fix: Sentry to be configured on runtime#2581
Open
ludovicm67 wants to merge 1 commit into
Open
Conversation
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
The Sentry configuration — DSN, environment, and CSP host — was intended to be injected at container startup via environment variables, but none of the values were actually being picked up at runtime after the container was built, but was working well in local development setup.
There were two distinct root causes:
NEXT_PUBLIC_*variables are baked in at build timeSENTRY_DSNandSENTRY_ENVwere exported fromenv.tsasprocess.env.NEXT_PUBLIC_SENTRY_DSN/process.env.NEXT_PUBLIC_SENTRY_ENV.Next.js uses webpack's DefinePlugin to statically inline all
NEXT_PUBLIC_*references into the bundle during next build.By the time the container starts, those values are already frozen as undefined — runtime env vars have no effect.
next.config.jsheaders()is evaluated at build time, not at startupWith output: "standalone", Next.js compiles the result of
headers()intoroutes-manifest.jsonduring next build.NEXT_PUBLIC_SENTRY_CSP,CSP_REPORT_ONLY, andPREVENT_SEARCH_BOTSwere all read inside that function — meaning they too were evaluated once at build time and never re-read from the container environment.Fix
SENTRY_DSN/SENTRY_ENV— dropped theNEXT_PUBLIC_prefix and wired them into the existing runtime injection mechanism:api/client-env.tsalready serves a JS snippet that populateswindow.__clientEnv__at request time, andenv.tsreads from it with aprocess.envfallback. These two vars are now included in that flow.SENTRY_CSP/CSP_REPORT_ONLY/PREVENT_SEARCH_BOTS— moved all CSP andX-Robots-Tagheader generation out ofnext.config.jsand into a newmiddleware.ts.Next.js middleware runs on every request and reads
process.envlive, so all these values are picked up correctly from the container environment.The static security headers that have no env var dependency (
X-Content-Type-Options,Referrer-Policy, etc.) remain innext.config.js.Those changes are needed in the deployed instances:
NEXT_PUBLIC_SENTRY_DSN→SENTRY_DSNNEXT_PUBLIC_SENTRY_ENV→SENTRY_ENVNEXT_PUBLIC_SENTRY_CSP→SENTRY_CSPHow to test
Build the image:
docker build --build-arg NEXTAUTH_URL=https://localhost:3000 -t visualize .And start the app:
docker run -e SENTRY_CSP=https://glitchtip.puzzle.ch -e SENTRY_DSN=https://afa6c897392c46cdb1236235120771f4@glitchtip.puzzle.ch/34 -e SENTRY_ENV=dev -e 'WHITELISTED_DATA_SOURCES=["Prod"]' -e NEXTAUTH_SECRET=dummy --rm -p 3000:3000 -it visualizeYou should see in the logs the value of the
SENTRY_DSNin a log line starting with:Sentry DSN:.When you open the homepage at http://localhost:3000/, you should see in the response headers, that the value from
SENTRY_CSPwas injected into thecontent-security-policyheader.Add Sentry integration backwas already there)