feat: whyrating - initial project from turbostarter boilerplate

2026-02-04 01:54:52 +01:00
commit 5cdc07cd39
1618 changed files with 338230 additions and 0 deletions
--- a/apps/web/next.config.ts
+++ b/apps/web/next.config.ts
@@ -0,0 +1,123 @@
+import type { NextConfig } from "next";
+
+import env from "./env.config";
+
+const INTERNAL_PACKAGES = [
+  "@turbostarter/analytics-web",
+  "@turbostarter/api",
+  "@turbostarter/auth",
+  "@turbostarter/billing",
+  "@turbostarter/cms",
+  "@turbostarter/email",
+  "@turbostarter/db",
+  "@turbostarter/i18n",
+  "@turbostarter/monitoring-web",
+  "@turbostarter/shared",
+  "@turbostarter/storage",
+  "@turbostarter/ui",
+  "@turbostarter/ui-web",
+];
+
+// Security headers for production
+const securityHeaders = [
+  {
+    key: "X-DNS-Prefetch-Control",
+    value: "on",
+  },
+  {
+    key: "Strict-Transport-Security",
+    value: "max-age=63072000; includeSubDomains; preload",
+  },
+  {
+    key: "X-Frame-Options",
+    value: "SAMEORIGIN",
+  },
+  {
+    key: "X-Content-Type-Options",
+    value: "nosniff",
+  },
+  {
+    key: "X-XSS-Protection",
+    value: "1; mode=block",
+  },
+  {
+    key: "Referrer-Policy",
+    value: "strict-origin-when-cross-origin",
+  },
+  {
+    key: "Permissions-Policy",
+    value: "camera=(), microphone=(), geolocation=(), interest-cohort=()",
+  },
+  // Content-Security-Policy - configured for development flexibility
+  // In production, tighten 'unsafe-inline' and 'unsafe-eval' as needed
+  {
+    key: "Content-Security-Policy",
+    value: [
+      "default-src 'self'",
+      "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com https://challenges.cloudflare.com",
+      "style-src 'self' 'unsafe-inline'",
+      "img-src 'self' data: blob: https: http:",
+      "font-src 'self' data:",
+      "connect-src 'self' https://api.stripe.com https://*.sentry.io wss:",
+      "frame-src 'self' https://js.stripe.com https://hooks.stripe.com https://challenges.cloudflare.com",
+      "object-src 'none'",
+      "base-uri 'self'",
+      "form-action 'self'",
+      "frame-ancestors 'self'",
+      "upgrade-insecure-requests",
+    ].join("; "),
+  },
+];
+
+const config: NextConfig = {
+  reactStrictMode: true,
+  output: "standalone",
+  // Type checking runs during build — fix type errors instead of skipping them
+  serverExternalPackages: [
+    "better-sqlite3",
+    "@mapbox/node-pre-gyp",
+  ],
+  turbopack: {
+    rules: {
+      "*.svg": {
+        loaders: ["@svgr/webpack"],
+        as: "*.js",
+      },
+    },
+  },
+
+  images: {
+    remotePatterns: [
+      {
+        hostname: "images.unsplash.com",
+      },
+    ],
+  },
+
+  /** Enables hot reloading for local packages without a build step */
+  transpilePackages: INTERNAL_PACKAGES,
+  experimental: {
+    optimizePackageImports: INTERNAL_PACKAGES,
+  },
+
+  // Apply security headers only in production
+  // CSP with upgrade-insecure-requests breaks Next.js client-side navigation in dev
+  async headers() {
+    if (process.env.NODE_ENV !== "production") {
+      return [];
+    }
+    return [
+      {
+        // Apply to all routes
+        source: "/:path*",
+        headers: securityHeaders,
+      },
+    ];
+  },
+};
+
+const withBundleAnalyzer = require("@next/bundle-analyzer")({
+  enabled: env.ANALYZE,
+});
+
+export default withBundleAnalyzer(config);