create-nextblock 0.9.0 → 0.9.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (39) hide show
  1. package/bin/create-nextblock.js +40 -60
  2. package/docker-template/.env.docker.example +5 -4
  3. package/docker-template/Dockerfile +20 -3
  4. package/docker-template/docker-compose.yml +5 -1
  5. package/docker-template/scripts/docker-setup.mjs +19 -4
  6. package/package.json +1 -1
  7. package/templates/nextblock-template/Dockerfile +20 -3
  8. package/templates/nextblock-template/app/[slug]/page.tsx +5 -0
  9. package/templates/nextblock-template/app/actions.ts +58 -8
  10. package/templates/nextblock-template/app/api/cron/reset-sandbox/sandboxResetSql.ts +83 -0
  11. package/templates/nextblock-template/app/article/[slug]/page.tsx +5 -0
  12. package/templates/nextblock-template/app/cms/settings/security/actions.ts +30 -0
  13. package/templates/nextblock-template/app/cms/settings/security/components/SecurityPanel.tsx +69 -0
  14. package/templates/nextblock-template/app/layout.tsx +57 -3
  15. package/templates/nextblock-template/app/lib/site-settings.ts +22 -7
  16. package/templates/nextblock-template/app/page.tsx +6 -0
  17. package/templates/nextblock-template/app/product/[slug]/page.tsx +5 -0
  18. package/templates/nextblock-template/app/setup/SetupWizard.tsx +771 -0
  19. package/templates/nextblock-template/app/setup/layout.tsx +13 -0
  20. package/templates/nextblock-template/app/setup/page.tsx +103 -0
  21. package/templates/nextblock-template/components/AppShell.tsx +12 -0
  22. package/templates/nextblock-template/components/header-auth.tsx +24 -62
  23. package/templates/nextblock-template/docker-compose.yml +5 -1
  24. package/templates/nextblock-template/docs/11-SELF-HOSTED-DOCKER.md +173 -0
  25. package/templates/nextblock-template/docs/12-VERCEL-DEPLOYMENT.md +67 -0
  26. package/templates/nextblock-template/docs/README.md +2 -0
  27. package/templates/nextblock-template/lib/blocks/FeaturedProductBlock.tsx +1 -1
  28. package/templates/nextblock-template/lib/blocks/ProductGridBlock.tsx +1 -1
  29. package/templates/nextblock-template/lib/setup/actions.ts +370 -0
  30. package/templates/nextblock-template/lib/setup/env-status.ts +86 -0
  31. package/templates/nextblock-template/lib/setup/env-write.ts +111 -0
  32. package/templates/nextblock-template/lib/setup/provisioning.ts +59 -0
  33. package/templates/nextblock-template/lib/setup/schema-apply.ts +379 -0
  34. package/templates/nextblock-template/lib/setup/system-config.ts +105 -0
  35. package/templates/nextblock-template/lib/setup/types.ts +18 -0
  36. package/templates/nextblock-template/package.json +1 -1
  37. package/templates/nextblock-template/proxy.ts +143 -49
  38. package/templates/nextblock-template/scripts/docker-setup.mjs +19 -4
  39. package/templates/nextblock-template/tsconfig.tsbuildinfo +1 -1
@@ -1,5 +1,6 @@
1
1
  import { createServerClient, type CookieOptions } from '@supabase/ssr';
2
2
  import { NextResponse, type NextRequest } from 'next/server';
3
+ import type { SupabaseClient } from '@supabase/supabase-js';
3
4
  import type { Database } from '@nextblock-cms/db';
4
5
 
5
6
  type Profile = Database['public']['Tables']['profiles']['Row'];
@@ -42,6 +43,63 @@ function getRequiredRolesForPath(pathname: string): UserRole[] | null {
42
43
  return null;
43
44
  }
44
45
 
