feat: Add sensitive info example (#153)

* feat: Add sensitive info example

* Remove site key from async method

* Message adjustments

Author: davidmytton

.trunk/trunk.yaml

@@ -17,14 +17,14 @@ runtimes:
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
 lint:
   enabled:
-    - [email protected].255
+    - [email protected].257
     - [email protected]
     - git-diff-check
     - [email protected]
-    - osv-scanner@1.8.5
+    - osv-scanner@1.9.0
     - [email protected]
-    - trivy@0.55.2
-    - [email protected].6
+    - trivy@0.56.2
+    - [email protected].8
     - [email protected]
 actions:
   enabled:

README.md

@@ -8,10 +8,11 @@
 # Arcjet example app
 
 [Arcjet](https://arcjet.com) helps developers protect their apps in just a few
-lines of code. This is an example application demonstrating the use of multiple
-features.
+lines of code. Bot detection. Rate limiting. Email validation. Attack
+protection. Data redaction. A developer-first approach to security.
 
-This example is deployed at
+This is an example Next.js application demonstrating the use of multiple
+features. It is deployed at
 [https://example.arcjet.com](https://example.arcjet.com).
 
 ## Features
@@ -28,6 +29,9 @@ This example is deployed at
 - [Attack protection](https://example.arcjet.com/attack) demonstrates Arcjet
   Shield, which detects suspicious behavior, such as SQL injection and
   cross-site scripting attacks.
+- [Sensitive info](https://example.arcjet.com/sensitive-info) protects against
+  clients sending you sensitive information such as PII that you do not wish to
+  handle.
 
 ## Deploy it now
 
@@ -68,7 +72,6 @@ npm run dev
   example](https://github.com/arcjet/arcjet-js/tree/main/examples/nextjs-14-react-hook-form))
 - Client-side validation: [Zod](https://zod.dev/)
 - Security: [Arcjet](https://arcjet.com/)
-- Platform: [Vercel](https://vercel.com/) (see [our integration](https://vercel.com/integrations/arcjet))
 
 [vercel_deploy]: https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Farcjet%2Farcjet-js-example&project-name=arcjet-example&repository-name=arcjet-example&developer-id=oac_1GEcKBuKBilVnjToj1QUwdb8&demo-title=Arcjet%20Example%20&demo-description=Example%20rate%20limiting%2C%20bot%20protection%2C%20email%20verification%20%26%20form%20protection.&demo-url=https%3A%2F%2Fgithub.com%2Farcjet%2Farcjet-js-example&demo-image=https%3A%2F%2Fapp.arcjet.com%2Fimg%2Fexample-apps%2Fvercel%2Fdemo-image.jpg&integration-ids=oac_1GEcKBuKBilVnjToj1QUwdb8&external-id=arcjet-js-example◊
 [vercel_button]: https://vercel.com/button

app/attack/page.tsx

@@ -2,15 +2,14 @@ import VisitDashboard from "@/components/compositions/VisitDashboard";
 import WhatNext from "@/components/compositions/WhatNext";
 import useSiteKey from "@/components/effects/useSiteKey";
 import Divider from "@/components/elements/Divider";
+import styles from "@/components/elements/PageShared.module.scss";
 import type { Metadata } from "next";
 import Link from "next/link";
 
-import styles from "@/components/elements/PageShared.module.scss";
-
 export const metadata: Metadata = {
-  title: "Arcjet attack protection",
+  title: "Attack protection example",
   description:
-    "Arcjet Shield detects suspicious behavior, such as SQL injection and cross-site scripting attacks.",
+    "An example of Arcjet's attack protection for Next.js. Protect Next.js against SQL injection, cross-site scripting, and other attacks.",
 };
 
 export default function IndexPage() {

app/bots/page.tsx

@@ -8,9 +8,8 @@ import Link from "next/link";
 import styles from "@/components/elements/PageShared.module.scss";
 
 export const metadata: Metadata = {
-  title: "Arcjet bot protection example",
-  description:
-    "An example of Arcjet's bot protection configured to block automated clients.",
+  title: "Bot protection example",
+  description: "An example of Arcjet's bot protection for Next.js.",
 };
 
