chore: use explicit deployment URLs for versions for security

measuredco · Dec 13, 2023 · f03701c · f03701c
1 parent 60298ec
commit f03701c
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 53 deletions.
diff --git a/apps/docs/components/ReleaseSwitcher/index.tsx b/apps/docs/components/ReleaseSwitcher/index.tsx
@@ -5,6 +5,8 @@ import { getClassNameFactory } from "@/core/lib";
 
 import styles from "./styles.module.css";
 
+const BASE_URL = process.env.NEXT_PUBLIC_BASE_URL || "https://puckeditor.com";
+
 const { version } = packageJson;
 
 const getClassName = getClassNameFactory("ReleaseSwitcher", styles);
@@ -31,14 +33,11 @@ export const ReleaseSwitcher = () => {
   ]);
 
   useEffect(() => {
-    fetch("/api/releases").then(async (res) => {
+    fetch(`${BASE_URL}/api/releases`).then(async (res) => {
       const { releases } = await res.json();
-
-      if (releases.length === 0) return;
-
-      const releaseOptions = releases.map((release) => ({
-        label: release.name.split("releases/")[1],
-        value: release.name.split("releases/v")[1], // remove the leading `v`
+      const releaseOptions = Object.keys(releases).map((key) => ({
+        label: key,
+        value: key,
       }));
 
       releaseOptions[0].label = `${releaseOptions[0].label} (latest)`;
@@ -54,7 +53,7 @@ export const ReleaseSwitcher = () => {
       value={currentValue}
       onChange={(e) => {
         const newHref = e.currentTarget.value
-          ? `https://puckeditor.com/v/${e.currentTarget.value}`
+          ? `/v/${e.currentTarget.value}`
           : "https://puckeditor.com";
 
         if (window.parent) {

diff --git a/apps/docs/package.json b/apps/docs/package.json
@@ -16,7 +16,6 @@
     "typescript": "^4.5.3"
   },
   "dependencies": {
-    "lru-cache": "^10.1.0",
     "next": "^13.5.4",
     "nextra": "^2.13.2",
     "nextra-theme-docs": "^2.13.2",

diff --git a/apps/docs/pages/api/releases.ts b/apps/docs/pages/api/releases.ts
@@ -1,41 +1,13 @@
 import type { NextApiRequest, NextApiResponse } from "next";
-import { LRUCache } from "lru-cache";
 
-type ResponseData = {
-  releases: object;
-};
-
-const cache = new LRUCache({
-  ttl: 1000 * 60 * 2, // 2 minutes
-  ttlAutopurge: true,
-});
+import releases from "../../releases.json";
 
 /**
  * Proxy GitHub and rely on Next.js cache to prevent rate limiting
  */
 export default async function handler(
   req: NextApiRequest,
-  res: NextApiResponse<ResponseData>
+  res: NextApiResponse
 ) {
-  const cached = cache.get("releases");
-
-  if (cached) {
-    res.status(200).json({ releases: cached });
-
-    return;
-  }
-
-  const data = [{ name: "releases/v0.12.0", protected: false }];
-
-  const releases: { name: string; protected: boolean }[] = data
-    .filter(
-      (item) =>
-        item.name.indexOf("releases") === 0 &&
-        item.name.indexOf(`v0.11.`) === -1 // Filter out any release branches before v0.12.0
-    )
-    .reverse();
-
   res.status(200).json({ releases });
-
-  cache.set("releases", releases);
 }
diff --git a/apps/docs/pages/v/[[...fullPath]].tsx b/apps/docs/pages/v/[[...fullPath]].tsx
@@ -1,22 +1,33 @@
-import { useEffect } from "react";
+import { useEffect, useState } from "react";
 
 export type Message = {
   type: "routeChange";
   url?: string;
   title: string;
 };
 
-export default function Version({ path, version = "" }) {
-  const versionSlug = version.replace(/\./g, "");
+const BASE_URL = process.env.NEXT_PUBLIC_BASE_URL || "https://puckeditor.com";
 
-  const base =
-    version === "canary"
-      ? `https://puck-docs-git-main-measured.vercel.app`
-      : `https://puck-docs-git-releases-v${versionSlug}-measured.vercel.app`;
+export default function Version({ path, version = "" }) {
+  const [base, setBase] = useState("");
 
   const src = `${base}/${path}`;
 
   useEffect(() => {
+    fetch(`${BASE_URL}/api/releases`).then(async (res) => {
+      const { releases } = await res.json();
+
+      setBase(
+        version === "canary"
+          ? `https://puck-docs-git-main-measured.vercel.app`
+          : releases[version]
+      );
+    });
+  }, [version]);
+
+  useEffect(() => {
+    if (!base) return;
+
     const handleMessageReceived = (event: MessageEvent) => {
       if (event.data.type === "routeChange") {
         if (event.origin !== base) {
@@ -42,7 +53,9 @@ export default function Version({ path, version = "" }) {
     window.addEventListener("message", handleMessageReceived);
 
     return () => window.removeEventListener("message", handleMessageReceived);
-  }, []);
+  }, [base, version]);
+
+  if (!base) return <div />;
 
   return (
     <iframe

diff --git a/turbo.json b/turbo.json
@@ -4,7 +4,8 @@
   "globalEnv": [
     "NEXT_PUBLIC_PLAUSIBLE_DATA_DOMAIN",
     "NEXT_PUBLIC_IS_LATEST",
-    "NEXT_PUBLIC_IS_CANARY"
+    "NEXT_PUBLIC_IS_CANARY",
+    "NEXT_PUBLIC_BASE_URL"
   ],
   "pipeline": {
     "build": {

diff --git a/yarn.lock b/yarn.lock
@@ -8484,11 +8484,6 @@ lower-case@^1.1.0, lower-case@^1.1.1, lower-case@^1.1.2:
   resolved "https://registry.yarnpkg.com/lower-case/-/lower-case-1.1.4.tgz#9a2cabd1b9e8e0ae993a4bf7d5875c39c42e8eac"
   integrity sha512-2Fgx1Ycm599x+WGpIYwJOvsjmXFzTSc34IwDWALRA/8AopUKAVPwfJ+h5+f85BCp0PWmmJcWzEpxOpoXycMpdA==
 
-lru-cache@^10.1.0:
-  version "10.1.0"
-  resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-10.1.0.tgz#2098d41c2dc56500e6c88584aa656c84de7d0484"
-  integrity sha512-/1clY/ui8CzjKFyjdvwPWJUYKiFVXG2I2cY0ssG7h4+hwk+XOIX7ZSG9Q7TW8TW3Kp3BUSqgFWBLgL4PJ+Blag==
-
 lru-cache@^4.0.1:
   version "4.1.5"
   resolved "https://registry.yarnpkg.com/lru-cache/-/lru-cache-4.1.5.tgz#8bbe50ea85bed59bc9e33dcab8235ee9bcf443cd"