46
+ /**
47
+ * Paths that must stay reachable while the instance is unprovisioned: the wizard,
48
+ * its server actions/APIs, the auth callback, and framework internals. Everything
49
+ * else is redirected to /setup until a first admin exists.
50
+ */
51
+ function isSetupAllowlisted(pathname: string): boolean {
52
+ return (
53
+ pathname === '/setup' ||
54
+ pathname.startsWith('/setup/') ||
55
+ pathname.startsWith('/api/setup') ||
56
+ pathname.startsWith('/auth/') ||
57
+ pathname.startsWith('/_next/') ||
58
+ pathname.startsWith('/favicon')
59
+ );
60
+ }
61
+
62
+ // Module-level cache for the "has the first admin been created?" flag. Middleware
63
+ // modules persist across requests in a worker, so this avoids a per-request DB hit.
64
+ let provisionedAdminCache: { value: boolean; expires: number } | null = null;
65
+
66
+ /**
67
+ * Returns true once the system has a first admin (site_settings.is_admin_created).
68
+ * `is_admin_created` is a non-sensitive, anon-readable key, so the request-scoped
69
+ * anon client can read it. Cached aggressively once true (it never reverts) and
70
+ * briefly while false (so the gate releases promptly after the wizard runs).
71
+ * Fail-open: any read error returns true so a hiccup never traps the whole site.
72
+ */
73
+ async function hasProvisionedAdmin(supabase: SupabaseClient): Promise<boolean> {
74
+ const now = Date.now();
75
+ if (provisionedAdminCache && provisionedAdminCache.expires > now) {
76
+ return provisionedAdminCache.value;
77
+ }
78
+
79
+ try {
80
+ const { data, error } = await supabase
81
+ .from('site_settings')
82
+ .select('value')
83
+ .eq('key', 'is_admin_created')
84
+ .maybeSingle();
85
+
86
+ if (error) {
87
+ return true;
88
+ }
89
+
90
+ const hasAdmin = data?.value === true || data?.value === 'true';
91
+ // Cache "provisioned" for a long time (it never reverts); keep the unprovisioned
92
+ // window short so the gate releases promptly once the wizard creates the admin.
93
+ provisionedAdminCache = {
94
+ value: hasAdmin,
95
+ expires: now + (hasAdmin ? 10 * 60_000 : 3_000),
96
+ };
97
+ return hasAdmin;
98
+ } catch {
99
+ return true;
100
+ }
101
+ }
102
+
45
103
  function getHttpOrigin(value: string | undefined): string | null {
46
104
  if (!value) {
47
105
  return null;
@@ -110,11 +168,21 @@ function createRedirectResponse(
110
168
  return applySecurityHeaders(NextResponse.redirect(url), contentSecurityPolicy);
111
169
  }
112
170
 
113
- function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): string {
171
+ function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string | undefined): string {
114
172
  const isDev = process.env.NODE_ENV !== 'production';
115
- const parsedSupabaseUrl = new URL(supabaseUrl);
116
- const supabaseOrigin = parsedSupabaseUrl.origin;
117
- const supabaseRealtimeOrigin = `${parsedSupabaseUrl.protocol === 'https:' ? 'wss:' : 'ws:'}//${parsedSupabaseUrl.host}`;
173
+ // supabaseUrl is absent on an unconfigured instance (pre-/setup). Build the policy
174
+ // without Supabase origins in that case — uniqueSources() drops the null entries.
175
+ let supabaseOrigin: string | null = null;
176
+ let supabaseRealtimeOrigin: string | null = null;
177
+ if (supabaseUrl) {
178
+ try {
179
+ const parsedSupabaseUrl = new URL(supabaseUrl);
180
+ supabaseOrigin = parsedSupabaseUrl.origin;
181
+ supabaseRealtimeOrigin = `${parsedSupabaseUrl.protocol === 'https:' ? 'wss:' : 'ws:'}//${parsedSupabaseUrl.host}`;
182
+ } catch {
183
+ // malformed URL — treat as unconfigured for CSP purposes
184
+ }
185
+ }
118
186
  const assetSources = getAssetSources();
119
187
 
