6ba3fb0722
couple interesting things here as followups to the CSP work.
- first of all, again, good call on doing the report-only to start with @SomeHats 🤘
- I combed through all the Sentry logs, looking for issues. a lot of them were browser extensions and could be ignored.
- there were some other ones that needed fixing up though.

fixes in this PR:
- [x] CSP emulation in dev: make sure it's running in development so that we can catch things locally. this is done via the meta tag.
- [x] `connect-src` add `blob`: this was breaking copy/export as svg/png
- [x] image testing: expand list of pasted image extensions to include avif and some others
- [x] image pasting: this didn't really work in the first place because typically even with CSP disabled, you'll mainly run into CORS issues. I think it's a pretty crap user experience. So, I moved this logic to actually be in the URL unfurling. Lemme know what you think! I don't think we should proxy the actual image data - that sounds ... intense 😬 even though it would produce a better user experience technically.
- [x] investigated `manifest-src` errors: but it actually seems fine? Weird thing here is that `manifest-src` isn't explicitly in the CSP so it falls back to the `default-src` of `self` which is fine. Trying it on tldraw.com it seems just fine with no errors but inexplicably some users are hitting these errors. I'm guessing maybe it's an ad-blocker type behavior maybe.
- [x] `font-src` add `data`: I'm actually unsure if this is quite necessary but I _think_ embedded fonts in SVGs are causing the problem. However, I can't reproduce this, I just don't mind adding this.

Before / After for pasting image URLs (not a CSP issue, to be clear, but a CORS issue)

## Before
<img width="448" alt="Screenshot 2024-07-12 at 17 59 42" src="https://github.com/user-attachments/assets/e8ce267b-48fd-49cd-b0f7-0fd20c0b9a1d">

## After
<img width="461" alt="Screenshot 2024-07-12 at 18 00 06" src="https://github.com/user-attachments/assets/9956590d-fe37-4708-bc26-0c454f8151b4">

### Change type
- [ ] `bugfix`
- [ ] `improvement`
- [ ] `feature`
- [ ] `api`
- [x] `other`

### Release notes
- Security: more CSP work on dotcom
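
The report triage described in the PR text above, as an added example that is not part of the tldraw code base: it resolves which source list applies to a reported directive (including the `manifest-src` fallback to `default-src`) and separates browser-extension reports from ones that still need a policy decision. The policy string, the sample reports, and all function names are constructed for illustration.

```javascript
// Constructed policy: only the directives and sources named in the PR text above.
const POLICY = "default-src 'self'; connect-src 'self' blob:; font-src 'self' data:";

// Fetch directives that fall back directly to default-src when absent from the policy.
const FALLS_BACK = new Set(['connect-src', 'font-src', 'img-src', 'manifest-src',
  'media-src', 'object-src', 'script-src', 'style-src']);
// URL schemes used by browser-extension pages and content scripts.
const EXTENSION_SCHEMES = new Set(['chrome-extension', 'moz-extension', 'safari-web-extension']);

// Parse a policy string into Map(directive -> source list); the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Source list the browser enforces for a directive, or null if nothing applies.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return FALLS_BACK.has(name) ? (directives.get('default-src') ?? null) : null;
}

// Browsers may report non-HTTP(S) URLs as the bare scheme ("blob"); accept both forms.
function schemeOf(value) {
  const m = /^([a-z][a-z0-9+.-]*)(?::|$)/i.exec(value || '');
  return m ? m[1].toLowerCase() : null;
}

// Classify one violation report body against the policy currently deployed.
function triage(report, directives) {
  const blocked = schemeOf(report['blocked-uri']);
  const source = schemeOf(report['source-file']);
  if (EXTENSION_SCHEMES.has(blocked) || EXTENSION_SCHEMES.has(source)) return 'extension-noise';
  const sources = effectiveSources(directives, report['effective-directive']) || [];
  if (blocked && sources.includes(`${blocked}:`)) return 'allowed-by-current-policy';
  return 'needs-review';
}

// Constructed sample reports, shaped like the "csp-report" object browsers send.
const SAMPLE_REPORTS = [
  { 'effective-directive': 'connect-src', 'blocked-uri': 'blob', 'source-file': 'https://app.example/main.js' },
  { 'effective-directive': 'script-src', 'blocked-uri': 'chrome-extension', 'source-file': 'chrome-extension' },
  { 'effective-directive': 'manifest-src', 'blocked-uri': 'https://cdn.example/manifest.json' },
];
console.log(SAMPLE_REPORTS.map((r) => triage(r, parsePolicy(POLICY))));
```

Running older report-only events through `triage` with the updated policy shows which ones the new `blob:` and `data:` sources already cover and which still need a person to look at them.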
Project overview
This project is a Next.js application which contains both the tldraw free and the tldraw pro applications. We are currently using the Next.js 13 option of having both a `pages` (tldraw free) and an `app` (tldraw pro) directory inside the same app. We did this because the free offering is the continuation of a Next.js version 12 app, and it allowed us to combine it with the new App Router option from Next.js 13 for tldraw pro without having to do a full migration to App Router.
We also split the supabase into two projects:
- `tldraw-v2` for tldraw free, where we mainly store the snapshots data
- `tldraw-pro` for tldraw pro, which holds all the relational data that the pro version requires
On top of that we also use R2 for storing the documents data.
How to run the project
Tldraw pro
The development of tldraw pro happens against a local supabase instance. To set that up, you'll first need to install & start docker.
Once docker is started & you've run `yarn` to install tldraw's dependencies, the rest should be handled automatically. Running `yarn dev-app` will:
- Start a local instance of supabase
- Run any database migrations
- Update your `.env.local` file with credentials for your local supabase instance
- Start tldraw
The supabase local development docs are a good reference. When working on tldraw, the supabase command is available by running `yarn supabase` in the `apps/app` directory, e.g. `yarn supabase status`.
When you're finished, we don't stop supabase because it takes a while each time we start and stop it. Run `yarn supabase stop` to stop it manually.
If you write any new database migrations, you can apply those with `yarn supabase migration up`.
Some helpers
- You can see your db schema at the `Studio URL` printed out in step 2.
- If you ever need to reset your local supabase instance you can run `supabase db reset` in the root of the `apps/app` project.
- The production version of Supabase sends out emails for certain events (email confirmation link, password reset link, etc). In local development you can find these emails at the `Inbucket URL` printed out in step 2.
Tldraw free
The development of tldraw free happens against the production supabase instance. We only store snapshots data to one of the three tables, depending on the environment. The tables are:
- `snapshots` - for production
- `snapshots_staging` - for staging
- `snapshots_dev` - for development
For local development you need to add the following env variables to `.env.local`:
- `SUPABASE_URL` - use the production supabase url
- `SUPABASE_KEY` - use the production supabase anon key
Once you have the environment variables set up you can run `yarn dev-app` from the root folder of our repo to start developing.
Running database tests
You need to have a psql client installed. You can then run `yarn test-supabase` to run db tests.
Sending emails
We are using Resend for sending emails. It allows us to write emails as React components. Emails live in a separate app, `apps/tl-emails`.
Right now we are only using Resend via Supabase, but in the future we will probably also include Resend in our application and send emails directly.
The development workflow is as follows:
1. Creating / updating an email template
To start the development server for email, run `yarn dev-email` from the root folder of our repo. You can then open http://localhost:3333 to see the result. This allows for quick local development of email templates.
Any images you want to use in the email should be uploaded to the `email` bucket in supabase.
Supabase provides some custom params (like the magic link url) that we can insert into our email; check their website for more info.
2. Generating the `html` version of the email
Once you are happy with the email template you can run `yarn build-email` from the root folder of our repo. This will generate the `html` version of the email and place it in the `apps/tl-emails/out` folder.
3. Updating the template in Supabase
Once you have the `html` version of the email you can copy it into the Supabase template editor. You can find the templates here.