fix: env vars public exposition

[andostronaut]

This is an automated pull request for branch develop

Summary by CodeRabbit

• New Features
  • Added support for new environment variables, enhancing configuration flexibility.
• Bug Fixes
  • Updated the default value for the API token in the settings page to use the encrypted key, improving security.
• Documentation
  • Updated environment variable declarations to reflect changes in public and private access levels.

[coderabbitai]

Walkthrough

The pull request introduces several changes across multiple files to manage environment variables and update component behavior in a Next.js application. The next.config.mjs file now includes an env property with CRYPTO_PASSPHRASE and POCKETBASE_URL. The page.tsx file modifies the initialization of the apiToken field to use settings.encryptedKey instead of settings.apiToken. Additionally, the ProcessEnv interface in env.d.ts is updated to remove the public-facing NEXT_PUBLIC_POCKETBASE_URL and add the private POCKETBASE_URL. The pocketbase.ts file reflects this change by using the new environment variable for initialization.

Changes

File	Change Summary
next.config.mjs	Added env property with CRYPTO_PASSPHRASE and POCKETBASE_URL to nextConfig object.
src/app/(studio)/studio/settings/page.tsx	Updated apiToken initialization from settings.apiToken to settings.encryptedKey.
src/env.d.ts	Removed NEXT_PUBLIC_POCKETBASE_URL and added POCKETBASE_URL in ProcessEnv interface.
src/lib/pocketbase.ts	Changed initialization of pocketbase from process.env.NEXT_PUBLIC_POCKETBASE_URL to process.env.POCKETBASE_URL.

Possibly related PRs

• feat: create settings page and save user settings #224: The changes in this PR also involve modifications to the next.config.mjs file, specifically related to environment variables, including the addition of NEXT_PUBLIC_CRYPTO_PASSPHRASE, which is relevant to the main PR's focus on environment variables.
• fix: env vars exposition and ui improvement #228: This PR modifies the .env.example file to add CRYPTO_PASSPHRASE and remove NEXT_PUBLIC_CRYPTO_PASSPHRASE, which directly relates to the changes made in the main PR regarding environment variable management in next.config.mjs.

🐰 In the garden, changes bloom,
New secrets whisper, dispelling gloom.
With keys encrypted, safe and sound,
In the code, new paths are found.
A hop, a skip, through variables bright,
Our app now dances in the light! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

src/app/(studio)/studio/settings/page.tsx (2)

Line range hint 155-167: Review the form submission security flow.

The onSubmit handler correctly encrypts the API token before saving to PocketBase. However, consider adding these security enhancements:

1. Clear the unencrypted token from memory after encryption
2. Add input sanitization before encryption

Consider implementing these security patterns:

const onSubmit = async (data: z.infer<typeof FormSchema>) => {
  try {
    // Sanitize input
    const sanitizedToken = sanitizeInput(data.apiToken);
    // Encrypt
    const encryptedKey = encrypt(sanitizedToken);
    // Clear sensitive data
    data.apiToken = '';
    
    // Continue with your existing save logic...
  } catch (error) {
    // Handle encryption errors
    toast.error('Failed to secure your API token');
  }
}

---

Line range hint 301-316: Enhance API token field security.

The API token input field should implement additional security measures:

1. Use type="password" instead of type="text"
2. Add autoComplete="off"
3. Consider implementing a "show/hide" toggle

 <Input
   id='apiToken'
-  type='text'
+  type='password'
+  autoComplete='off'
   placeholder='Enter API Token'
   onChange={field.onChange}
   defaultValue={settings.apiToken}
 />

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 27b2ed4 and 4f14daf.

