create-tigra 3.0.0 → 3.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/template/client/.env.example +19 -0
- package/template/client/Dockerfile +3 -3
- package/template/client/next.config.ts +7 -42
- package/template/client/package-lock.json +1896 -146
- package/template/client/package.json +2 -0
- package/template/client/src/app/layout.tsx +10 -3
- package/template/client/src/app/providers.tsx +15 -2
- package/template/client/src/instrumentation-client.ts +30 -0
- package/template/client/src/instrumentation.ts +38 -0
- package/template/client/src/lib/env.ts +13 -2
- package/template/client/src/middleware.ts +105 -18
- package/template/server/.env.example +269 -236
- package/template/server/.env.example.production +236 -208
- package/template/server/Dockerfile +7 -5
- package/template/server/docker-compose.yml +17 -0
- package/template/server/package-lock.json +2136 -86
- package/template/server/package.json +6 -0
- package/template/server/src/app.ts +335 -303
- package/template/server/src/config/env.ts +171 -143
- package/template/server/src/config/rate-limit.config.ts +6 -0
- package/template/server/src/libs/__tests__/auth-path.test.ts +24 -0
- package/template/server/src/libs/__tests__/client-ip.test.ts +121 -0
- package/template/server/src/libs/__tests__/ip-block.test.ts +62 -0
- package/template/server/src/libs/__tests__/url-safety.test.ts +80 -0
- package/template/server/src/libs/auth-path.ts +14 -0
- package/template/server/src/libs/client-ip.ts +77 -0
- package/template/server/src/libs/ip-block.ts +220 -212
- package/template/server/src/libs/logger.ts +15 -0
- package/template/server/src/libs/observability/sentry.ts +42 -0
- package/template/server/src/libs/query-counter.ts +59 -0
- package/template/server/src/libs/requestLogger.ts +8 -2
- package/template/server/src/libs/storage/file-storage.service.ts +144 -16
- package/template/server/src/libs/url-safety.ts +121 -0
- package/template/server/src/modules/admin/__tests__/admin.integration.test.ts +128 -0
- package/template/server/src/modules/auth/__tests__/auth.integration.test.ts +138 -0
- package/template/server/src/modules/auth/auth.controller.ts +128 -127
- package/template/server/src/modules/files/__tests__/files.integration.test.ts +157 -0
- package/template/server/src/modules/files/files.controller.ts +180 -0
- package/template/server/src/modules/files/files.routes.ts +46 -0
- package/template/server/src/server.ts +6 -0
- package/template/server/src/test/integration.setup.ts +170 -0
- package/template/server/vitest.config.ts +10 -1
- package/template/server/vitest.integration.config.ts +50 -0
|
@@ -8,11 +8,13 @@
|
|
|
8
8
|
"start": "next start",
|
|
9
9
|
"lint": "eslint src/",
|
|
10
10
|
"typecheck": "tsc --noEmit",
|
|
11
|
+
"audit": "npm audit --audit-level=high",
|
|
11
12
|
"generate:env": "node -e \"import('fs').then(f=>{if(f.existsSync('.env'))console.log('.env already exists, skipping');else{f.copyFileSync('.env.example','.env');console.log('.env created from .env.example')}})\""
|
|
12
13
|
},
|
|
13
14
|
"dependencies": {
|
|
14
15
|
"@hookform/resolvers": "^5.2.2",
|
|
15
16
|
"@reduxjs/toolkit": "^2.11.2",
|
|
17
|
+
"@sentry/nextjs": "^10.62.0",
|
|
16
18
|
"@tanstack/react-query": "^5.90.21",
|
|
17
19
|
"axios": "^1.13.5",
|
|
18
20
|
"class-variance-authority": "^0.7.1",
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { headers } from 'next/headers';
|
|
1
2
|
import type { Metadata, Viewport } from 'next';
|
|
2
3
|
import type React from 'react';
|
|
3
4
|
import { Inter, JetBrains_Mono } from 'next/font/google';
|
|
@@ -27,15 +28,21 @@ export const viewport: Viewport = {
|
|
|
27
28
|
viewportFit: 'cover',
|
|
28
29
|
};
|
|
29
30
|
|
|
30
|
-
export default function RootLayout({
|
|
31
|
+
export default async function RootLayout({
|
|
31
32
|
children,
|
|
32
33
|
}: Readonly<{
|
|
33
34
|
children: React.ReactNode;
|
|
34
|
-
}>): React.ReactElement {
|
|
35
|
+
}>): Promise<React.ReactElement> {
|
|
36
|
+
// Read the per-request nonce set by middleware. next-themes injects an inline
|
|
37
|
+
// anti-FOUC <script> via dangerouslySetInnerHTML that Next does NOT auto-nonce,
|
|
38
|
+
// so under our 'strict-dynamic' CSP it must be passed the nonce explicitly or
|
|
39
|
+
// the browser refuses it (causing a flash / hydration mismatch).
|
|
40
|
+
const nonce = (await headers()).get('x-nonce') ?? undefined;
|
|
41
|
+
|
|
35
42
|
return (
|
|
36
43
|
<html lang="en" suppressHydrationWarning>
|
|
37
44
|
<body className={`${inter.variable} ${jetbrainsMono.variable} font-sans antialiased`}>
|
|
38
|
-
<Providers>{children}</Providers>
|
|
45
|
+
<Providers nonce={nonce}>{children}</Providers>
|
|
39
46
|
</body>
|
|
40
47
|
</html>
|
|
41
48
|
);
|
|
@@ -11,7 +11,15 @@ import { Toaster } from 'sonner';
|
|
|
11
11
|
import { store } from '@/store';
|
|
12
12
|
import { AuthInitializer } from '@/features/auth/components/AuthInitializer';
|
|
13
13
|
|
|
14
|
-
export function Providers({
|
|
14
|
+
export function Providers({
|
|
15
|
+
children,
|
|
16
|
+
nonce,
|
|
17
|
+
}: {
|
|
18
|
+
children: React.ReactNode;
|
|
19
|
+
// Per-request CSP nonce from middleware (via the root layout). Forwarded to
|
|
20
|
+
// next-themes so its inline anti-FOUC script is allowed under 'strict-dynamic'.
|
|
21
|
+
nonce?: string;
|
|
22
|
+
}): React.ReactElement {
|
|
15
23
|
const [queryClient] = useState(
|
|
16
24
|
() =>
|
|
17
25
|
new QueryClient({
|
|
@@ -30,7 +38,12 @@ export function Providers({ children }: { children: React.ReactNode }): React.Re
|
|
|
30
38
|
return (
|
|
31
39
|
<ReduxProvider store={store}>
|
|
32
40
|
<QueryClientProvider client={queryClient}>
|
|
33
|
-
<ThemeProvider
|
|
41
|
+
<ThemeProvider
|
|
42
|
+
attribute="class"
|
|
43
|
+
defaultTheme="light"
|
|
44
|
+
enableColorScheme={false}
|
|
45
|
+
nonce={nonce}
|
|
46
|
+
>
|
|
34
47
|
<AuthInitializer>
|
|
35
48
|
{children}
|
|
36
49
|
</AuthInitializer>
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Browser (client) instrumentation — env-gated Sentry, INERT by default.
|
|
3
|
+
*
|
|
4
|
+
* Next.js 15.3+/16 loads this module in the browser before the app hydrates.
|
|
5
|
+
* We init Sentry ONLY when the public DSN is set, so with no DSN this file is a
|
|
6
|
+
* no-op and ships nothing that phones home.
|
|
7
|
+
*
|
|
8
|
+
* `process.env.NEXT_PUBLIC_*` is inlined at build time by Next — reference it
|
|
9
|
+
* literally (not via a computed key) so the value is statically replaced.
|
|
10
|
+
*
|
|
11
|
+
* Like the server side, this stays runtime + env-gated: we do NOT wrap
|
|
12
|
+
* next.config.ts with `withSentryConfig` (that would couple `next build` to a
|
|
13
|
+
* source-map upload auth token). withSentryConfig is the opt-in upgrade.
|
|
14
|
+
*/
|
|
15
|
+
import * as Sentry from '@sentry/nextjs';
|
|
16
|
+
|
|
17
|
+
const dsn = process.env.NEXT_PUBLIC_SENTRY_DSN;
|
|
18
|
+
|
|
19
|
+
if (dsn) {
|
|
20
|
+
Sentry.init({
|
|
21
|
+
dsn,
|
|
22
|
+
tracesSampleRate: process.env.NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
|
|
23
|
+
? Number(process.env.NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE)
|
|
24
|
+
: 0.1,
|
|
25
|
+
});
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
// Instruments App Router navigations for tracing. Harmless when Sentry is
|
|
29
|
+
// uninitialized (no DSN).
|
|
30
|
+
export const onRouterTransitionStart = Sentry.captureRouterTransitionStart;
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Server/Edge runtime instrumentation — env-gated Sentry, INERT by default.
|
|
3
|
+
*
|
|
4
|
+
* Next.js calls `register()` once per server runtime at startup. We init Sentry
|
|
5
|
+
* ONLY when a DSN is present (a server `SENTRY_DSN`, or the public DSN shared
|
|
6
|
+
* with the browser), so with no DSN this is a clean no-op and `next build`
|
|
7
|
+
* succeeds with zero Sentry credentials.
|
|
8
|
+
*
|
|
9
|
+
* NOTE: we deliberately do NOT wrap next.config.ts with `withSentryConfig`.
|
|
10
|
+
* That adds build-time source-map upload which requires a SENTRY_AUTH_TOKEN and
|
|
11
|
+
* would couple `next build` to credentials. Source-map upload is the opt-in
|
|
12
|
+
* upgrade — add `withSentryConfig` + an auth token when you want it. This setup
|
|
13
|
+
* stays purely runtime + env-gated.
|
|
14
|
+
*/
|
|
15
|
+
import * as Sentry from '@sentry/nextjs';
|
|
16
|
+
|
|
17
|
+
const dsn = process.env.NEXT_PUBLIC_SENTRY_DSN ?? process.env.SENTRY_DSN;
|
|
18
|
+
|
|
19
|
+
const tracesSampleRate = process.env.NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE
|
|
20
|
+
? Number(process.env.NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE)
|
|
21
|
+
: 0.1;
|
|
22
|
+
|
|
23
|
+
export async function register(): Promise<void> {
|
|
24
|
+
// No DSN → stay inert.
|
|
25
|
+
if (!dsn) return;
|
|
26
|
+
|
|
27
|
+
if (process.env.NEXT_RUNTIME === 'nodejs' || process.env.NEXT_RUNTIME === 'edge') {
|
|
28
|
+
Sentry.init({
|
|
29
|
+
dsn,
|
|
30
|
+
tracesSampleRate,
|
|
31
|
+
environment: process.env.SENTRY_ENVIRONMENT ?? process.env.NODE_ENV,
|
|
32
|
+
});
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
// Capture errors from Server Components, route handlers, and middleware.
|
|
37
|
+
// Safe no-op when Sentry was never initialized (no DSN).
|
|
38
|
+
export const onRequestError = Sentry.captureRequestError;
|
|
@@ -1,19 +1,30 @@
|
|
|
1
1
|
import { z } from 'zod';
|
|
2
2
|
|
|
3
|
-
// Every field MUST have a .default() so the dev fallback
|
|
4
|
-
// can produce valid defaults when env vars are missing in
|
|
3
|
+
// Every required field MUST have a .default() so the dev fallback
|
|
4
|
+
// (envSchema.parse({})) can produce valid defaults when env vars are missing in
|
|
5
|
+
// development. Genuinely optional integrations (e.g. Sentry) use .optional()
|
|
6
|
+
// instead — unset means "disabled", and the build must pass with them absent.
|
|
5
7
|
const envSchema = z.object({
|
|
6
8
|
NEXT_PUBLIC_API_BASE_URL: z
|
|
7
9
|
.string()
|
|
8
10
|
.url('NEXT_PUBLIC_API_BASE_URL must be a valid URL')
|
|
9
11
|
.default('http://localhost:8000/api/v1'),
|
|
10
12
|
NEXT_PUBLIC_APP_NAME: z.string().default('My App'),
|
|
13
|
+
|
|
14
|
+
// --- Error Tracking (Optional, Sentry) ---
|
|
15
|
+
// Inert without a DSN: instrumentation only inits Sentry when this is set.
|
|
16
|
+
// Optional so `next build` passes with it unset. Never hardcode a DSN.
|
|
17
|
+
NEXT_PUBLIC_SENTRY_DSN: z.string().url().optional(),
|
|
18
|
+
// Fraction of transactions sampled for browser performance tracing (0..1).
|
|
19
|
+
NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE: z.coerce.number().min(0).max(1).optional(),
|
|
11
20
|
});
|
|
12
21
|
|
|
13
22
|
function validateEnv(): z.infer<typeof envSchema> {
|
|
14
23
|
const result = envSchema.safeParse({
|
|
15
24
|
NEXT_PUBLIC_API_BASE_URL: process.env.NEXT_PUBLIC_API_BASE_URL,
|
|
16
25
|
NEXT_PUBLIC_APP_NAME: process.env.NEXT_PUBLIC_APP_NAME,
|
|
26
|
+
NEXT_PUBLIC_SENTRY_DSN: process.env.NEXT_PUBLIC_SENTRY_DSN,
|
|
27
|
+
NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE: process.env.NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE,
|
|
17
28
|
});
|
|
18
29
|
|
|
19
30
|
if (!result.success) {
|
|
@@ -14,9 +14,94 @@ function isTokenExpired(token: string): boolean {
|
|
|
14
14
|
}
|
|
15
15
|
}
|
|
16
16
|
|
|
17
|
+
/**
|
|
18
|
+
* Derive the origin (scheme://host[:port]) of a URL, falling back to the input
|
|
19
|
+
* when it can't be parsed. Used to turn NEXT_PUBLIC_API_BASE_URL (which may
|
|
20
|
+
* carry a path like .../api/v1) and the Sentry DSN into bare CSP source values.
