archetecture security fix

This commit is contained in:
root
2026-06-11 03:22:12 -04:00
parent 6def9993da
commit 9483750161
3126 changed files with 177194 additions and 37211 deletions
+86
View File
@@ -0,0 +1,86 @@
/** @type {import('next').NextConfig} */
const securityHeaders = [
{ key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
{
key: 'Content-Security-Policy',
value: [
"default-src 'self'",
"script-src 'self' 'unsafe-inline'",
"style-src 'self' 'unsafe-inline'",
"img-src 'self' data: blob: https:",
"font-src 'self' data:",
"connect-src 'self' https: wss:",
"frame-ancestors 'none'",
"base-uri 'self'",
"form-action 'self'",
"object-src 'none'",
].join('; '),
},
]
const toStoragePattern = (rawUrl) => {
try {
const u = new URL(rawUrl.replace(/\/api\/v1\/?$/, ''))
return {
protocol: u.protocol.replace(':', ''),
hostname: u.hostname,
...(u.port ? { port: u.port } : {}),
pathname: '/storage/**',
}
} catch {
return null
}
}
const storagePatterns = [
process.env.API_INTERNAL_URL ?? 'http://localhost:4000',
process.env.API_URL,
process.env.NEXT_PUBLIC_API_URL,
]
.filter(Boolean)
.map(toStoragePattern)
.filter(Boolean)
.filter((p, i, arr) => arr.findIndex((q) => q.hostname === p.hostname && q.port === p.port) === i)
// In Docker dev the dashboard app runs on port 3001 while the marketplace proxy
// is served from port 3000. When DASHBOARD_ASSET_PREFIX is set, Next should emit
// absolute chunk URLs so /dashboard pages load their own JS/CSS from port 3001.
const assetPrefix = process.env.DASHBOARD_ASSET_PREFIX || undefined
const nextConfig = {
basePath: '/dashboard',
...(assetPrefix ? { assetPrefix } : {}),
images: {
remotePatterns: [
{
protocol: 'https',
hostname: 'res.cloudinary.com',
},
...storagePatterns,
],
},
transpilePackages: ['@rentaldrivego/types'],
async headers() {
return [
{
source: '/:path*',
headers: securityHeaders,
},
]
},
async rewrites() {
const apiOrigin = (process.env.API_INTERNAL_URL ?? process.env.API_URL ?? 'http://localhost:4000').replace(/\/api\/v1\/?$/, '')
return [
{
source: '/api/:path*',
destination: `${apiOrigin}/api/:path*`,
},
]
},
}
module.exports = nextConfig