-
Notifications
You must be signed in to change notification settings - Fork 200
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: run dist with environment variables kyb-app #2645
base: dev
Are you sure you want to change the base?
Changes from all commits
10936ef
e5c465e
67ba0f0
79908d6
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
@@ -0,0 +1,46 @@ | ||||||||||||||||||
#!/usr/bin/env sh | ||||||||||||||||||
|
||||||||||||||||||
if [[ -z "$VITE_DOMAIN" ]] | ||||||||||||||||||
then | ||||||||||||||||||
VITE_DOMAIN="http://localhost:3000" | ||||||||||||||||||
fi | ||||||||||||||||||
|
||||||||||||||||||
if [[ -z "$VITE_API_KEY" ]] | ||||||||||||||||||
then | ||||||||||||||||||
VITE_API_KEY="secret" | ||||||||||||||||||
fi | ||||||||||||||||||
Comment on lines
+8
to
+11
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Security: Avoid hardcoding default API key Using a hardcoded default API key ("secret") could be dangerous if accidentally used in non-local environments. Consider:
- VITE_API_KEY="secret"
+ VITE_API_KEY=$(openssl rand -hex 16) 📝 Committable suggestion
Suggested change
🧰 Tools🪛 Shellcheck[warning] 8-8: In POSIX sh, [[ ]] is undefined. (SC3010) |
||||||||||||||||||
|
||||||||||||||||||
if [[ -z "$VITE_ENVIRONMENT_NAME" ]] | ||||||||||||||||||
then | ||||||||||||||||||
VITE_ENVIRONMENT_NAME=local | ||||||||||||||||||
fi | ||||||||||||||||||
|
||||||||||||||||||
|
||||||||||||||||||
if [[ -z "$VITE_DEFAULT_EXAMPLE_TOKEN" ]] | ||||||||||||||||||
then | ||||||||||||||||||
VITE_DEFAULT_EXAMPLE_TOKEN=12345678-1234-1234-1234-123456789012 | ||||||||||||||||||
fi | ||||||||||||||||||
|
||||||||||||||||||
if [[ -z "$VITE_SENTRY_AUTH_TOKEN" ]] | ||||||||||||||||||
then | ||||||||||||||||||
VITE_SENTRY_AUTH_TOKEN="" | ||||||||||||||||||
fi | ||||||||||||||||||
|
||||||||||||||||||
if [[ -z "$VITE_SENTRY_DSN" ]] | ||||||||||||||||||
then | ||||||||||||||||||
VITE_SENTRY_DSN="" | ||||||||||||||||||
fi | ||||||||||||||||||
Comment on lines
+3
to
+32
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛠️ Refactor suggestion Add validation and logging for environment variables The script silently falls back to defaults without any validation or logging, which could mask configuration issues. Consider adding:
+log_default() {
+ echo "Warning: $1 not set, using default value: $2"
+}
if [ -z "$VITE_DOMAIN" ]
then
+ log_default "VITE_DOMAIN" "http://localhost:3000"
VITE_DOMAIN="http://localhost:3000"
+elif ! echo "$VITE_DOMAIN" | grep -qE '^https?://'
+then
+ echo "Error: VITE_DOMAIN must start with http:// or https://"
+ exit 1
fi
🧰 Tools🪛 Shellcheck[warning] 3-3: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 8-8: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 13-13: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 19-19: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 24-24: In POSIX sh, [[ ]] is undefined. (SC3010) [warning] 29-29: In POSIX sh, [[ ]] is undefined. (SC3010) |
||||||||||||||||||
|
||||||||||||||||||
cat << EOF > /usr/share/nginx/html/config.js | ||||||||||||||||||
globalThis.env = { | ||||||||||||||||||
VITE_API_URL: "$VITE_DOMAIN/api/v1/", | ||||||||||||||||||
VITE_API_KEY: "$VITE_API_KEY", | ||||||||||||||||||
VITE_ENVIRONMENT_NAME: "$VITE_ENVIRONMENT_NAME", | ||||||||||||||||||
VITE_DEFAULT_EXAMPLE_TOKEN: "$VITE_DEFAULT_EXAMPLE_TOKEN", | ||||||||||||||||||
VITE_SENTRY_AUTH_TOKEN: "$VITE_SENTRY_AUTH_TOKEN", | ||||||||||||||||||
VITE_SENTRY_DSN: "$VITE_SENTRY_DSN", | ||||||||||||||||||
} | ||||||||||||||||||
EOF | ||||||||||||||||||
Comment on lines
+34
to
+43
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Security: Reconsider config file location and format Writing configuration with sensitive values to Consider:
cat << EOF > /usr/share/nginx/html/config.js
globalThis.env = {
VITE_API_URL: "$VITE_DOMAIN/api/v1/",
- VITE_API_KEY: "$VITE_API_KEY",
VITE_ENVIRONMENT_NAME: "$VITE_ENVIRONMENT_NAME",
- VITE_DEFAULT_EXAMPLE_TOKEN: "$VITE_DEFAULT_EXAMPLE_TOKEN",
- VITE_SENTRY_AUTH_TOKEN: "$VITE_SENTRY_AUTH_TOKEN",
VITE_SENTRY_DSN: "$VITE_SENTRY_DSN",
}
EOF
+
+# Add security headers to nginx config
+cat << EOF > /etc/nginx/conf.d/security-headers.conf
+add_header Content-Security-Policy "default-src 'self';" always;
+add_header X-Content-Type-Options "nosniff" always;
+EOF
|
||||||||||||||||||
|
||||||||||||||||||
# Handle CMD command | ||||||||||||||||||
exec "$@" |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
declare global { | ||
export var env: { [key: string]: any }; | ||
} | ||
Comment on lines
+1
to
+3
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛠️ Refactor suggestion Consider improving type safety and documentation While the implementation works, there are several improvements that could make it more robust and maintainable:
Consider this improved implementation: +/**
+ * Global environment configuration interface.