120
188
  const googleSources = [
@@ -126,15 +194,15 @@ function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): s
126
194
  'https://stats.g.doubleclick.net',
127
195
  ];
128
196
 
129
- const vercelSources = [
130
- 'https://vercel.live',
131
- 'https://vercel.com',
132
- 'https://assets.vercel.com',
133
- 'https://vitals.vercel-insights.com',
134
- 'https://*.vercel-insights.com',
135
- ];
136
- const vercelToolbarConnectSources = ['wss://ws-us3.pusher.com'];
137
- const turnstileSources = ['https://challenges.cloudflare.com'];
197
+ const vercelSources = [
198
+ 'https://vercel.live',
199
+ 'https://vercel.com',
200
+ 'https://assets.vercel.com',
201
+ 'https://vitals.vercel-insights.com',
202
+ 'https://*.vercel-insights.com',
203
+ ];
204
+ const vercelToolbarConnectSources = ['wss://ws-us3.pusher.com'];
205
+ const turnstileSources = ['https://challenges.cloudflare.com'];
138
206
 
139
207
  const developmentHttpSources = isDev
140
208
  ? [
@@ -161,21 +229,21 @@ function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): s
161
229
  "'self'",
162
230
  `'nonce-${nonceValue}'`,
163
231
  "'unsafe-inline'",
164
- "'unsafe-eval'",
165
- 'blob:',
166
- 'data:',
167
- ...vercelSources,
168
- ...turnstileSources,
169
- ...developmentHttpSources,
170
- ]
171
- : [
172
- "'self'",
173
- `'nonce-${nonceValue}'`,
174
- 'blob:',
175
- ...googleSources,
176
- ...vercelSources,
177
- ...turnstileSources,
178
- ],
232
+ "'unsafe-eval'",
233
+ 'blob:',
234
+ 'data:',
235
+ ...vercelSources,
236
+ ...turnstileSources,
237
+ ...developmentHttpSources,
238
+ ]
239
+ : [
240
+ "'self'",
241
+ `'nonce-${nonceValue}'`,
242
+ 'blob:',
243
+ ...googleSources,
244
+ ...vercelSources,
245
+ ...turnstileSources,
246
+ ],
179
247
  ),
180
248
  createDirective('script-src-attr', ["'none'"]),
181
249
  createDirective('style-src', [
@@ -205,25 +273,25 @@ function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): s
205
273
  "'self'",
206
274
  supabaseOrigin,
207
275
  supabaseRealtimeOrigin,
208
- ...assetSources,
209
- ...googleSources,
210
- ...vercelSources,
211
- ...vercelToolbarConnectSources,
212
- ...turnstileSources,
213
- ...developmentConnectSources,
214
- ]),
215
- createDirective('frame-src', [
216
- "'self'",
217
- 'blob:',
276
+ ...assetSources,
277
+ ...googleSources,
278
+ ...vercelSources,
279
+ ...vercelToolbarConnectSources,
280
+ ...turnstileSources,
281
+ ...developmentConnectSources,
282
+ ]),
283
+ createDirective('frame-src', [
284
+ "'self'",
285
+ 'blob:',
218
286
  'data:',
219
287
  'https://checkout.freemius.com',
220
288
  'https://www.youtube.com',
221
289
  'https://www.youtube-nocookie.com',
222
- 'https://player.vimeo.com',
223
- 'https://vercel.live',
224
- 'https://vercel.com',
225
- ...turnstileSources,
226
- ]),
290
+ 'https://player.vimeo.com',
291
+ 'https://vercel.live',
292
+ 'https://vercel.com',
293
+ ...turnstileSources,
294
+ ]),
227
295
  createDirective('media-src', ["'self'", 'data:', 'blob:', supabaseOrigin, ...assetSources]),
228
296
  createDirective('worker-src', ["'self'", 'blob:']),
229
297
  createDirective('manifest-src', ["'self'"]),
@@ -238,29 +306,44 @@ function createContentSecurityPolicy(nonceValue: string, supabaseUrl: string): s
238
306
  }
239
307
 
