@capillarytech/creatives-library 8.0.356 → 8.0.358

package/index.html

@@ -23,6 +23,7 @@
     <!-- End Google Tag Manager -->
     <script>try{Typekit.load({ async: true });}catch(e){console.log(e)}</script>
     <title>Capillary - Creatives</title>
+    <script>try{window.APP_ENV=__ENV_OBJECT__;}catch(e){window.APP_ENV={};}</script>
   </head>
   <body>
     <noscript>

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@capillarytech/creatives-library",
   "author": "meharaj",
-  "version": "8.0.356",
+  "version": "8.0.358",
   "description": "Capillary creatives ui",
   "main": "./index.js",
   "module": "./index.es.js",

package/utils/cdnTransformation.js

@@ -422,14 +422,86 @@ export function removeAllCdnLocalStorageItems() {
 }
 
 /**
- * 
- * @param {*} configsResponse 
+ * Safe JSON.parse — returns fallback if value is empty or malformed.
+ * Used to parse the JSON-string env vars (qualityCfg, mapping, s3CdnMap) injected via window.APP_ENV.
+ */
+function safeJsonParse(value, fallback) {
+  if (!value) return fallback;
+  try {
+    return JSON.parse(value);
+  } catch (e) {
+    return fallback;
+  }
+}
+
+/**
+ * Reads CDN config from window.APP_ENV (injected at container startup by entrypoint.sh)
+ * and populates localStorage via saveCdnConfigs — same shape as the legacy API response.
+ *
+ * Returns true if env config was found and applied, false otherwise (saga falls back to API).
+ *
+ * In deployed containers, window.APP_ENV is populated → no API call. In local dev
+ * (`npm start`), window.APP_ENV is empty → returns false → saga falls back to the API
+ * (legacy path, retained for the rollout window).
+ *
+ * Closes the VAPT info-disclosure surface (CAP-183204) by eliminating the
+ * /getCdnTransformationConfig API response in production.
+ */
+export function initCdnConfigFromEnv() {
+  try {
+    const env = (typeof window !== 'undefined' && window.APP_ENV) || {};
+
+    // All four fields are required to construct a CDN URL. If any is missing,
+    // partial config would silently make every getCdnUrl call fall through to the
+    // raw S3 URL. Return false so the saga falls back to the API (which may still
+    // have the values during the cluster-by-cluster rollout window).
+    if (!env.CDN_HOSTNAME
+        || !env.CDN_IMG_TRANSFORMATION_URL_SUFFIX
+        || !env.CREATIVE_ASSETS_BUCKET_PATH
+        || !env.S3_CDN_MAP) {
+      return false;
+    }
+
+    // Parse and validate S3_CDN_MAP before proceeding; malformed or empty map
+    // means CDN lookups would silently fail, so fall back to the API instead.
+    const parsedS3CdnMap = safeJsonParse(env.S3_CDN_MAP, null);
+    if (
+      !parsedS3CdnMap
+      || typeof parsedS3CdnMap !== 'object'
+      || Array.isArray(parsedS3CdnMap)
+      || !Object.keys(parsedS3CdnMap).length
+    ) {
+      return false;
+    }
+
+    saveCdnConfigs({
+      hostname: env.CDN_HOSTNAME,
+      transformationUrlSuffix: env.CDN_IMG_TRANSFORMATION_URL_SUFFIX,
+      bucketPath: env.CREATIVE_ASSETS_BUCKET_PATH,
+      qualityCfg: safeJsonParse(env.CDN_IMG_QUALITY_CFG, {}),
+      overrideEmailQuality: env.OVERRIDE_IMAGE_QUALITY === 'true',
+      overrideEmailQualityMapping: safeJsonParse(env.IMAGE_QUALITY_MAPPING, []),
+      s3CdnMap: parsedS3CdnMap,
+    });
+    return true;
+  } catch (e) {
+    Bugsnag.leaveBreadcrumb('initCdnConfigFromEnv failed to apply window.APP_ENV');
+    Bugsnag.notify(e, (event) => {
+      event.severity = 'error';
+    });
+    return false;
+  }
+}
+
+/**
+ *
+ * @param {*} configsResponse
  * This util function saves the getCdnConfigs response into the local storage.
  * The following response items are mapped into the following keys in local storage:
  * hostname -> CREATIVES_CDN_BASE_URL
  * qualityCfg ->CREATIVES_CDN_QUALITY_CONFIG
  * transformationUrlSuffix -> CREATIVES_CDN_TRANSFORMATION_URL_SUFFIX
- * 
+ *
  * 1. If configsReponse is empty. All above mentioned keys are deleted from localstorage.
  * 2. If any one of the above keys is missing. The respective keys are deleted from localstorage.
  * 3. Else it is saved into the localstorage.