+ * Initialized at runtime via config.js and provides access to environment variables.
+ * @example
+ * // Access API URL
+ * globalThis.env.VITE_API_URL
+ */
declare global {
- export var env: { [key: string]: any };
+ export interface EnvConfig {
+ VITE_API_URL: string;
+ // Add other expected environment variables with their specific types
+ }
+
+ export var env: Readonly<EnvConfig>;
}
💡 Codebase verification Environment variable access patterns need standardization The codebase shows inconsistent patterns for accessing environment variables:
Key issues:
🔗 Analysis chainVerify environment variable usage across the application Let's ensure all environment variable accesses are consistent with this global declaration. 🏁 Scripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Search for environment variable access patterns
echo "Checking direct process.env usage (should be replaced with globalThis.env):"
rg "process\.env\." apps/kyb-app/
echo -e "\nChecking import.meta.env usage (should be used only during initialization):"
rg "import\.meta\.env" apps/kyb-app/
echo -e "\nChecking globalThis.env usage (preferred pattern):"
rg "globalThis\.env" apps/kyb-app/
Length of output: 3090 |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,6 +7,7 @@ | |
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" /> | ||
<meta name="viewport" content="width=device-width, initial-scale=1.0" /> | ||
<title>KYB - Collection Flow</title> | ||
<script type="text/javascript" src="/config.js"></script> | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. wrong path There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No in the dist index.html and config.js stay in the same directory There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 💡 Codebase verification Security: Environment variables exposed in public config.js require attention The following sensitive variables are being exposed in the publicly accessible config.js:
Recommendations:
🔗 Analysis chainSecurity: Review environment variable exposure. Since Let's check what environment variables are being exposed: Let me gather more specific information about the environment variables being exposed in the config.js file. 🏁 Scripts executedThe following scripts were executed for the analysis: Script: #!/bin/bash
# Description: Check for potential sensitive environment variables in the configuration
# Expected: Only safe, public variables should be exposed
# Search for environment variable assignments in entrypoint.sh
rg -A 5 "globalThis.env = {"
# Look for potentially sensitive patterns in environment variable names
rg -i "key|token|secret|password|credential" apps/kyb-app/
Length of output: 15749 Script: #!/bin/bash
# Check the actual content of config.js to see what variables are exposed
cat apps/kyb-app/public/config.js
# Also check entrypoint.sh to see how the config is generated
cat apps/kyb-app/entrypoint.sh
Length of output: 1523 |
||
</head> | ||
<body> | ||
<div id="root"></div> | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
globalThis.env = { | ||
VITE_API_URL: import.meta.env.VITE_API_URL || 'http://google.com', | ||
VITE_KYB_DEFINITION_ID: | ||
import.meta.env.VITE_KYB_DEFINITION_ID || 'kyb_parent_kyc_session_example', | ||
VITE_API_KEY: import.meta.env.VITE_API_KEY || 'secret', | ||
VITE_ENVIRONMENT_NAME: import.meta.env.VITE_ENVIRONMENT_NAME || 'local', | ||
VITE_DEFAULT_EXAMPLE_TOKEN: | ||
import.meta.env.VITE_DEFAULT_EXAMPLE_TOKEN || '12345678-1234-1234-1234-123456789012', | ||
Comment on lines
+7
to
+8
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Remove default authentication token The default example token should not be included in the source code, even as a fallback. This could lead to unintended authentication if the environment variable is not properly set. - VITE_DEFAULT_EXAMPLE_TOKEN:
- import.meta.env.VITE_DEFAULT_EXAMPLE_TOKEN || '12345678-1234-1234-1234-123456789012',
+ VITE_DEFAULT_EXAMPLE_TOKEN: '{{VITE_DEFAULT_EXAMPLE_TOKEN}}',
|
||
VITE_SENTRY_AUTH_TOKEN: import.meta.env.VITE_SENTRY_AUTH_TOKEN || '', | ||
VITE_SENTRY_DSN: import.meta.env.VITE_SENTRY_DSN || '', | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fix shell compatibility issues
The script uses
#!/usr/bin/env sh
but contains bash-specific[[
syntax. This will fail in containers with only POSIX sh.Either: