[A-Za-z0-9]{36,}/g, // GitHub tokens
|
||||
/api[_-]?key[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
|
||||
/token[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
|
||||
/password[_-]?[=:]\s*["']?[^\s"']{8,}/gi,
|
||||
/secret[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
|
||||
];
|
||||
|
||||
// Files to exclude from scanning
|
||||
const excludePatterns = [
|
||||
/node_modules/,
|
||||
/\.git/,
|
||||
/\.next/,
|
||||
/dist/,
|
||||
/build/,
|
||||
/terraform\.tfvars$/,
|
||||
/\.env/,
|
||||
/security-check\.js$/,
|
||||
];
|
||||
|
||||
function scanFile(filePath) {
|
||||
const content = fs.readFileSync(filePath, 'utf8');
|
||||
const issues = [];
|
||||
|
||||
sensitivePatterns.forEach(pattern => {
|
||||
const matches = content.match(pattern);
|
||||
if (matches) {
|
||||
matches.forEach(match => {
|
||||
// Only flag if it's not a placeholder or example
|
||||
if (!match.includes('example') && !match.includes('YOUR_') && !match.includes('xxx')) {
|
||||
issues.push({
|
||||
file: filePath,
|
||||
pattern: pattern.source,
|
||||
match: match.substring(0, 20) + '...',
|
||||
});
|
||||
}
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
return issues;
|
||||
}
|
||||
|
||||
function scanDirectory(dir) {
|
||||
const issues = [];
|
||||
|
||||
function walk(currentPath) {
|
||||
const entries = fs.readdirSync(currentPath, { withFileTypes: true });
|
||||
|
||||
for (const entry of entries) {
|
||||
const fullPath = path.join(currentPath, entry.name);
|
||||
const relativePath = path.relative(process.cwd(), fullPath);
|
||||
|
||||
// Skip excluded paths
|
||||
if (excludePatterns.some(pattern => pattern.test(relativePath))) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (entry.isDirectory()) {
|
||||
walk(fullPath);
|
||||
} else if (entry.isFile() && /\.(js|ts|jsx|tsx|json|yml|yaml|md)$/.test(entry.name)) {
|
||||
const fileIssues = scanFile(fullPath);
|
||||
issues.push(...fileIssues);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
walk(dir);
|
||||
return issues;
|
||||
}
|
||||
|
||||
// Run the scan
|
||||
console.log('🔍 Scanning for potential credential leaks...\n');
|
||||
const issues = scanDirectory(process.cwd());
|
||||
|
||||
if (issues.length > 0) {
|
||||
console.error('❌ Found potential credential leaks:\n');
|
||||
issues.forEach(issue => {
|
||||
console.error(`File: ${issue.file}`);
|
||||
console.error(`Pattern: ${issue.pattern}`);
|
||||
console.error(`Match: ${issue.match}\n`);
|
||||
});
|
||||
process.exit(1);
|
||||
} else {
|
||||
console.log('✅ No credential leaks detected');
|
||||
}
|
||||
Reference in New Issue
Block a user