package/utils/tests/cdnTransformation.test.js

@@ -546,6 +546,133 @@ describe("cdnTransformationTests", () => {
     });
   });
 
+  describe("initCdnConfigFromEnv()", () => {
+    afterEach(() => {
+      delete window.APP_ENV;
+    });
+
+    it("returns false when window.APP_ENV is undefined", () => {
+      delete window.APP_ENV;
+      expect(cdnUtils.initCdnConfigFromEnv()).toBe(false);
+    });
+
+    const completeEnv = {
+      CDN_HOSTNAME: "https://storage.crm.n.content-cdn.io",
+      CDN_IMG_TRANSFORMATION_URL_SUFFIX: "cdn-cgi/image",
+      CREATIVE_ASSETS_BUCKET_PATH: "intouch_creative_assets",
+      OVERRIDE_IMAGE_QUALITY: "false",
+      CDN_IMG_QUALITY_CFG: "{}",
+      IMAGE_QUALITY_MAPPING: "[]",
+      S3_CDN_MAP: '{"host.s3.amazonaws.com":{"cdn_host":"cdn.example.com","bucket_path":"x"}}',
+    };
+
+    it.each([
+      ["CDN_HOSTNAME"],
+      ["CDN_IMG_TRANSFORMATION_URL_SUFFIX"],
+      ["CREATIVE_ASSETS_BUCKET_PATH"],
+      ["S3_CDN_MAP"],
+    ])("returns false when required field %s is missing", (missingKey) => {
+      window.APP_ENV = { ...completeEnv };
+      delete window.APP_ENV[missingKey];
+      expect(cdnUtils.initCdnConfigFromEnv()).toBe(false);
+    });
+
+    it.each([
+      ["CDN_HOSTNAME"],
+      ["CDN_IMG_TRANSFORMATION_URL_SUFFIX"],
+      ["CREATIVE_ASSETS_BUCKET_PATH"],
+      ["S3_CDN_MAP"],
+    ])("returns false when required field %s is empty string", (emptyKey) => {
+      window.APP_ENV = { ...completeEnv, [emptyKey]: "" };
+      expect(cdnUtils.initCdnConfigFromEnv()).toBe(false);
+    });
+
+    it("populates localStorage and returns true for a complete env", () => {
+      window.APP_ENV = {
+        CDN_HOSTNAME: "https://storage.crm.n.content-cdn.io",
+        CDN_IMG_TRANSFORMATION_URL_SUFFIX: "cdn-cgi/image",
+        CREATIVE_ASSETS_BUCKET_PATH: "intouch_creative_assets",
+        OVERRIDE_IMAGE_QUALITY: "true",
+        CDN_IMG_QUALITY_CFG: '{"EMAIL":65,"DEFAULT":70}',
+        IMAGE_QUALITY_MAPPING: '[[30,90],[80,85]]',
+        S3_CDN_MAP: '{"host.s3.amazonaws.com":{"cdn_host":"cdn.example.com","bucket_path":"x"}}',
+      };
+
+      expect(cdnUtils.initCdnConfigFromEnv()).toBe(true);
+      expect(localStorage.getItem("CREATIVES_CDN_BASE_URL")).toBe("https://storage.crm.n.content-cdn.io");
+      expect(localStorage.getItem("CREATIVES_CDN_TRANSFORMATION_URL_SUFFIX")).toBe("cdn-cgi/image");
+      expect(localStorage.getItem("CREATIVES_S3_BUCKET_PATH")).toBe("intouch_creative_assets");
+      expect(localStorage.getItem("CREATIVES_CDN_QUALITY_CONFIG")).toBe('{"EMAIL":65,"DEFAULT":70}');
+      expect(localStorage.getItem("CREATIVES_CDN_OVERRIDE_DEFAULT_EMAIL_QUALITY")).toBe("true");
+      expect(localStorage.getItem("CREATIVES_CDN_OVERRIDE_DEFAULT_EMAIL_QUALITY_MAPPING")).toBe("[[30,90],[80,85]]");
+      expect(JSON.parse(localStorage.getItem("S3_CDN_MAP"))).toEqual({
+        "host.s3.amazonaws.com": { cdn_host: "cdn.example.com", bucket_path: "x" },
+      });