📒 Files selected for processing (4)

• next.config.mjs (1 hunks)
• src/app/(studio)/studio/settings/page.tsx (1 hunks)
• src/env.d.ts (1 hunks)
• src/lib/pocketbase.ts (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• src/lib/pocketbase.ts

🔇 Additional comments (3)

src/env.d.ts (2)

11-11: Consider architectural adjustments

Since PocketBase URL is now only accessible server-side, ensure that:

1. All PocketBase operations are moved to API routes or Server Components
2. Client Components make requests through these API routes instead of directly to PocketBase

Let's check for potential architectural impacts:

#!/bin/bash
# Look for PocketBase imports in potential client components
rg "from.*pocketbase" "app/.*/(page|loading|error|layout)\.(ts|tsx|js|jsx)"

# Look for components using PocketBase in client directories
fd -e tsx -e ts --exec grep -l "PocketBase" {} \; components/

---

11-11: Good security improvement!

Moving from NEXT_PUBLIC_POCKETBASE_URL to POCKETBASE_URL prevents exposing the PocketBase URL to client-side JavaScript, which aligns with security best practices for sensitive configuration in Next.js applications.

Let's verify if any client components were depending on the removed public URL:

✅ Verification successful

Security improvement verified - no client-side dependencies found

The verification confirms that:

1. PocketBase is only instantiated server-side in src/lib/pocketbase.ts using the private POCKETBASE_URL
2. No client components are directly using PocketBase or accessing the environment variable
3. The change from NEXT_PUBLIC_POCKETBASE_URL to POCKETBASE_URL is safe as there are no remaining references to the public URL

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for any remaining usage of the old public URL
rg "NEXT_PUBLIC_POCKETBASE_URL" --type ts --type tsx

# Search for direct PocketBase client instantiation in components
ast-grep --pattern 'new PocketBase($$$)'

Length of output: 234

---

Script:

#!/bin/bash
# Search for any usage of PocketBase in client components
rg "PocketBase" --type ts --type tsx -C 2

# Search for any direct usage of POCKETBASE_URL
rg "POCKETBASE_URL" --type ts --type tsx -C 2

# Find all files that might be client components
fd -e tsx -e ts . src/app components

Length of output: 868

---

Script:

#!/bin/bash
# Search for PocketBase usage with correct ripgrep syntax
rg -t typescript -t javascriptreact -t typescriptreact "PocketBase" -C 2

# Search for any direct usage of POCKETBASE_URL with correct syntax
rg -t typescript -t javascriptreact -t typescriptreact "POCKETBASE_URL" -C 2

# Look for any remaining NEXT_PUBLIC references
rg -t typescript -t javascriptreact -t typescriptreact "NEXT_PUBLIC" -C 2

Length of output: 328

---

Script:

#!/bin/bash
# Basic grep through all relevant files
find src -type f \( -name "*.ts" -o -name "*.tsx" \) -exec grep -l "PocketBase\|POCKETBASE_URL\|NEXT_PUBLIC" {} \;

# Get content of any files that match for better context
find src -type f \( -name "*.ts" -o -name "*.tsx" \) -exec sh -c 'if grep -l "PocketBase\|POCKETBASE_URL\|NEXT_PUBLIC" "$1" >/dev/null; then echo "=== $1 ==="; cat "$1"; fi' sh {} \;

Length of output: 848

src/app/(studio)/studio/settings/page.tsx (1)

139-139: Verify the encryption flow and UI behavior.

The change from settings.apiToken to settings.encryptedKey aligns with the security improvements, but there are some considerations:

1. The form's API token input field might show encrypted values to users
2. The encryption flow needs verification to ensure tokens are properly handled

Let's verify the encryption implementation:

✅ Verification successful

The encryption flow and UI behavior are properly implemented

The verification shows a well-structured encryption flow:

1. The form correctly displays the unencrypted API token to users (settings.apiToken in the input field's defaultValue)
2. The token is only encrypted when submitting the form (encrypt(data.apiToken))
3. The encryption is handled by a dedicated crypto module using AES encryption with proper IV, mode, and padding

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check the encryption implementation and token handling
echo "Checking encryption implementation..."
rg -A 5 "encrypt\(" .
echo "Checking token handling in components..."
rg -A 5 "apiToken" .

Length of output: 4352