fix(client): avoid exposing sensitive config when using --build-static

Fixes #119

Author: harlan-zw

packages/client/types.d.ts

@@ -1,4 +1,4 @@
-import type { ResolvedUserConfig, RuntimeSettings } from '@unlighthouse/core'
+import type { ClientOptionsPayload, ScanMeta } from '@unlighthouse/core'
 import type { UnlighthouseRouteReport } from '@unlighthouse/core'
 
 declare global {
@@ -10,6 +10,6 @@ declare global {
     /**
      * Data provided for offline / demo mode.
      */
-    __unlighthouse_payload: { options: ResolvedUserConfig & RuntimeSettings; scanMeta: ScanMeta; reports: UnlighthouseRouteReport[] }
+    __unlighthouse_payload: { options: ClientOptionsPayload; scanMeta: ScanMeta; reports: UnlighthouseRouteReport[] }
   }
 }

packages/core/src/build.ts

@@ -1,8 +1,15 @@
 import { dirname, join, resolve } from 'node:path'
 import fs from 'fs-extra'
 import { withLeadingSlash, withTrailingSlash } from 'ufo'
+import { pick } from 'lodash-es'
 import { useLogger, useUnlighthouse } from './unlighthouse'
-import type { GenerateClientOptions, ResolvedUserConfig, RuntimeSettings, ScanMeta, UnlighthouseContext, UnlighthouseRouteReport } from './types'
+import type {
+  ClientOptionsPayload,
+  GenerateClientOptions,
+  ScanMeta,
+  UnlighthouseContext,
+  UnlighthouseRouteReport,
+} from './types'
 import { createScanMeta } from './data'
 
 /**
@@ -32,13 +39,35 @@ export async function generateClient(options: GenerateClientOptions = {}, unligh
     .replace(/(href|src)="\/assets\/(.*?)"/gm, `$1="${prefix}assets/$2"`)
   await fs.writeFile(resolve(runtimeSettings.generatedClientPath, 'index.html'), indexHTML, 'utf-8')
 
-  const staticData: { options: ResolvedUserConfig & RuntimeSettings; scanMeta: ScanMeta; reports: UnlighthouseRouteReport[] } = {
+  const staticData: { options: ClientOptionsPayload; scanMeta: ScanMeta; reports: UnlighthouseRouteReport[] } = {
     reports: [],
     scanMeta: createScanMeta(),
-    options: { ...runtimeSettings, ...resolvedConfig },
+    // need to be selective about what options we put here to avoid exposing anything sensitive
+    options: pick({
+      ...runtimeSettings,
+      ...resolvedConfig,
+    }, [
+      'client',
+      'site',
+      'websocketUrl',
+      'lighthouseOptions',
+      'scanner',
+      'routerPrefix',
+      'websocketUrl',
+      'apiUrl',
+    ]),
+  }
+  // avoid exposing sensitive cookie / header options
+  staticData.options.lighthouseOptions = { onlyCategories: resolvedConfig.lighthouseOptions.onlyCategories }
+  if (options.static) {
+    staticData.reports = worker.reports().map((r) => {
+      return {
+        ...r,
+        // avoid exposing user paths
+        artifactPath: '',
+      }
+    })
   }
-  if (options.static)
-    staticData.reports = worker.reports()
 
   await fs.writeFile(
     join(runtimeSettings.generatedClientPath, 'assets', 'payload.js'),

packages/core/src/types.ts

@@ -488,6 +488,9 @@ export interface ResolvedUserConfig {
   }
 }
 
+export type ClientOptionsPayload = Pick<ResolvedUserConfig, 'client' | 'site' | 'lighthouseOptions' | 'scanner' | 'routerPrefix'>
+& Pick<RuntimeSettings, 'websocketUrl' | 'apiUrl'>
+
 export type DeepPartial<T> = T extends Function ? T : (T extends object ? { [P in keyof T]?: DeepPartial<T[P]>; } : T)
 export type UserConfig = DeepPartial<ResolvedUserConfig>