 export default function IndexPage() {

app/layout.tsx

@@ -21,7 +21,6 @@ export const metadata: Metadata = {
     template: `%s - ${siteConfig.name}`,
   },
   description: siteConfig.description,
-
   icons: [
     {
       rel: "icon",

app/page.tsx

@@ -13,6 +13,9 @@ export default function IndexPage() {
     <section className={styles.Content}>
       <div className={styles.Section}>
         <div className="flex max-w-[980px] flex-col items-start gap-6">
+          <h1 className="text-3xl font-extrabold leading-tight tracking-tighter md:text-4xl">
+            Arcjet Next.js example app
+          </h1>
           <p className="max-w-[700px] text-lg">
             <Link
               href="https://arcjet.com"
@@ -21,12 +24,12 @@ export default function IndexPage() {
             >
               Arcjet
             </Link>{" "}
-            helps developers protect their apps in just a few lines of code.
-            Implement rate limiting, bot protection, email verification &
-            defense against common attacks.
+            helps developers protect their apps in just a few lines of code. Bot
+            detection. Rate limiting. Email validation. Attack protection. Data
+            redaction. A developer-first approach to security.
           </p>
           <p className="max-w-[700px] text-secondary-foreground">
-            This application shows of the key features of Arcjet. The code is{" "}
+            This is an example Next.js application using Arcjet. The code is{" "}
             <Link
               href="https://github.com/arcjet/arcjet-js-example"
               target="_blank"
@@ -66,6 +69,12 @@ export default function IndexPage() {
             >
               Attack protection
             </Link>
+            <Link
+              href="/sensitive-info"
+              className={buttonVariants({ variant: "default" })}
+            >
+              Sensitive info
+            </Link>
           </div>
         </div>
       </div>

app/rate-limiting/page.tsx

@@ -12,16 +12,13 @@ import Link from "next/link";
 import styles from "@/components/elements/PageShared.module.scss";
 
 export const metadata: Metadata = {
-  title: "Arcjet rate limit example",
-  description:
-    "An example of Arcjet's rate limiting with different limits depending on authentication.",
+  title: "Rate limiting example",
+  description: "An example of Arcjet's rate limiting for Next.js.",
 };
 
 export default async function IndexPage() {
   const session = await auth();
 
-  const { siteKey } = useSiteKey();
-
   return (
     <section className={styles.Content}>
       <div className={styles.Section}>
@@ -80,8 +77,6 @@ export default async function IndexPage() {
         </p>
 
         {session?.user ? <SignOut /> : <SignIn />}
-
-        {siteKey && <VisitDashboard />}
       </div>
 
       <Divider />
@@ -113,7 +108,7 @@ export default async function IndexPage() {
 
       <Divider />
 
-      <WhatNext deployed={siteKey != null} />
+      <WhatNext />
     </section>
   );
 }

