V2: embeds and CSP (#2885)

Author: SamyPesse

.github/workflows/ci.yaml

@@ -235,6 +235,7 @@ jobs:
         runs-on: ubuntu-latest
         name: Visual Testing
         needs: deploy
+        timeout-minutes: 6
         steps:
             - name: Checkout
               uses: actions/checkout@v4
@@ -259,6 +260,7 @@ jobs:
         runs-on: ubuntu-latest
         name: Visual Testing v2
         needs: deploy-v2-vercel
+        timeout-minutes: 6
         steps:
             - name: Checkout
               uses: actions/checkout@v4
@@ -284,6 +286,7 @@ jobs:
         runs-on: ubuntu-latest
         name: Visual Testing Customers
         needs: deploy
+        timeout-minutes: 6
         steps:
             - name: Checkout
               uses: actions/checkout@v4
@@ -309,6 +312,7 @@ jobs:
         runs-on: ubuntu-latest
         name: Visual Testing Customers v2
         needs: deploy-v2-vercel
+        timeout-minutes: 6
         steps:
             - name: Checkout
               uses: actions/checkout@v4
@@ -351,6 +355,7 @@ jobs:
     format:
         runs-on: ubuntu-latest
         name: Format
+        timeout-minutes: 6
         steps:
             - name: Checkout
               uses: actions/checkout@v4
@@ -364,6 +369,7 @@ jobs:
     test:
         runs-on: ubuntu-latest
         name: Test
+        timeout-minutes: 6
         steps:
             - name: Checkout
               uses: actions/checkout@v4
@@ -378,6 +384,7 @@ jobs:
         # CI to check that the repository builds correctly on a machine without the credentials
         runs-on: ubuntu-latest
         name: Build (Open Source)
+        timeout-minutes: 6
         env:
             NPM_TOKEN_READONLY: ''
         steps:
@@ -393,6 +400,7 @@ jobs:
     typecheck:
         runs-on: ubuntu-latest
         name: Typecheck
+        timeout-minutes: 6
         steps:
             - name: Checkout
               uses: actions/checkout@v4

bun.lock

@@ -7,7 +7,7 @@
         "turbo": "^2.4.4",
         "vercel": "^39.3.0"
     },
-    "packageManager": "[email protected].3",
+    "packageManager": "[email protected].4",
     "overrides": {
         "@codemirror/state": "6.4.1",
         "react": "18.3.1",

package.json

@@ -1,6 +1,6 @@
 import { type ComputedContentSource, GitBookAPI } from '@gitbook/api';
 import { GITBOOK_API_TOKEN, GITBOOK_API_URL, GITBOOK_USER_AGENT } from '@v2/lib/env';
-import { unstable_cacheTag as cacheTag } from 'next/cache';
+import { unstable_cacheLife as cacheLife, unstable_cacheTag as cacheTag } from 'next/cache';
 import {
     getChangeRequestCacheTag,
     getHostnameCacheTag,
@@ -118,6 +118,12 @@ export function createDataFetcher(input: DataFetcherInput = commonInput): GitBoo
                 source: params.source,
             });
         },
+        getEmbedByUrl(params) {
+            return getEmbedByUrl(input, {
+                url: params.url,
+                spaceId: params.spaceId,
+            });
+        },
 
         //
         // API that are not tied to the token
@@ -139,6 +145,8 @@ export function createDataFetcher(input: DataFetcherInput = commonInput): GitBoo
 async function getUserById(input: DataFetcherInput, userId: string) {
     'use cache';
 
+    cacheLife('days');
+
     try {
         const res = await getAPI(input).users.getUserById(userId);
         return res.data;
@@ -160,6 +168,7 @@ async function getSpace(
 ) {
     'use cache';
 
+    cacheLife('days');
     cacheTag(getSpaceCacheTag(params.spaceId));
 
     const res = await getAPI(input).spaces.getSpaceById(params.spaceId, {
@@ -177,6 +186,8 @@ async function getChangeRequest(
 ) {
     'use cache';
 
+    cacheLife('minutes');
+
     try {
         const res = await getAPI(input).spaces.getChangeRequestById(
             params.spaceId,
@@ -203,6 +214,8 @@ async function getRevision(
 ) {
     'use cache';
 