+    });
+
+    it("uses fallback values for malformed optional JSON env vars (qualityCfg, mapping)", () => {
+      window.APP_ENV = {
+        CDN_HOSTNAME: "https://storage.crm.n.content-cdn.io",
+        CDN_IMG_TRANSFORMATION_URL_SUFFIX: "cdn-cgi/image",
+        CREATIVE_ASSETS_BUCKET_PATH: "intouch_creative_assets",
+        OVERRIDE_IMAGE_QUALITY: "false",
+        CDN_IMG_QUALITY_CFG: "not-valid-json{{",
+        IMAGE_QUALITY_MAPPING: "also-broken",
+        S3_CDN_MAP: '{"host.s3.amazonaws.com":{"cdn_host":"cdn.example.com","bucket_path":"x"}}',
+      };
+
+      expect(cdnUtils.initCdnConfigFromEnv()).toBe(true);
+      expect(localStorage.getItem("CREATIVES_CDN_BASE_URL")).toBe("https://storage.crm.n.content-cdn.io");
+    });
+
+    it("returns false when S3_CDN_MAP is malformed JSON", () => {
+      window.APP_ENV = { ...completeEnv, S3_CDN_MAP: "}{" };
+      expect(cdnUtils.initCdnConfigFromEnv()).toBe(false);
+    });
+
+    it.each([
+      ["empty object", "{}"],
+      ["array", '["a","b"]'],
+      ["null", "null"],
+      ["number", "42"],
+      ["string", '"foo"'],
+    ])("returns false when S3_CDN_MAP parses to %s (not a non-empty object)", (_label, value) => {
+      window.APP_ENV = { ...completeEnv, S3_CDN_MAP: value };
+      expect(cdnUtils.initCdnConfigFromEnv()).toBe(false);
+    });
+
+    it("treats OVERRIDE_IMAGE_QUALITY values other than the string \"true\" as false", () => {
+      window.APP_ENV = {
+        CDN_HOSTNAME: "https://storage.crm.n.content-cdn.io",
+        CDN_IMG_TRANSFORMATION_URL_SUFFIX: "cdn-cgi/image",
+        CREATIVE_ASSETS_BUCKET_PATH: "intouch_creative_assets",
+        OVERRIDE_IMAGE_QUALITY: "no",
+        CDN_IMG_QUALITY_CFG: "{}",
+        IMAGE_QUALITY_MAPPING: "[]",
+        S3_CDN_MAP: '{"host.s3.amazonaws.com":{"cdn_host":"cdn.example.com","bucket_path":"x"}}',
+      };
+
+      cdnUtils.initCdnConfigFromEnv();
+      expect(localStorage.getItem("CREATIVES_CDN_OVERRIDE_DEFAULT_EMAIL_QUALITY")).toBe(undefined);
+    });
+
+    it("returns false and notifies Bugsnag when window.APP_ENV access throws", () => {
+      // Force the `window.APP_ENV` read inside initCdnConfigFromEnv to throw,
+      // which exercises the function's outer catch block.
+      Object.defineProperty(window, "APP_ENV", {
+        get() { throw new Error("APP_ENV access boom"); },
+        configurable: true,
+      });
+      const breadcrumbSpy = jest.spyOn(Bugsnag, "leaveBreadcrumb");
+
+      expect(cdnUtils.initCdnConfigFromEnv()).toBe(false);
+      expect(breadcrumbSpy).toHaveBeenCalledWith(
+        "initCdnConfigFromEnv failed to apply window.APP_ENV"
+      );
+      expect(bugsnagSpy).toHaveBeenCalled();
+    });
+  });
+
   describe("getEmailImageOverrideQuality()",()=>{
     it("Should return quality of last element in array if file size is greater than max provided in array",()=>{
       localStorage.setItem("CREATIVES_CDN_OVERRIDE_DEFAULT_EMAIL_QUALITY", "true");      

