From d4d55dd33868189d3deec4e56ef442c27a071733 Mon Sep 17 00:00:00 2001
From: David Mytton
Date: Mon, 30 Sep 2024 19:34:02 +0100
Subject: [PATCH] fix: Correct Next.js sensitive info examples (#98)

* fix: Correct Next.js sensitive info examples

* Dont use a real ID
---
 .../sensitive-info/quick-start/nextjs.mdx | 37 ++++++++-----------
 .../quick-start/nextjs/PerRouteApp.js | 24 +++++-------
 .../quick-start/nextjs/PerRouteApp.ts | 24 +++++-------
 .../quick-start/nextjs/PerRoutePages.js | 12 +-----
 .../quick-start/nextjs/PerRoutePages.ts | 14 ++-----
 .../reference/nextjs/ErrorsApp.js | 2 +-
 .../reference/nextjs/ErrorsApp.ts | 2 +-
 .../reference/nextjs/PerRouteApp.js | 2 +-
 .../reference/nextjs/PerRouteApp.ts | 2 +-
 9 files changed, 43 insertions(+), 76 deletions(-)

diff --git a/src/content/docs/sensitive-info/quick-start/nextjs.mdx b/src/content/docs/sensitive-info/quick-start/nextjs.mdx
index b2313aae..38a92627 100644
--- a/src/content/docs/sensitive-info/quick-start/nextjs.mdx
+++ b/src/content/docs/sensitive-info/quick-start/nextjs.mdx
@@ -100,36 +100,31 @@ it in middleware to protect every route, but we'll start with a single route. -### 4. Start app +### 4. Test sending personal info -Start your app and load `http://localhost:3000`. Refresh the page and you will -see the requests showing up in the [Arcjet dashboard](https://app.arcjet.com). - -### 5. Test sending personal info - -To see Arcjet Sensitive Information detection in action, try making a request -with a blocked entity in the body of the request. For example if you have configured -Arcjet to block requests containing email addresses then try and send an email address. +To see Arcjet Sensitive Information detection in action, start your app and try +making a request with an email address in the body of the request: ```sh -curl -v http://localhost:3000 --data "My email address is test@example.com" +curl -v http://localhost:3000/api/arcjet --data "My email address is test@example.com" ``` You should see this in your logs ```text -Rule Result ArcjetRuleResult { - ruleId: '', +Arcjet decision ArcjetDenyDecision { + id: '', // This will contain the Arcjet request ID ttl: 0, - state: 'RUN', - conclusion: 'DENY', - reason: ArcjetSensitiveInfoReason { - type: 'SENSITIVE_INFO', - denied: [ { start: 5, end: 21, identifiedType: 'EMAIL' } ], - allowed: [] - } -}, -Conclusion ALLOW + results: [ + ArcjetRuleResult { + ruleId: '', + ttl: 0, + state: 'RUN', + conclusion: 'DENY', + reason: [ArcjetSensitiveInfoReason] + } + ], +... ``` The final conclusion is `ALLOW` even though the rule result conclusion is
diff --git a/src/snippets/sensitive-info/quick-start/nextjs/PerRouteApp.js b/src/snippets/sensitive-info/quick-start/nextjs/PerRouteApp.js
index 2b3048d1..5014c0e5 100644
--- a/src/snippets/sensitive-info/quick-start/nextjs/PerRouteApp.js
+++ b/src/snippets/sensitive-info/quick-start/nextjs/PerRouteApp.js
@@ -13,28 +13,22 @@ const aj = arcjet({
   ],
 });
 
-export async function GET(req) {
+export async function POST(req) {
   const decision = await aj.protect(req);
-
-  for (const result of decision.results) {
-    console.log("Rule Result", result);
-  }
-
-  console.log("Conclusion", decision.conclusion);
+  console.log("Arcjet decision", decision);
 
   if (decision.isDenied() && decision.reason.isSensitiveInfo()) {
     return NextResponse.json(
       {
-        error: "The requests body contains unexpected sensitive information",
-        // Useful for debugging, but don't return it to the client in
-        // production
-        //reason: decision.reason,
+        error: "Sensitive Information Identified",
+        reason: decision.reason,
+      },
+      {
+        status: 400,
       },
-      { status: 400 },
     );
   }
 
-  return NextResponse.json({
-    message: "Hello world",
-  });
+  const message = await req.text();
+  return NextResponse.json({ message: `You said: ${message}` });
 }
diff --git a/src/snippets/sensitive-info/quick-start/nextjs/PerRouteApp.ts b/src/snippets/sensitive-info/quick-start/nextjs/PerRouteApp.ts
index 9469b979..83425cd1 100644
--- a/src/snippets/sensitive-info/quick-start/nextjs/PerRouteApp.ts
+++ b/src/snippets/sensitive-info/quick-start/nextjs/PerRouteApp.ts
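Review bot: The new 400 response body includes `reason: decision.reason`, and the hunk deletes the comment that warned against returning it to the client in production; the reason object names which spans of the request body matched (the old docs excerpt in this commit shows `denied: [ { start: 5, end: 21, identifiedType: 'EMAIL' } ]`), so this is detector output disclosed to the caller rather than just an error code. The decision is already written to the server log on the `console.log("Arcjet decision", decision);` line, so the response can drop `reason` or keep it commented with the original note, e.g. `// reason: decision.reason, // useful for debugging, but don't return it to the client in production`. The added `const message = await req.text();` after `aj.protect(req)` also assumes the adapter does not consume the request body stream; if it does, this line throws for every allowed request, so it is worth confirming against the adapter. The same two changes appear in the PerRouteApp.ts hunk that follows.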
@@ -13,28 +13,22 @@ const aj = arcjet({
   ],
 });
 
-export async function GET(req: Request) {
+export async function POST(req: Request) {
   const decision = await aj.protect(req);
-
-  for (const result of decision.results) {
-    console.log("Rule Result", result);
-  }
-
-  console.log("Conclusion", decision.conclusion);
+  console.log("Arcjet decision", decision);
 
   if (decision.isDenied() && decision.reason.isSensitiveInfo()) {
     return NextResponse.json(
       {
-        error: "The requests body contains unexpected sensitive information",
-        // Useful for debugging, but don't return it to the client in
-        // production
-        //reason: decision.reason,
+        error: "Sensitive Information Identified",
+        reason: decision.reason,
+      },
+      {
+        status: 400,
       },
-      { status: 400 },
     );
   }
 
-  return NextResponse.json({
-    message: "Hello world",
-  });
+  const message = await req.text();
+  return NextResponse.json({ message: `You said: ${message}` });
 }
diff --git a/src/snippets/sensitive-info/quick-start/nextjs/PerRoutePages.js b/src/snippets/sensitive-info/quick-start/nextjs/PerRoutePages.js
index bcde3276..39f4bb90 100644
--- a/src/snippets/sensitive-info/quick-start/nextjs/PerRoutePages.js
+++ b/src/snippets/sensitive-info/quick-start/nextjs/PerRoutePages.js
@@ -14,20 +14,12 @@ const aj = arcjet({
 
 export default async function handler(req, res) {
   const decision = await aj.protect(req);
-
-  for (const result of decision.results) {
-    console.log("Rule Result", result);
-  }
-
-  console.log("Conclusion", decision.conclusion);
+  console.log("Arcjet decision", decision);
 
   if (decision.isDenied() && decision.reason.isSensitiveInfo()) {
     return res.status(400).json({
-      error: "The requests body contains unexpected sensitive information",
+      error: "The request body contains unexpected sensitive information",
     });
-    // Returning the reason is useful for debugging, but don't return it to the
-    // client in production
-    // .json({ error: "You are suspicious!", reason: decision.reason });
   }
 
   res.status(200).json({ name: "Hello world" });
diff --git a/src/snippets/sensitive-info/quick-start/nextjs/PerRoutePages.ts b/src/snippets/sensitive-info/quick-start/nextjs/PerRoutePages.ts
index 0d98c408..4b208a27 100644
--- a/src/snippets/sensitive-info/quick-start/nextjs/PerRoutePages.ts
+++ b/src/snippets/sensitive-info/quick-start/nextjs/PerRoutePages.ts
@@ -18,20 +18,12 @@ export default async function handler(
   res: NextApiResponse,
 ) {
   const decision = await aj.protect(req);
+  console.log("Arcjet decision", decision);
 
-  for (const result of decision.results) {
-    console.log("Rule Result", result);
-  }
-
-  console.log("Conclusion", decision.conclusion);
-
-  if (decision.isDenied() && decision.reason.isShield()) {
+  if (decision.isDenied() && decision.reason.isSensitiveInfo()) {
     return res.status(400).json({
-      error: "The requests body contains unexpected sensitive information",
+      error: "The request body contains unexpected sensitive information",
     });
-    // Returning the reason is useful for debugging, but don't return it to the
-    // client in production
-    // .json({ error: "You are suspicious!", reason: decision.reason });
   }
 
   res.status(200).json({ name: "Hello world" });
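Review bot: Dropping the three-line comment after the `res.status(400).json({...})` call leaves no explanation of why this handler keeps `decision.reason` out of the 400 response, while the App Router snippet changed in this same commit returns it, so a reader now sees two examples that disagree with no stated rule. Suggest keeping a one-line comment in its place, e.g. `// decision.reason is useful for debugging, but don't return it to the client in production`. This applies equally to the PerRoutePages.ts hunk that follows, which also corrects the `isShield()` check to `isSensitiveInfo()`; in that hunk the handler's signature starts outside the hunk.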
diff --git a/src/snippets/sensitive-info/reference/nextjs/ErrorsApp.js b/src/snippets/sensitive-info/reference/nextjs/ErrorsApp.js
index 4e10384b..90328d1d 100644
--- a/src/snippets/sensitive-info/reference/nextjs/ErrorsApp.js
+++ b/src/snippets/sensitive-info/reference/nextjs/ErrorsApp.js
@@ -11,7 +11,7 @@ const aj = arcjet({
   ],
 });
 
-export async function GET(req) {
+export async function POST(req) {
   const decision = await aj.protect(req);
 
   if (decision.isErrored()) {
diff --git a/src/snippets/sensitive-info/reference/nextjs/ErrorsApp.ts b/src/snippets/sensitive-info/reference/nextjs/ErrorsApp.ts
index 98205f57..a7c68f51 100644
--- a/src/snippets/sensitive-info/reference/nextjs/ErrorsApp.ts
+++ b/src/snippets/sensitive-info/reference/nextjs/ErrorsApp.ts
@@ -11,7 +11,7 @@ const aj = arcjet({
   ],
 });
 
-export async function GET(req: Request) {
+export async function POST(req: Request) {
   const decision = await aj.protect(req);
 
   if (decision.isErrored()) {
diff --git a/src/snippets/sensitive-info/reference/nextjs/PerRouteApp.js b/src/snippets/sensitive-info/reference/nextjs/PerRouteApp.js
index d5798154..e3fa59ce 100644
--- a/src/snippets/sensitive-info/reference/nextjs/PerRouteApp.js
+++ b/src/snippets/sensitive-info/reference/nextjs/PerRouteApp.js
@@ -11,7 +11,7 @@ const aj = arcjet({
   ],
 });
 
-export async function GET(req) {
+export async function POST(req) {
   const decision = await aj.protect(req);
 
   if (decision.isDenied() && decision.reason.isSensitiveInfo()) {
diff --git a/src/snippets/sensitive-info/reference/nextjs/PerRouteApp.ts b/src/snippets/sensitive-info/reference/nextjs/PerRouteApp.ts
index cb147381..41f89853 100644
--- a/src/snippets/sensitive-info/reference/nextjs/PerRouteApp.ts
+++ b/src/snippets/sensitive-info/reference/nextjs/PerRouteApp.ts
@@ -11,7 +11,7 @@ const aj = arcjet({
   ],
 });
 
-export async function GET(req: Request) {
+export async function POST(req: Request) {
   const decision = await aj.protect(req);
 
   if (decision.isDenied() && decision.reason.isSensitiveInfo()) {