[fix] minio exposing current bucket contents publically

docker-compose.yml

@@ -108,14 +108,16 @@ services:
       MINIO_ROOT_USER: ${AWS_ACCESS_KEY_ID}
       MINIO_ROOT_PASSWORD: ${AWS_SECRET_ACCESS_KEY}
 
-  createbuckets:
-    image: minio/mc
-    entrypoint: >
-      /bin/sh -c " /usr/bin/mc config host add plane-minio http://plane-minio:9000 \$AWS_ACCESS_KEY_ID \$AWS_SECRET_ACCESS_KEY; /usr/bin/mc mb plane-minio/\$AWS_S3_BUCKET_NAME; /usr/bin/mc anonymous set download plane-minio/\$AWS_S3_BUCKET_NAME; exit 0; "
+  configure-minio:
+    build:
+      context: .
+      dockerfile: ./minio/Dockerfile.minio
+    entrypoint: /usr/local/bin/minio.sh ${AWS_ACCESS_KEY_ID} ${AWS_SECRET_ACCESS_KEY} ${AWS_S3_BUCKET_NAME}
     env_file:
       - .env
     depends_on:
       - plane-minio
+
 
   # Comment this if you already have a reverse proxy running
   proxy:

minio.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+AWS_ACCESS_KEY_ID=$1
+AWS_SECRET_ACCESS_KEY=$2
+AWS_S3_BUCKET_NAME=$3
+
+/usr/bin/mc config host add plane-minio http://plane-minio:9000 $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY; 
+
+/usr/bin/mc mb $AWS_S3_BUCKET_NAME; 
+/usr/bin/mc anonymous set download $AWS_S3_BUCKET_NAME;
+
+# Create the policy JSON file
+cat <<EOF > policy.json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Action": [
+          "s3:ListBucket"
+        ],
+        "Effect": "Deny",
+        "Resource": [
+          "arn:aws:s3:::uploads/*"
+        ]
+      },
+      {
+        "Action": [
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:DeleteObject"
+        ],
+        "Effect": "Allow",
+        "Resource": [
+          "arn:aws:s3:::uploads/*"
+        ]
+      }
+    ]
+}
+EOF
+
+# Create and apply the policy
+/usr/bin/mc admin policy create plane-minio blocking-file-listing policy.json
+# /usr/bin/mc admin policy attach plane-minio read-only-policy user
+
+/usr/bin/mc admin service restart plane-minio
+
+exit 0;

minio/Dockerfile.minio

@@ -0,0 +1,7 @@
+FROM minio/mc
+
+# Copy the setup script
+COPY minio.sh /usr/local/bin/
+
+# Set the execute permission for the setup script
+RUN chmod +x /usr/local/bin/minio.sh

nginx/nginx.conf.template

@@ -11,6 +11,11 @@ http {
 
         client_max_body_size ${FILE_SIZE_LIMIT};
 
+        add_header X-Content-Type-Options    "nosniff" always;
+        add_header Referrer-Policy           "no-referrer-when-downgrade" always;
+        add_header Permissions-Policy        "interest-cohort=()" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
         location / {
             proxy_pass http://web:3000/;
         }
@@ -20,11 +25,12 @@ http {
         }
 
         location /spaces/ {
+            rewrite ^/spaces/?$ /spaces/login break;
             proxy_pass http://space:3000/spaces/;
         }
 
         location /${BUCKET_NAME}/ {
             proxy_pass http://plane-minio:9000/uploads/;
         }
     }
-}
+}

space/components/accounts/sign-in.tsx

@@ -33,15 +33,15 @@ export const SignInView = observer(() => {
   const onSignInSuccess = (response: any) => {
     const isOnboarded = response?.user?.onboarding_step?.profile_complete || false;
 
-    const nextPath = router.asPath.includes("next_path") ? router.asPath.split("/?next_path=")[1] : "/";
+    const nextPath = router.asPath.includes("next_path") ? router.asPath.split("/?next_path=")[1] : "/login";
 
     userStore.setCurrentUser(response?.user);
 
     if (!isOnboarded) {
       router.push(`/onboarding?next_path=${nextPath}`);
       return;
     }
-    router.push((nextPath ?? "/").toString());
+    router.push((nextPath ?? "/login").toString());
   };
 
   const handleGoogleSignIn = async ({ clientId, credential }: any) => {

space/components/views/index.ts

@@ -1 +1 @@
-export * from "./home";
+export * from "./login";

space/components/views/home.tsx → space/components/views/login.tsx

@@ -4,7 +4,7 @@ import { useMobxStore } from "lib/mobx/store-provider";
 // components
 import { SignInView, UserLoggedIn } from "components/accounts";
 
-export const HomeView = observer(() => {
+export const LoginView = observer(() => {
   const { user: userStore } = useMobxStore();
 
   if (!userStore.currentUser) return <SignInView />;

space/pages/login/index.tsx

@@ -0,0 +1,8 @@
+import React from "react";
+
+// components
+import { LoginView } from "components/views";
+
+const LoginPage = () => <LoginView />;
+
+export default LoginPage;