240
308
  export async function proxy(request: NextRequest) {
309
+ const { pathname } = request.nextUrl;
241
310
  const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
242
311
  const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
243
-
244
- if (!supabaseUrl || !supabaseAnonKey) {
245
- throw new Error('Missing required Supabase environment variables');
246
- }
312
+ const configured = Boolean(supabaseUrl && supabaseAnonKey);
313
+ process.env.NEXTBLOCK_UNCONFIGURED = configured ? 'false' : 'true';
247
314
 
248
315
  const requestHeaders = new Headers(request.headers);
249
316
  const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
250
317
  const contentSecurityPolicy = createContentSecurityPolicy(nonce, supabaseUrl);
251
318
 
252
319
  requestHeaders.set('x-nonce', nonce);
320
+ requestHeaders.set('x-nextblock-path', pathname);
253
321
  if (contentSecurityPolicy) {
254
322
  requestHeaders.set('Content-Security-Policy', contentSecurityPolicy);
255
323
  }
256
324
 
325
+ const allowlisted = isSetupAllowlisted(pathname);
326
+
327
+ // First-boot setup gate (unconfigured): no Supabase env yet, so the browser /setup
328
+ // wizard is the only thing that can run. Let allowlisted paths render with the
329
+ // nonce/CSP applied; redirect everything else to /setup. No Supabase work happens.
330
+ if (!configured) {
331
+ if (allowlisted) {
332
+ return applySecurityHeaders(
333
+ NextResponse.next({ request: { headers: requestHeaders } }),
334
+ contentSecurityPolicy,
335
+ );
336
+ }
337
+ return createRedirectResponse(new URL('/setup', request.url), contentSecurityPolicy);
338
+ }
339
+
257
340
  let response = NextResponse.next({
258
341
  request: {
259
342
  headers: requestHeaders,
260
343
  },
261
344
  });
262
345
 
263
- const supabase = createServerClient(supabaseUrl, supabaseAnonKey, {
346
+ const supabase = createServerClient(supabaseUrl as string, supabaseAnonKey as string, {
264
347
  cookies: {
265
348
  get(name: string) {
266
349
  return request.cookies.get(name)?.value;
@@ -293,7 +376,18 @@ export async function proxy(request: NextRequest) {
293
376
  data: { user },
294
377
  error: userError,
295
378
  } = await supabase.auth.getUser();
296
- const { pathname } = request.nextUrl;
379
+
380
+ // First-boot setup gate (configured but no admin yet, and nobody signed in): funnel
381
+ // anonymous traffic to /setup so the wizard can create the first admin. A logged-in
382
+ // user is proof the system is provisioned, so never gate them — this also prevents a
383
+ // redirect loop in the moment right after the wizard signs the new admin in. Cached
384
+ // + fail-open so a transient status error can't trap the whole site.
385
+ if (!user && !allowlisted && !(await hasProvisionedAdmin(supabase))) {
386
+ return createRedirectResponse(
387
+ new URL('/setup', request.url),
388
+ contentSecurityPolicy,
389
+ );
390
+ }
297
391
 
