zaid.marzguioui/myeasycms-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9cbe6652a14803487c04064262ccdd934c374a8b
myeasycms-v2/tooling/scripts/src/checks.mjs
Giancarlo Buomprisco 7ebff31475 Next.js Supabase V3 (#463) 
Version 3 of the kit:
- Radix UI replaced with Base UI (using the Shadcn UI patterns)
- next-intl replaces react-i18next
- enhanceAction deprecated; usage moved to next-safe-action
- main layout now wrapped with [locale] path segment
- Teams only mode
- Layout updates
- Zod v4
- Next.js 16.2
- Typescript 6
- All other dependencies updated
- Removed deprecated Edge CSRF
- Dynamic Github Action runner
2026-03-24 13:40:38 +08:00

116 lines
3.0 KiB
JavaScript
Raw Blame History

import { readFileSync, readdirSync } from 'fs';
import * as path from 'path';
const whitelist = {
STRIPE_SECRET_KEY: [/sk_test_*/],
STRIPE_WEBHOOK_SECRET: [/whsec_*/],
EMAIL_PASSWORD: ['password'],
SUPABASE_DB_WEBHOOK_SECRET: ['WEBHOOKSECRET'],
SUPABASE_SERVICE_ROLE_KEY: [/qQwv8Hdp7fsn3W0YpN81IU/],
};
// List of sensitive environment variables that should not be in .env files
const sensitiveEnvVars = [
'STRIPE_SECRET_KEY',
'STRIPE_WEBHOOK_SECRET',
'LEMON_SQUEEZY_SECRET_KEY',
'LEMON_SQUEEZY_SIGNING_SECRET',
'KEYSTATIC_GITHUB_TOKEN',
'SUPABASE_DB_WEBHOOK_SECRET',
'SUPABASE_SERVICE_ROLE_KEY',
'EMAIL_PASSWORD',
'CAPTCHA_SECRET_TOKEN',
];
// Files to check
const envFiles = ['.env', '.env.development', '.env.production'];
function checkEnvFiles(rootPath) {
let hasSecrets = false;
envFiles.forEach((file) => {
try {
const envPath = path.join(process.cwd(), rootPath, file);
const contents = readFileSync(envPath, 'utf8');
const lines = contents.split('\n');
lines.forEach((line, index) => {
// Skip empty lines and comments
if (!line || line.startsWith('#')) return;
// Check if line contains any sensitive vars
sensitiveEnvVars.forEach((secret) => {
if (line.startsWith(`${secret}=`)) {
// Extract the value
const value = line.split('=')[1].trim().replace(/["']/g, '');
// Skip if value is whitelisted
if (isValueWhitelisted(secret, value)) {
return;
}
console.error(
`⚠️ Secret key "${secret}" found in ${file} on line ${index + 1}`,
);
hasSecrets = true;
}
});
});
} catch (err) {
// File doesn't exist, skip
if (err.code === 'ENOENT') return;
throw err;
}
});
if (hasSecrets) {
console.error('\n❌ Error: Secret keys found in environment files');
console.error(
'\nPlease remove sensitive information from .env files and store them securely:',
);
console.error('- Use environment variables in your CI/CD system');
console.error('- For local development, use .env.local (git ignored)');
process.exit(1);
} else {
const appName = rootPath.split('/').pop();
console.log(
`✅ No secret keys found in staged environment files for the app ${appName}`,
);
}
}
const apps = readdirSync('../../apps');
apps.forEach((app) => {
checkEnvFiles(`../../apps/${app}`);
});
function isValueWhitelisted(key, value) {
if (!(key in whitelist)) {
return false;
}
const whiteListedValue = whitelist[key];
if (whiteListedValue instanceof RegExp) {
return whiteListedValue.test(value);
}
if (Array.isArray(whiteListedValue)) {
return whiteListedValue.some((allowed) => {
if (allowed instanceof RegExp) {
return allowed.test(value);
}
return allowed.trim() === value.trim();
});
}
return whiteListedValue.trim() === value.trim();
}
Reference in New Issue View Git Blame Copy Permalink