
GH-223 Fix lot of issues reported by internal audit. #223

Merged
vLuckyyy merged 4 commits into master from fix-lot-of-issues on Feb 12, 2026

Conversation

@vLuckyyy (Member)

No description provided.

netlify Bot commented Feb 11, 2026

Deploy Preview for eternalcodeteam-website ready!

Latest commit: ac9247d
Latest deploy log: https://app.netlify.com/projects/eternalcodeteam-website/deploys/698e38145df4ad000855a0cc
Deploy Preview: https://deploy-preview-223--eternalcodeteam-website.netlify.app
Lighthouse: 1 path audited
Performance: 83 (🔴 down 6 from production)
Accessibility: 94 (🔴 down 2 from production)
Best Practices: 83 (🔴 down 17 from production)
SEO: 100 (no change from production)
PWA: 90 (no change from production)

@gemini-code-assist (Contributor)

Summary of Changes

Hello @vLuckyyy, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses several issues identified during an internal audit, focusing on enhancing the application's security, performance, and overall robustness. Key changes include the implementation of stricter data validation and sanitization for API endpoints, the introduction of caching strategies to optimize data retrieval, and the establishment of standardized error handling and loading states. Additionally, the build fetching mechanism was refactored into a dedicated API route, and comprehensive security headers were added to the Next.js configuration. The privacy policy and cookie consent features were also removed, simplifying the application's data handling posture. These updates collectively aim to create a more secure, efficient, and maintainable application.

Highlights

  • Enhanced API Security and Data Validation: Implemented robust input validation using Zod for API routes and introduced image URL sanitization and host whitelisting for the OG image generation API, significantly improving security against malformed requests and potential exploits.
  • Improved Caching and Performance: Integrated revalidate and tags options for Modrinth API fetches and introduced an in-memory caching mechanism with a Time-To-Live (TTL) for the search index API, leading to faster response times and reduced external API calls.
  • Centralized Error Handling and Loading States: Added dedicated app/error.tsx, app/global-error.tsx, and app/loading.tsx components to provide consistent and user-friendly error messages and loading indicators across the application.
  • Refactored Build Fetching Logic: Migrated the build fetching logic from a direct client-side call to a new dedicated API route (app/api/builds/route.ts), improving data fetching patterns, enabling server-side caching, and enhancing maintainability.
  • Removed Privacy Policy and Cookie Consent Features: The privacy policy page, its associated layout and OpenGraph image, the cookie consent modal component, and related cookie utility hooks were removed from the application.
  • Enhanced Application Security Headers: Configured next.config.mjs to include comprehensive security headers such as Content-Security-Policy, Referrer-Policy, X-Content-Type-Options, X-Frame-Options, Permissions-Policy, and Strict-Transport-Security, bolstering the application's defense against various web vulnerabilities.
  • Codebase Organization and Maintenance: Centralized project configuration into a new lib/builds/projects.ts file and updated build scripts in package.json to include check and test commands, streamlining development workflows and improving code quality.


Changelog
  • .gitignore
    • Added 'nul' to the ignore list.
  • app/api/builds/builds.ts
    • Imported 'Project' type from a new centralized location.
    • Removed the 'Project' interface and 'PROJECTS' array, relocating them to 'lib/builds/projects.ts'.
    • Added caching options (revalidate and tags) to Modrinth API fetch requests.
  • app/api/builds/route.ts
    • Added a new API route for fetching project builds.
    • Implemented Zod schema for query parameter validation.
    • Integrated logic to fetch stable or dev builds based on query parameters.
    • Included Cache-Control headers for API responses.
  • app/api/docs/search-index/route.ts
    • Updated 'fs' import to 'node:fs/promises' for asynchronous file operations.
    • Introduced an in-memory caching mechanism for the search index with a configurable TTL.
    • Converted file reading and search index generation functions to be asynchronous.
    • Added Cache-Control headers to the search index API response.
  • app/api/og/route.tsx
    • Added Zod schema for validating OpenGraph image query parameters.
    • Implemented 'sanitizeText' function to clean input text.
    • Introduced 'normalizeImageUrl' function with host whitelisting for image URLs.
    • Refactored the GET handler to use validated and sanitized inputs, returning 400 for invalid requests.
  • app/builds/page.tsx
    • Removed direct imports of build fetching functions and project data from 'app/api/builds/builds.ts'.
    • Imported 'BuildTab', 'PROJECTS', and 'Project' from 'lib/builds/projects.ts'.
    • Updated the type of 'activeTab' to 'BuildTab'.
    • Introduced a 'refreshNonce' state to explicitly trigger data refetches.
    • Refactored the data fetching useEffect to call the new '/api/builds' endpoint and included an AbortController for request cancellation.
  • app/error.tsx
    • Added a new client-side error boundary component.
  • app/global-error.tsx
    • Added a new global error boundary component for critical application errors.
  • app/layout.tsx
    • Removed the 'CookieConsentModal' import and component usage.
  • app/loading.tsx
    • Added a new loading component to display during data fetching.
  • app/privacy-policy/layout.tsx
    • Removed the privacy policy layout file.
  • app/privacy-policy/opengraph-image.tsx
    • Removed the OpenGraph image generation file for the privacy policy.
  • app/privacy-policy/page.tsx
    • Removed the privacy policy page content.
  • app/robots.ts
    • Removed '/notification-generator/' from the disallowed paths in robots.txt.
  • app/sitemap.ts
    • Removed '/projects/multification' entry from the sitemap.
  • components/builds/build-controls.tsx
    • Updated imports for 'Project' and 'BuildTab' to use the centralized 'lib/builds/projects.ts'.
  • components/builds/build-table.tsx
    • Updated the import for 'Project' to use the centralized 'lib/builds/projects.ts'.
  • components/cookie-consent-modal.tsx
    • Removed the cookie consent modal component.
  • components/footer/footer.tsx
    • Removed the 'Privacy Policy' link from the footer navigation.
  • components/ui/error-boundary.tsx
    • Removed a TODO comment regarding error tracking.
  • hooks/use-cookie-consent.ts
    • Removed the cookie consent management hook.
  • lib/builds/projects.ts
    • Added a new file to centralize 'Project' interface and 'PROJECTS' array definitions.
  • lib/cookie-utils.ts
    • Removed cookie utility functions.
  • next.config.mjs
    • Defined Content Security Policy (CSP) and other security headers.
    • Configured Next.js to apply these security headers globally.
    • Imported 'withBundleAnalyzer' for bundle analysis.
    • Added 'bundlePagesRouterDependencies' and 'serverExternalPackages' configurations.
  • package.json
    • Updated the 'build' script to run format and lint checks before building.
    • Added new 'check' and 'test' scripts for comprehensive code quality checks.
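The OG-route hardening the changelog describes (query validation, text sanitization and a host whitelist for image URLs), as an added TypeScript example that is not the project's own app/api/og/route.tsx: the allowlisted host, the length cap and the helper names are assumptions, and a plain function stands in for the Zod schema.

```typescript
// Added example, not the project's app/api/og/route.tsx: host-allowlisted image URL
// normalization and text sanitization for an OG-image endpoint. The allowlist and
// length cap are assumed placeholders.
const ALLOWED_IMAGE_HOSTS: readonly string[] = ["cdn.example.com"];
const MAX_TEXT_LENGTH = 120;

function tryParseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch (_err) { return null; } // relative/malformed -> null
}

/** Canonical https URL string if the host is allowlisted, otherwise null. */
function normalizeImageUrl(raw: string): string | null {
  const url = tryParseUrl(raw);
  if (url === null) return null;
  // https only: blocks http:, file:, data:, javascript: and friends.
  if (url.protocol !== "https:") return null;
  // Embedded credentials ("https://cdn.example.com@evil.test/") defeat string-based
  // host checks; the parser puts the real host in hostname, and we reject them anyway.
  if (url.username !== "" || url.password !== "") return null;
  // Exact hostname match: endsWith() would pass "evilcdn.example.com", startsWith()
  // would pass "cdn.example.com.attacker.test". The parser lowercases the host already.
  if (ALLOWED_IMAGE_HOSTS.indexOf(url.hostname) === -1) return null;
  if (url.port !== "") return null; // a CDN answers on the default port
  url.hash = ""; // fragments never reach the server, so drop them
  return url.toString();
}

/** Strips control characters, collapses whitespace and caps the length. */
function sanitizeText(raw: string): string {
  return raw
    .replace(/[\u0000-\u001f\u007f-\u009f]/g, "")
    .replace(/\s+/g, " ")
    .trim()
    .slice(0, MAX_TEXT_LENGTH);
}

interface OgParams { title: string; image: string | null }

/** Validates the query the way a schema would; null means "answer 400". */
function validateOgQuery(params: URLSearchParams): OgParams | null {
  const title = params.get("title");
  if (title === null) return null;
  const cleanTitle = sanitizeText(title);
  if (cleanTitle.length === 0) return null;
  const rawImage = params.get("image");
  if (rawImage === null) return { title: cleanTitle, image: null };
  const image = normalizeImageUrl(rawImage);
  return image === null ? null : { title: cleanTitle, image };
}
```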

@gemini-code-assist (Bot) left a comment


Code Review

This pull request introduces significant improvements in security, performance, and code structure, including the addition of security headers, hardening of API endpoints with zod validation, and implementation of caching. It also refactors build-related logic and uses modern React features. However, a critical vulnerability was identified: the new Content Security Policy (CSP) uses 'unsafe-inline' for scripts and styles, which significantly weakens its protection against Cross-Site Scripting (XSS) attacks. While other changes like SSRF protection are well-implemented, addressing the CSP configuration is crucial.

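The CSP weakness the review points at, 'unsafe-inline' in script-src and style-src, as an added TypeScript example that is not the project's next.config.mjs: a small policy parser and checker run over constructed sample policies. The function names and the sample policies are assumptions.

```typescript
// Added example, not the project's next.config.mjs: a checker for the weakness the
// review raises, 'unsafe-inline' in script-src / style-src. WEAK_CSP and
// HARDENED_CSP are constructed samples, not the site's real header.
type Policy = { [name: string]: string[] | undefined };

/** Parses "name value value; name ..." into a map; as in CSP, the first occurrence of a name wins. */
function parseCsp(header: string): Policy {
  const policy: Policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (policy[name] === undefined) policy[name] = tokens.slice(1);
  }
  return policy;
}

/**
 * Reports script-src and style-src where inline code is allowed, either because
 * 'unsafe-inline' is present with no nonce or hash source (a nonce or hash makes
 * browsers ignore 'unsafe-inline', which is the usual migration path) or because
 * neither the directive nor default-src is set at all.
 */
function findInlineWeaknesses(header: string): string[] {
  const policy = parseCsp(header);
  const findings: string[] = [];
  for (const directive of ["script-src", "style-src"]) {
    const sources = policy[directive] ?? policy["default-src"];
    if (sources === undefined) {
      findings.push(`${directive}: unrestricted (neither it nor default-src is set)`);
      continue;
    }
    const inline = sources.indexOf("'unsafe-inline'") !== -1;
    const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (inline && !nonceOrHash) findings.push(`${directive}: 'unsafe-inline' without nonce or hash`);
  }
  return findings;
}

// The shape the review objects to, and a nonce-based alternative (both constructed).
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'; style-src 'self'; img-src 'self' data:";
```

The nonce in HARDENED_CSP only helps if it is generated fresh per request and attached to the inline scripts (in Next.js that is middleware work, not a fixed string in next.config.mjs).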
Comment thread next.config.mjs
Comment thread app/api/og/route.tsx
@vLuckyyy vLuckyyy changed the title Fix lot of issues reported by internal audit. GH-223 Fix lot of issues reported by internal audit. Feb 12, 2026
Comment thread next.config.mjs Fixed
Comment thread next.config.mjs Fixed
vLuckyyy and others added 2 commits February 12, 2026 04:58
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
@vLuckyyy vLuckyyy merged commit 270b3f8 into master Feb 12, 2026
5 checks passed
@vLuckyyy vLuckyyy deleted the fix-lot-of-issues branch February 12, 2026 20:54