+    cacheLife('max');
+
     const res = await getAPI(input).spaces.getRevisionById(params.spaceId, params.revisionId, {
         metadata: params.metadata,
     });
@@ -219,6 +232,8 @@ async function getRevisionPages(
 ) {
     'use cache';
 
+    cacheLife('max');
+
     const res = await getAPI(input).spaces.listPagesInRevisionById(
         params.spaceId,
         params.revisionId,
@@ -239,6 +254,8 @@ async function getRevisionFile(
 ) {
     'use cache';
 
+    cacheLife('max');
+
     try {
         const res = await getAPI(input).spaces.getFileInRevisionById(
             params.spaceId,
@@ -265,8 +282,9 @@ async function getRevisionPageByPath(
 ) {
     'use cache';
 
-    const encodedPath = encodeURIComponent(params.path);
+    cacheLife('max');
 
+    const encodedPath = encodeURIComponent(params.path);
     try {
         const res = await getAPI(input).spaces.getPageInRevisionByPath(
             params.spaceId,
@@ -293,6 +311,8 @@ async function getDocument(
 ) {
     'use cache';
 
+    cacheLife('max');
+
     const res = await getAPI(input).spaces.getDocumentById(params.spaceId, params.documentId);
     return res.data;
 }
@@ -306,6 +326,9 @@ async function getComputedDocument(
 ) {
     'use cache';
 
+    // TODO: we need to resolve dependencies and pass them in the cache key
+    cacheLife('days');
+
     const res = await getAPI(input).spaces.getComputedDocument(params.spaceId, {
         source: params.source,
     });
@@ -322,6 +345,8 @@ async function getReusableContent(
 ) {
     'use cache';
 
+    cacheLife('max');
+
     try {
         const res = await getAPI(input).spaces.getReusableContentInRevisionById(
             params.spaceId,
@@ -348,6 +373,7 @@ async function getLatestOpenAPISpecVersionContent(
     'use cache';
 
     cacheTag(getOpenAPISpecCacheTag(params.organizationId, params.slug));
+    cacheLife('days');
 
     try {
         const res = await getAPI(input).orgs.getLatestOpenApiSpecVersionContent(
@@ -378,6 +404,7 @@ async function getPublishedContentByUrl(
 
     const hostname = new URL(url).hostname;
     cacheTag(getHostnameCacheTag(hostname));
+    cacheLife('days');
 
     const res = await getAPI(input).urls.getPublishedContentByUrl({
         url,
@@ -401,7 +428,10 @@ async function getPublishedContentSite(
     }
 ) {
     'use cache';
+
     cacheTag(getSiteCacheTag(params.siteId));
+    cacheLife('days');
+
     const res = await getAPI(input).orgs.getPublishedContentSite(
         params.organizationId,
         params.siteId,
@@ -423,6 +453,9 @@ async function getSiteRedirectBySource(
 ) {
     'use cache';
 
+    cacheTag(getSiteCacheTag(params.siteId));
+    cacheLife('days');
+
     try {
         const res = await getAPI(input).orgs.getSiteRedirectBySource(
             params.organizationId,
@@ -449,6 +482,22 @@ async function getSiteRedirectBySource(
     }
 }
 
+async function getEmbedByUrl(
+    input: DataFetcherInput,
+    params: {
+        url: string;
+        spaceId: string;
+    }
+) {
+    'use cache';
+
+    cacheLife('weeks');
+
+    const api = getAPI(input);
+    const res = await api.spaces.getEmbedByUrlInSpace(params.spaceId, { url: params.url });
+    return res.data;
+}
+
 function getAPI(input: DataFetcherInput) {
     const { apiEndpoint, apiToken } = input;
     const api = new GitBookAPI({

packages/gitbook-v2/src/lib/data/api.ts

@@ -121,4 +121,9 @@ export interface GitBookDataFetcher {
         siteShareKey: string | undefined;
         source: string;
     }): Promise<{ redirect: api.SiteRedirect | null; target: string } | null>;
+
+    /**
+     * Get an embed by its URL.
+     */
+    getEmbedByUrl(params: { url: string; spaceId: string }): Promise<api.Embed>;
 }