package/v2Containers/Templates/sagas.js

@@ -6,7 +6,7 @@ import { CapNotification } from '@capillarytech/cap-ui-library';
 // import { schema, normalize } from 'normalizr';
 import * as Api from '../../services/api';
 import * as types from './constants';
-import { saveCdnConfigs, removeAllCdnLocalStorageItems } from '../../utils/cdnTransformation';
+import { saveCdnConfigs, removeAllCdnLocalStorageItems, initCdnConfigFromEnv } from '../../utils/cdnTransformation';
 import { COPY_OF } from '../../constants/unified';
 import { ZALO_TEMPLATE_INFO_REQUEST } from '../Zalo/constants';
 import { getTemplateInfoById } from '../Zalo/saga';
@@ -107,6 +107,11 @@ export function* getOrgLevelCampaignSettings() {
 
 export function* getCdnTransformationConfig() {
   try {
+    // VAPT CAP-183204: prefer env vars injected via window.APP_ENV — avoids the
+    // API response that leaked CDN/S3 infrastructure details. Fallback to API
+    // keeps clusters that haven't received the env vars yet working during rollout.
+    if (initCdnConfigFromEnv()) return;
+
     const res = yield call(Api.getCdnTransformationConfig);
     if (res?.success && res?.status?.code === 200) {
       const cdnConfigs = res?.response;

package/v2Containers/Templates/tests/sagas.test.js

@@ -54,10 +54,25 @@ jest.mock('@capillarytech/cap-ui-library', () => ({
 }));
 
 describe('getCdnTransformationConfig saga', () => {
-  it("handle valid response from api", () => {
+  afterEach(() => {
+    delete window.APP_ENV;
+  });
+
+  it("short-circuits to env config and skips the API call when window.APP_ENV is set", async () => {
+    const initSpy = jest.spyOn(cdnUtils, "initCdnConfigFromEnv").mockReturnValue(true);
+    const apiSpy = jest.spyOn(api, "getCdnTransformationConfig");
+
+    await expectSaga(getCdnTransformationConfig).run();
+
+    expect(initSpy).toHaveBeenCalled();
+    expect(apiSpy).not.toHaveBeenCalled();
+  });
+
+  it("handle valid response from api", async () => {
+    jest.spyOn(cdnUtils, "initCdnConfigFromEnv").mockReturnValue(false);
     const saveCdnConfigsSpy = jest.spyOn(cdnUtils, "saveCdnConfigs");
 
-    expectSaga(getCdnTransformationConfig)
+    await expectSaga(getCdnTransformationConfig)
       .provide([
         [
           call(api.getCdnTransformationConfig),
@@ -68,13 +83,14 @@ describe('getCdnTransformationConfig saga', () => {
     expect(saveCdnConfigsSpy).toHaveBeenCalled();
   });
 
-    it("handle error response from api", () => {
+    it("handle error response from api", async () => {
+      jest.spyOn(cdnUtils, "initCdnConfigFromEnv").mockReturnValue(false);
       const removeAllCdnLocalStorageItemsSpy = jest.spyOn(
         cdnUtils,
         "removeAllCdnLocalStorageItems"
       );
 
-      expectSaga(getCdnTransformationConfig)
+      await expectSaga(getCdnTransformationConfig)
         .provide([
           [
             call(api.getCdnTransformationConfig),
@@ -85,7 +101,8 @@ describe('getCdnTransformationConfig saga', () => {
       expect(removeAllCdnLocalStorageItemsSpy).toHaveBeenCalled();
     });
 
-    it("remove localStorage items when an error is thrown", () => {
+    it("remove localStorage items when an error is thrown", async () => {
+        jest.spyOn(cdnUtils, "initCdnConfigFromEnv").mockReturnValue(false);
         const saveCdnConfigsSpy = jest.spyOn(cdnUtils, "saveCdnConfigs").mockImplementation(()=>{
             throw new Error()
         });
@@ -94,7 +111,7 @@ describe('getCdnTransformationConfig saga', () => {
             "removeAllCdnLocalStorageItems"
           );
 
-        expectSaga(getCdnTransformationConfig)
+        await expectSaga(getCdnTransformationConfig)
           .provide([
             [
               call(api.getCdnTransformationConfig),