298
392
  if (pathname.startsWith('/cms')) {
299
393
  if (userError || !user) {
@@ -168,7 +168,6 @@ async function main() {
168
168
  ANON_KEY: `ANON_KEY=${anonKey}`,
169
169
  SERVICE_ROLE_KEY: `SERVICE_ROLE_KEY=${serviceRoleKey}`,
170
170
  NEXT_PUBLIC_SUPABASE_URL: 'NEXT_PUBLIC_SUPABASE_URL=http://localhost:8000',
171
- SUPABASE_INTERNAL_URL: 'SUPABASE_INTERNAL_URL=http://kong:8000',
172
171
  NEXT_PUBLIC_SUPABASE_ANON_KEY: `NEXT_PUBLIC_SUPABASE_ANON_KEY=${anonKey}`,
173
172
  SUPABASE_SERVICE_ROLE_KEY: `SUPABASE_SERVICE_ROLE_KEY=${serviceRoleKey}`,
174
173
  API_EXTERNAL_URL: 'API_EXTERNAL_URL=http://localhost:8000',
@@ -184,10 +183,14 @@ async function main() {
184
183
  R2_ACCOUNT_ID: 'R2_ACCOUNT_ID=minio',
185
184
  R2_REGION: 'R2_REGION=us-east-1',
186
185
  R2_S3_ENDPOINT: 'R2_S3_ENDPOINT=http://minio:9000',
187
- R2_S3_PUBLIC_ENDPOINT: 'R2_S3_PUBLIC_ENDPOINT=http://localhost:9000',
186
+ // Storage URLs use 127.0.0.1 (NOT localhost) on purpose: on localhost, cookies aren't
187
+ // port-scoped, so the browser would send the app's Supabase auth cookies to MinIO too — and
188
+ // MinIO rejects oversized header sets (MetadataTooLarge), breaking image display once cookies
189
+ // grow. 127.0.0.1 is a different cookie host, so the browser never sends them there.
190
+ R2_S3_PUBLIC_ENDPOINT: 'R2_S3_PUBLIC_ENDPOINT=http://127.0.0.1:9000',
188
191
  R2_FORCE_PATH_STYLE: 'R2_FORCE_PATH_STYLE=true',
189
- NEXT_PUBLIC_R2_BASE_URL: `NEXT_PUBLIC_R2_BASE_URL=http://localhost:9000/${bucket}`,
190
- NEXT_PUBLIC_R2_PUBLIC_URL: `NEXT_PUBLIC_R2_PUBLIC_URL=http://localhost:9000/${bucket}`,
192
+ NEXT_PUBLIC_R2_BASE_URL: `NEXT_PUBLIC_R2_BASE_URL=http://127.0.0.1:9000/${bucket}`,
193
+ NEXT_PUBLIC_R2_PUBLIC_URL: `NEXT_PUBLIC_R2_PUBLIC_URL=http://127.0.0.1:9000/${bucket}`,
191
194
  NEXT_PUBLIC_TURNSTILE_SITE_KEY: `NEXT_PUBLIC_TURNSTILE_SITE_KEY=${turnstileSiteKey}`,
192
195
  TURNSTILE_SECRET_KEY: `TURNSTILE_SECRET_KEY=${turnstileSecretKey}`,
193
196
  GOTRUE_MAILER_AUTOCONFIRM: `GOTRUE_MAILER_AUTOCONFIRM=${mailerAutoconfirm}`,
@@ -205,6 +208,18 @@ async function main() {
205
208
  await writeFile(ENV_PATH, nextEnv, 'utf8');
206
209
  console.log('✓ Wrote .env (Postgres, JWT secret + signed anon/service keys, MinIO, app secrets).\n');
207
210
 
211
+ // A brand-new .env means brand-new secrets. Postgres only runs its init scripts (which set role
212
+ // passwords) on an EMPTY volume, so a leftover volume from a previous install would keep the old
213
+ // credentials and GoTrue/PostgREST could not log in. Reset volumes when the config is fresh.
214
+ if (!existing) {
215
+ console.log('Fresh configuration — clearing any previous local sandbox volume so the database matches the new credentials...');
216
+ try {
217
+ await run(compose.cmd, [...compose.args, 'down', '-v'], { cwd: PROJECT_ROOT });
218
+ } catch {
219
+ /* nothing to tear down */
220
+ }
221
+ }
222
+
208
223
  console.log('Building and starting the stack (first run pulls images + builds the app — a few minutes)...');
209
224
  await run(compose.cmd, [...compose.args, 'up', '-d', '--build'], { cwd: PROJECT_ROOT });
210
225