packages/gitbook-v2/src/lib/data/types.ts

@@ -36,3 +36,9 @@ export const GITBOOK_USER_AGENT = process.env.GITBOOK_USER_AGENT ?? 'GitBook-Ope
 export const GITBOOK_DISABLE_TRACKING = Boolean(
     !!process.env.GITBOOK_DISABLE_TRACKING || process.env.NODE_ENV !== 'production'
 );
+
+/**
+ * Hostname serving the integrations.
+ */
+export const GITBOOK_INTEGRATIONS_HOST =
+    process.env.GITBOOK_INTEGRATIONS_HOST ?? 'integrations.gitbook.com';

packages/gitbook-v2/src/lib/env.ts

@@ -1,7 +1,8 @@
 import { GitBookAPIError } from '@gitbook/api';
-import { NextResponse } from 'next/server';
 import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
 
+import { getContentSecurityPolicy } from '@/lib/csp';
 import { removeTrailingSlash } from '@/lib/paths';
 import { getPublishedContentByURL } from '@v2/lib/data';
 import { MiddlewareHeaders } from '@v2/lib/middleware';
@@ -13,12 +14,16 @@ export const config = {
 type URLWithMode = { url: URL; mode: 'url' | 'url-host' };
 
 export async function middleware(request: NextRequest) {
-    const extracted = extractURL(request);
-    if (extracted) {
-        return serveSiteByURL(request, extracted);
-    }
+    try {
+        const extracted = extractURL(request);
+        if (extracted) {
+            return serveSiteByURL(request, extracted);
+        }
 
-    return NextResponse.next();
+        return NextResponse.next();
+    } catch (error) {
+        return serveErrorResponse(error as Error);
+    }
 }
 
 /**
@@ -35,14 +40,6 @@ async function serveSiteByURL(request: NextRequest, urlWithMode: URLWithMode) {
     });
 
     if (result.error) {
-        if (result.error instanceof GitBookAPIError) {
-            return NextResponse.json(
-                {
-                    error: result.error.message,
-                },
-                { status: result.error.code }
-            );
-        }
         throw result.error;
     }
 
@@ -68,9 +65,28 @@ async function serveSiteByURL(request: NextRequest, urlWithMode: URLWithMode) {
         encodeURIComponent(removeTrailingSlash(data.pathname) || '/'),
     ].join('/');
 
-    return NextResponse.rewrite(new URL(`/${route}`, request.url), {
+    const response = NextResponse.rewrite(new URL(`/${route}`, request.url), {
         headers: requestHeaders,
     });
+
+    // Add Content Security Policy header
+    response.headers.set('content-security-policy', getContentSecurityPolicy());
+
+    return response;
+}
+
+/**
+ * Serve an error response.
+ */
+function serveErrorResponse(error: Error) {
+    if (error instanceof GitBookAPIError) {
+        return NextResponse.json(
+            { error: error.message },
+            { status: 500, headers: { 'content-type': 'application/json' } }
+        );
+    }
+
+    throw error;
 }
 
 /**

packages/gitbook-v2/src/middleware.ts

@@ -37,7 +37,6 @@
         "assert-never": "^1.2.1",
         "bun-types": "^1.1.20",
         "classnames": "^2.5.1",
-        "content-security-policy-merger": "^1.0.0",
         "framer-motion": "^10.16.14",
         "js-cookie": "^3.0.5",
         "jsontoxml": "^1.0.1",

packages/gitbook/package.json

@@ -7,7 +7,6 @@ import {
     generateSiteLayoutMetadata,
     generateSiteLayoutViewport,
 } from '@/components/SiteLayout';
-import { getContentSecurityPolicyNonce } from '@/lib/csp';
 import { getSiteContentPointer } from '@/lib/pointer';
 import { shouldTrackEvents } from '@/lib/tracking';
 import { fetchV1ContextForSitePointer } from '@/lib/v1';
@@ -21,14 +20,12 @@ export const dynamic = 'force-dynamic';
 export default async function ContentLayout(props: { children: React.ReactNode }) {
     const { children } = props;
 
-    const nonce = await getContentSecurityPolicyNonce();
     const context = await fetchLayoutData();
     const queryStringTheme = await getThemeFromMiddleware();
 
     return (
         <SiteLayout
             context={context}
-            nonce={nonce}
             forcedTheme={queryStringTheme}
             withTracking={await shouldTrackEvents()}
         >