Convert to Next.js with security features

- Migrate from Vite to Next.js 15 for server-side API support - Add dynamic API route at /api/filaments that fetches from Confluence - Implement security measures: - API credentials only accessible server-side - Security scan script to detect credential leaks - Tests to ensure no sensitive data exposure - Build-time security checks in CI/CD - Update AWS Amplify configuration for Next.js deployment - Update Terraform to use WEB_COMPUTE platform for Next.js - Add Jest tests for API security - Remove static JSON approach in favor of dynamic API This provides real-time data updates while keeping credentials secure on the server. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-19 00:11:19 +02:00
parent 4b39190251
commit 21f6577592
22 changed files with 5306 additions and 578 deletions
--- a/scripts/security-check.js
+++ b/scripts/security-check.js
@@ -0,0 +1,91 @@
+const fs = require('fs');
+const path = require('path');
+
+// Patterns that might indicate leaked credentials
+const sensitivePatterns = [
+  /ATATT[A-Za-z0-9+/=]{100,}/g, // Confluence tokens
+  /ghp_[A-Za-z0-9]{36,}/g, // GitHub tokens
+  /api[_-]?key[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
+  /token[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
+  /password[_-]?[=:]\s*["']?[^\s"']{8,}/gi,
+  /secret[_-]?[=:]\s*["']?[A-Za-z0-9+/=]{20,}/gi,
+];
+
+// Files to exclude from scanning
+const excludePatterns = [
+  /node_modules/,
+  /\.git/,
+  /\.next/,
+  /dist/,
+  /build/,
+  /terraform\.tfvars$/,
+  /\.env/,
+  /security-check\.js$/,
+];
+
+function scanFile(filePath) {
+  const content = fs.readFileSync(filePath, 'utf8');
+  const issues = [];
+  
+  sensitivePatterns.forEach(pattern => {
+    const matches = content.match(pattern);
+    if (matches) {
+      matches.forEach(match => {
+        // Only flag if it's not a placeholder or example
+        if (!match.includes('example') && !match.includes('YOUR_') && !match.includes('xxx')) {
+          issues.push({
+            file: filePath,
+            pattern: pattern.source,
+            match: match.substring(0, 20) + '...',
+          });
+        }
+      });
+    }
+  });
+  
+  return issues;
+}
+
+function scanDirectory(dir) {
+  const issues = [];
+  
+  function walk(currentPath) {
+    const entries = fs.readdirSync(currentPath, { withFileTypes: true });
+    
+    for (const entry of entries) {
+      const fullPath = path.join(currentPath, entry.name);
+      const relativePath = path.relative(process.cwd(), fullPath);
+      
+      // Skip excluded paths
+      if (excludePatterns.some(pattern => pattern.test(relativePath))) {
+        continue;
+      }
+      
+      if (entry.isDirectory()) {
+        walk(fullPath);
+      } else if (entry.isFile() && /\.(js|ts|jsx|tsx|json|yml|yaml|md)$/.test(entry.name)) {
+        const fileIssues = scanFile(fullPath);
+        issues.push(...fileIssues);
+      }
+    }
+  }
+  
+  walk(dir);
+  return issues;
+}
+
+// Run the scan
+console.log('🔍 Scanning for potential credential leaks...\n');
+const issues = scanDirectory(process.cwd());
+
+if (issues.length > 0) {
+  console.error('❌ Found potential credential leaks:\n');
+  issues.forEach(issue => {
+    console.error(`File: ${issue.file}`);
+    console.error(`Pattern: ${issue.pattern}`);
+    console.error(`Match: ${issue.match}\n`);
+  });
+  process.exit(1);
+} else {
+  console.log('✅ No credential leaks detected');
+}