|
|
21
|
+
*/
|
|
22
|
+
function toOrigin(url: string | undefined): string | null {
|
|
23
|
+
if (!url) return null;
|
|
24
|
+
try {
|
|
25
|
+
return new URL(url).origin;
|
|
26
|
+
} catch {
|
|
27
|
+
return null;
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
const apiOrigin = toOrigin(process.env.NEXT_PUBLIC_API_BASE_URL) ?? 'http://localhost:8000';
|
|
32
|
+
// When Sentry is configured, its browser SDK POSTs envelopes to the DSN origin;
|
|
33
|
+
// it must be allowed in connect-src or every error report is blocked by CSP.
|
|
34
|
+
const sentryOrigin = toOrigin(process.env.NEXT_PUBLIC_SENTRY_DSN);
|
|
35
|
+
|
|
36
|
+
/**
|
|
37
|
+
* Build the per-request Content-Security-Policy. A fresh nonce is minted for
|
|
38
|
+
* every request and threaded onto Next's own scripts (see middleware below), so
|
|
39
|
+
* 'strict-dynamic' can trust them while refusing any attacker-injected inline
|
|
40
|
+
* script that lacks the nonce.
|
|
41
|
+
*
|
|
42
|
+
* DEV relaxes script-src with 'unsafe-eval' (Next's HMR/react-refresh evals) and
|
|
43
|
+
* style-src with 'unsafe-inline' (the dev overlay injects inline styles). PROD
|
|
44
|
+
* is strict. Style-src keeps 'unsafe-inline' in PROD too: Tailwind v4 and some
|
|
45
|
+
* libraries emit inline <style>/style="" that a nonce cannot cover and that a
|
|
46
|
+
* strict style-src would REFUSE, breaking the page. Inline styles cannot
|
|
47
|
+
* exfiltrate data the way inline scripts can, so this is an accepted tradeoff —
|
|
48
|
+
* the high-value half (the strict, nonce-gated script-src) stays intact.
|
|
49
|
+
*/
|
|
50
|
+
function buildCsp(nonce: string, isProd: boolean): string {
|
|
51
|
+
const connectSrc = ["'self'", apiOrigin, sentryOrigin].filter(Boolean).join(' ');
|
|
52
|
+
|
|
53
|
+
const scriptSrc = isProd
|
|
54
|
+
? `'self' 'nonce-${nonce}' 'strict-dynamic' https:`
|
|
55
|
+
: `'self' 'nonce-${nonce}' 'strict-dynamic' 'unsafe-eval' https:`;
|
|
56
|
+
|
|
57
|
+
// 'unsafe-inline' in style-src in BOTH modes (see note above).
|
|
58
|
+
const styleSrc = `'self' 'unsafe-inline'`;
|
|
59
|
+
|
|
60
|
+
return [
|
|
61
|
+
`default-src 'self'`,
|
|
62
|
+
`script-src ${scriptSrc}`,
|
|
63
|
+
`style-src ${styleSrc}`,
|
|
64
|
+
`img-src 'self' blob: data: ${apiOrigin}`,
|
|
65
|
+
`font-src 'self'`,
|
|
66
|
+
`connect-src ${connectSrc}`,
|
|
67
|
+
`object-src 'none'`,
|
|
68
|
+
`base-uri 'none'`,
|
|
69
|
+
`form-action 'self'`,
|
|
70
|
+
`frame-ancestors 'none'`,
|
|
71
|
+
`upgrade-insecure-requests`,
|
|
72
|
+
].join('; ');
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
/**
|
|
76
|
+
* Attach the static security headers shared by every response. HSTS is
|
|
77
|
+
* deliberately NOT set here — it is managed at the Cloudflare edge.
|
|
78
|
+
*/
|
|
79
|
+
function applySecurityHeaders(response: NextResponse): NextResponse {
|
|
80
|
+
response.headers.set('X-Content-Type-Options', 'nosniff');
|
|
81
|
+
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
|
|
82
|
+
// Redundant with frame-ancestors 'none' but harmless for legacy browsers.
