docs: refresh deployment and security guidance

Tom Boullay
2026-05-15 00:26:31 +02:00
parent 3fdbad7bdf
commit 23253c2277
2 changed files with 74 additions and 1950 deletions
+74 -3
@@ -9,23 +9,53 @@ Built for La Fabrik Durable's internal use, but open-sourced for anyone looking
## Stack
- [**Next.js 16** (App Router)](https://nextjs.org/docs/app/getting-started/installation) + [React 19](https://react.dev/learn/creating-a-react-app) + [TypeScript](https://www.typescriptlang.org/docs/)
- [**Next.js 16.2.5** (App Router)](https://nextjs.org/docs/app/getting-started/installation) + [React 19](https://react.dev/learn/creating-a-react-app) + [TypeScript](https://www.typescriptlang.org/docs/)
- [**Three.js**](https://threejs.org/docs/#manual/en/introduction/Creating-a-scene) ([React Three Fiber](https://r3f.docs.pmnd.rs/getting-started/introduction) + [Drei](https://drei.docs.pmnd.rs/getting-started/introduction)) for 3D preview
- [**Tailwind CSS**](https://v3.tailwindcss.com/docs/installation) for styling
- [**Octokit**](https://github.com/octokit/rest.js/#readme) for pushing via the GitHub API
- [**Nextcloud WebDAV**](https://docs.nextcloud.com/server/latest/developer_manual/client_apis/WebDAV/index.html) for Drive archiving with automatic versioning
- [**Sharp**](https://sharp.pixelplumbing.com/install/) for server-side texture compression
- [**Coolify** (Docker)](https://coolify.io/docs/applications/build-packs/dockerfile) for hosting
- [**npm lockfile + Coolify** (Docker)](https://coolify.io/docs/applications/build-packs/dockerfile) for hosting
## Usage
### Development
```bash
npm ci
npm run dev
```
The app runs on `http://localhost:3000` with hot reload. The upload API routes are available under `http://localhost:3000/api/upload/*`
Use npm for this repo. `package-lock.json` is the source of truth for local installs and Coolify builds; no pnpm/yarn lockfile should be committed here.
### Dependency and security policy
The project pins `next` to `16.2.5` to include the May 2026 WebSocket SSRF fix (`CVE-2026-44578` / `GHSA-c4j6-fc7j-m34r`). Do not loosen this back to `^16.2.4` or any range that can resolve below `16.2.5`.
This repo also keeps install-time package scripts disabled by default through `.npmrc` and Docker:
```bash
npm ci --ignore-scripts --no-audit --no-fund
```
When a dependency update is needed, prefer a lockfile-only update in a clean environment with no `.env`, no GitHub token, and no cloud credentials:
```bash
mkdir -p /tmp/npm-clean-home /tmp/npm-clean-cache
env -i \
HOME=/tmp/npm-clean-home \
PATH="$PATH" \
npm_config_userconfig=/tmp/npm-clean-home/.npmrc \
npm_config_cache=/tmp/npm-clean-cache \
npm_config_ignore_scripts=true \
npm_config_audit=false \
npm_config_fund=false \
npm install <package>@<version> --package-lock-only --ignore-scripts --no-audit --no-fund --save-exact
```
The May 2026 TanStack incident affected malicious package versions published to npm, not the npm CLI itself. This repo does not depend on `@tanstack/*`, but other projects should be checked for `@tanstack/setup`, `github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c`, `router_init.js`, `tanstack_runner.js`, and the fake unscoped package `tanstack@2.0.4` through `2.0.7`.
## How it works
1. The user enters their access key
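Review bot: the "Dependency and security policy" block makes `npm ci --ignore-scripts` the default through `.npmrc` and Docker, but the Stack section lists Sharp, which depends on platform-specific binaries; the README should record that the build was verified with scripts disabled (for example that Sharp's binaries arrive as optional dependencies rather than via a `postinstall` script), otherwise the next contributor who hits a missing binary will re-enable scripts and silently undo the policy. Two smaller points in the same hunk: the Stack bullet is renamed to "npm lockfile + Coolify (Docker)" while still linking only to the Coolify build-pack docs, and the lockfile rule is already stated under Usage, so the original "Coolify (Docker)" title reads cleaner; and the clean-environment `npm install ... --package-lock-only` recipe would benefit from a closing verification step (run `npm ci --ignore-scripts --no-audit --no-fund` in a throwaway container, or at least `git diff package-lock.json`) so the updated lockfile is checked before it is committed.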
@@ -198,7 +228,7 @@ docker-entrypoint.sh # Upload temp setup + Blender availability check
```bash
git clone https://github.com/La-Fabrik-Durable/upload-GLTF.git
cd upload-GLTF
npm install
npm ci
```
## Configuration
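Review bot: switching the quickstart from `npm install` to `npm ci` matches the lockfile-as-source-of-truth rule, but it relies on the committed `.npmrc` to disable install scripts, and an `npm_config_ignore_scripts=false` environment variable on a contributor's machine overrides project config. Since the Docker stage spells out `npm ci --ignore-scripts --no-audit --no-fund`, use the same explicit command here so the local and container installs behave identically regardless of user-level npm configuration.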
@@ -234,6 +264,16 @@ NEXTCLOUD_BASE_PATH=Models
### Production (Coolify / Docker)
Coolify must build this repository with the included `Dockerfile`. The dependency stage copies `.npmrc` and runs `npm ci --ignore-scripts --no-audit --no-fund`, so the deployed dependency tree comes from `package-lock.json`.
After a security patch:
1. Push the commit to both remotes.
2. In Coolify, trigger a rebuild with cache disabled when possible.
3. Confirm the build logs show `npm ci --ignore-scripts --no-audit --no-fund`.
4. Confirm the app starts and the upload flow still reaches staging, Drive, and Git.
5. Rotate secrets in Coolify, then redeploy once more with the new values.
```bash
docker build -t upload-gltf .
docker run -p 3000:3000 \
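Review bot: step 5 of "After a security patch" makes secret rotation unconditional ("Rotate secrets in Coolify, then redeploy once more"), while the "Secret rotation" section in this same commit says to rotate only when the previous deployment exposed a vulnerable version, a suspicious install ran on a machine with credentials, or the install host cannot be proven clean; align the two by phrasing step 5 as "Rotate secrets when the conditions in Secret rotation apply, then redeploy". Also, the `docker build` / `docker run` fence now sits directly under the numbered list with no lead sentence, so it reads as a continuation of step 5; a one-line introduction such as "To build and run the image locally:" keeps the local-build instructions separate from the Coolify procedure.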
@@ -247,6 +287,37 @@ docker run -p 3000:3000 \
The Docker image runs the Next.js app, Blender Draco compression, and server-side asset preparation in a single container. The `docker-entrypoint.sh` script creates the upload temp directory and reports Blender availability before launching the app.
### Secret rotation
Rotate secrets after patching if the previous deployment exposed a vulnerable Next.js version, if a suspicious dependency install happened on a machine with credentials, or if you cannot prove the install host was clean.
Recommended order:
1. Generate a new fine-grained `GITHUB_TOKEN` limited to the target model repository with `Contents: Read and write`.
2. Generate a new long random `UPLOAD_SECRET_KEY`.
3. Regenerate the Nextcloud public share token or password when possible.
4. Update the variables in Coolify.
5. Redeploy the patched image.
6. Revoke the old GitHub token and old Nextcloud share credentials after the new deployment is healthy.
Do not commit real `.env` files. `.dockerignore` excludes `.env` and `.env.*`, while keeping `.env.example` as documentation.
### Publishing to remotes
This repo is mirrored to GitHub and Gitea:
```bash
git remote -v
git push origin main
git push gitea main
```
If your local git config has the `pushall` alias, it should be equivalent to:
```bash
git push origin main && git push gitea main
```
## Supported Formats
| Type | Extensions |
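Review bot: the sentence "Do not commit real `.env` files. `.dockerignore` excludes `.env` and `.env.*`" cites the wrong control for the stated risk: `.dockerignore` only keeps the files out of the image build context, it does not stop `git add` from committing them to the GitHub and Gitea mirrors named in "Publishing to remotes"; state that `.gitignore` excludes `.env` and `.env.*` as well (and add the entries if it does not). Two further points: step 1 of the rotation order could note that fine-grained tokens carry an expiry, so the README should say who re-issues the `GITHUB_TOKEN` before it lapses; and "If your local git config has the `pushall` alias, it should be equivalent to" is vague, so either show the `git config alias.pushall` definition the team expects or drop the alias mention and keep only the two explicit `git push` commands.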
-1947 (second file; diff suppressed because it is too large)