Cookies validation and Security Guidelines (#242)

* Add OTP and security guidelines documentation and additional checks on client-provided values - Introduced additional checks on client-provided values such as cookies - Introduced a new OTP API documentation outlining the creation and verification of OTP tokens for sensitive operations. - Added comprehensive security guidelines for writing secure code in Next.js, covering client and server components, environment variables, authentication, and error handling. These additions enhance the project's security posture and provide clear instructions for developers on implementing secure practices. * Add OTP API documentation and enhance security guidelines - Introduced comprehensive documentation for the OTP API, detailing the creation and verification of OTP tokens for sensitive operations. - Enhanced security guidelines for Next.js, emphasizing the importance of input validation, environment variable management, and error handling. - Implemented additional checks for client-provided values to improve overall security posture. These updates provide clear instructions for developers and strengthen the project's security framework.
2025-04-22 05:44:55 +07:00
parent 1327a8efb7
commit e193c94f06
7 changed files with 325 additions and 34 deletions
--- a/apps/web/lib/i18n/i18n.server.ts
+++ b/apps/web/lib/i18n/i18n.server.ts
@@ -1,7 +1,11 @@
+import 'server-only';
+
 import { cache } from 'react';

 import { cookies, headers } from 'next/headers';

+import { z } from 'zod';
+
 import {
  initializeServerI18n,
  parseAcceptLanguageHeader,
@@ -32,13 +36,13 @@ const priority = featuresFlagConfig.languagePriority;
 */
 async function createInstance() {
  const cookieStore = await cookies();
-  const cookie = cookieStore.get(I18N_COOKIE_NAME)?.value;
+  const langCookieValue = cookieStore.get(I18N_COOKIE_NAME)?.value;

  let selectedLanguage: string | undefined = undefined;

  // if the cookie is set, use the language from the cookie
-  if (cookie) {
-    selectedLanguage = getLanguageOrFallback(cookie);
+  if (langCookieValue) {
+    selectedLanguage = getLanguageOrFallback(langCookieValue);
  }

  // if not, check if the language priority is set to user and
@@ -56,10 +60,15 @@ async function createInstance() {

 export const createI18nServerInstance = cache(createInstance);

+/**
+ * @name getPreferredLanguageFromBrowser
+ * Get the user's preferred language from the accept-language header.
+ */
 async function getPreferredLanguageFromBrowser() {
  const headersStore = await headers();
  const acceptLanguage = headersStore.get('accept-language');

+  // no accept-language header, return
  if (!acceptLanguage) {
    return;
  }
@@ -67,16 +76,23 @@ async function getPreferredLanguageFromBrowser() {
  return parseAcceptLanguageHeader(acceptLanguage, languages)[0];
 }

-function getLanguageOrFallback(language: string | undefined) {
-  let selectedLanguage = language;
+/**
+ * @name getLanguageOrFallback
+ * Get the language or fallback to the default language.
+ * @param selectedLanguage
+ */
+function getLanguageOrFallback(selectedLanguage: string | undefined) {
+  const language = z
+    .enum(languages as [string, ...string[]])
+    .safeParse(selectedLanguage);

-  if (!languages.includes(language ?? '')) {
-    console.warn(
-      `Language "${language}" is not supported. Falling back to "${languages[0]}"`,
-    );
-
-    selectedLanguage = languages[0];
+  if (language.success) {
+    return language.data;
  }

-  return selectedLanguage;
+  console.warn(
+    `The language passed is invalid. Defaulted back to "${languages[0]}"`,
+  );
+
+  return languages[0];
 }