|
|
83
|
+
response.headers.set('X-Frame-Options', 'DENY');
|
|
84
|
+
return response;
|
|
85
|
+
}
|
|
86
|
+
|
|
17
87
|
export function middleware(request: NextRequest): NextResponse {
|
|
18
88
|
const { pathname } = request.nextUrl;
|
|
19
89
|
|
|
90
|
+
const isProd = process.env.NODE_ENV === 'production';
|
|
91
|
+
|
|
92
|
+
// --- Per-request nonce + CSP (canonical Next.js pattern) ---
|
|
93
|
+
// base64-encoded random UUID. Minted fresh per request so 'strict-dynamic'
|
|
94
|
+
// only trusts scripts we (and Next) emit this request.
|
|
95
|
+
const nonce = Buffer.from(crypto.randomUUID()).toString('base64');
|
|
96
|
+
const cspHeader = buildCsp(nonce, isProd);
|
|
97
|
+
|
|
98
|
+
// Propagate the nonce + CSP on the REQUEST headers. Next reads the CSP from
|
|
99
|
+
// the request to extract the nonce and stamps it onto its own <script> tags;
|
|
100
|
+
// without this, strict-dynamic would refuse Next's scripts and break the page.
|
|
101
|
+
const requestHeaders = new Headers(request.headers);
|
|
102
|
+
requestHeaders.set('x-nonce', nonce);
|
|
103
|
+
requestHeaders.set('content-security-policy', cspHeader);
|
|
104
|
+
|
|
20
105
|
// NOTE: This middleware only checks COOKIE PRESENCE (and a best-effort,
|
|
21
106
|
// unverified exp claim) for UX-level routing — redirecting users who are
|
|
22
107
|
// obviously logged out away from protected pages. It does NOT verify the
|
|
@@ -29,36 +114,38 @@ export function middleware(request: NextRequest): NextResponse {
|
|
|
29
114
|
const isProtectedPath = protectedPaths.some((path) => pathname.startsWith(path));
|
|
30
115
|
|
|
31
116
|
if (isProtectedPath) {
|
|
32
|
-
// No access_token AND no auth_session — truly unauthenticated
|
|
117
|
+
// No access_token AND no auth_session — truly unauthenticated.
|
|
33
118
|
if (!accessToken && !authSession) {
|
|
34
119
|
const loginUrl = new URL('/login', request.url);
|
|
35
120
|
loginUrl.searchParams.set('from', pathname);
|
|
36
|
-
|
|
121
|
+
const redirect = NextResponse.redirect(loginUrl);
|
|
122
|
+
redirect.headers.set('content-security-policy', cspHeader);
|
|
123
|
+
return applySecurityHeaders(redirect);
|
|
37
124
|
}
|
|
125
|
+
}
|
|
38
126
|
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
127
|
+
// Single .next() response carrying the propagated request headers, the CSP
|
|
128
|
+
// (also on the response, for the browser), and the static security headers.
|
|
129
|
+
const response = NextResponse.next({ request: { headers: requestHeaders } });
|
|
130
|
+
response.headers.set('content-security-policy', cspHeader);
|
|
131
|
+
applySecurityHeaders(response);
|
|
44
132
|
|
|
45
|
-
|
|
133
|
+
if (isProtectedPath) {
|
|
134
|
+
// No access_token BUT auth_session exists — session is alive, let through
|
|
135
|
+
// so client-side can do getMe() → 401 → refresh → retry.
|
|
136
|
+
// (response already passes through; nothing extra needed here.)
|
|
137
|
+
|
|
138
|
+
// Expired access_token — delete stale cookie, let through for client refresh.
|
|
46
139
|
if (accessToken && isTokenExpired(accessToken)) {
|
|
47
|
-
const response = NextResponse.next();
|
|
48
140
|
response.cookies.delete('access_token');
|
|
49
|
-
return response;
|
|
50
141
|
}
|
|
51
|
-
|
|
52
|
-
return NextResponse.next();
|
|
53
142
|
}
|
|
54
143
|
|
|
55
|
-
return
|
|
144
|
+
return response;
|
|
56
145
|
}
|
|
57
146
|
|
|
58
147
|
export const config = {
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
'/admin/:path*',
|
|
63
|
-
],
|
|
148
|
+
// Apply security headers site-wide, but skip Next's static assets and the
|
|
149
|
+
// favicon (no CSP needed on immutable static files / images).
|
|
150
|
+
matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
|
|
64
151
|
};
|