app/sensitive-info/page.tsx

@@ -0,0 +1,87 @@
+import { SupportForm } from "@/components/SuppportForm";
+import VisitDashboard from "@/components/compositions/VisitDashboard";
+import WhatNext from "@/components/compositions/WhatNext";
+import useSiteKey from "@/components/effects/useSiteKey";
+import Divider from "@/components/elements/Divider";
+import styles from "@/components/elements/PageShared.module.scss";
+import type { Metadata } from "next";
+import Link from "next/link";
+
+export const metadata: Metadata = {
+  title: "Sensitive info detection example",
+  description:
+    "An example of Arcjet's sensitive info detection for Next.js. Detect credit card numbers and other PII with Next.js.",
+};
+
+export default function IndexPage() {
+  const { siteKey } = useSiteKey();
+
+  return (
+    <section className={styles.Content}>
+      <div className={styles.Section}>
+        <h1 className="text-3xl font-extrabold leading-tight tracking-tighter md:text-4xl">
+          Arcjet sensitive info detection example
+        </h1>
+        <p className="max-w-[700px] text-lg">
+          This form uses{" "}
+          <Link
+            href="https://docs.arcjet.com/sensitive-info/concepts"
+            className="font-bold decoration-1 underline-offset-2 hover:underline"
+          >
+            Arcjet&apos;s sensitive info detection
+          </Link>{" "}
+          feature which is configured to detect credit card numbers. It can be
+          configured to detect other types of sensitive information and custom
+          patterns.
+        </p>
+        <p className="max-w-[700px] text-secondary-foreground">
+          The request is analyzed entirely on your server so no sensitive
+          information is sent to Arcjet.
+        </p>
+      </div>
+
+      <Divider />
+
+      <div className={styles.Section}>
+        <h2 className="text-xl font-bold">Try it</h2>
+
+        <div className="flex gap-4">
+          <SupportForm />
+        </div>
+
+        {siteKey && <VisitDashboard />}
+      </div>
+
+      <Divider />
+
+      <div className={styles.Section}>
+        <h2 className="text-xl font-bold">See the code</h2>
+        <p className="text-secondary-foreground">
+          The{" "}
+          <Link
+            href="https://github.com/arcjet/arcjet-js-example/blob/main/app/sensitive-info/test/route.ts"
+            target="_blank"
+            rel="noreferrer"
+            className="font-bold decoration-1 underline-offset-2 hover:underline"
+          >
+            API route
+          </Link>{" "}
+          imports a{" "}
+          <Link
+            href="https://github.com/arcjet/arcjet-js-example/blob/main/lib/arcjet.ts"
+            target="_blank"
+            rel="noreferrer"
+            className="font-bold decoration-1 underline-offset-2 hover:underline"
+          >
+            centralized Arcjet client
+          </Link>{" "}
+          which sets base rules.
+        </p>
+      </div>
+
+      <Divider />
+
+      <WhatNext deployed={siteKey != null} />
+    </section>
+  );
+}

app/sensitive-info/schema.ts

@@ -0,0 +1,17 @@
+import { z } from "zod";
+
+// Zod schema for client-side validation of the form fields. Arcjet will do
+// server-side validation as well because you can't trust the client.
+// Client-side validation improves the UX by providing immediate feedback
+// whereas server-side validation is necessary for security.
+export const formSchema = z.object({
+  supportMessage: z
+    .string()
+    .min(5, { message: "Your message must be at least 5 characters." })
+    .max(1000, {
+      message:
+        "Your message is too long. Please shorten it to 1000 characters.",
+    }),
+});
+
+export const emptyFormSchema = z.object({});

app/sensitive-info/submitted/page.tsx

@@ -0,0 +1,29 @@
+import { SupportForm } from "@/components/SuppportForm";
+import VisitDashboard from "@/components/compositions/VisitDashboard";
+import WhatNext from "@/components/compositions/WhatNext";
+import useSiteKey from "@/components/effects/useSiteKey";
+import Divider from "@/components/elements/Divider";
+import Link from "next/link";
+
+import styles from "@/components/elements/PageShared.module.scss";
+
+export default function IndexPage() {
+  const { siteKey } = useSiteKey();
+
+  return (
+    <section className={styles.Content}>
+      <div className={styles.Section}>
+        <h1 className="text-3xl font-extrabold leading-tight tracking-tighter md:text-4xl">
+          Form submitted
+        </h1>
+        <p className="max-w-[700px] text-lg">
+          If this were a real form, your message would have been submitted.
+        </p>
+      </div>
+
+      <Divider />
+
+      <WhatNext deployed={siteKey != null} />
+    </section>
+  );
+}

app/sensitive-info/test/route.ts

@@ -0,0 +1,77 @@
+import { formSchema } from "@/app/sensitive-info/schema";
+import arcjet, { sensitiveInfo, shield } from "@/lib/arcjet";
+import { NextRequest, NextResponse } from "next/server";
+
+// Add rules to the base Arcjet instance outside of the handler function
+const aj = arcjet
+  .withRule(
+    // Arcjet's protectSignup rule is a combination of email validation, bot
+    // protection and rate limiting. Each of these can also be used separately
+    // on other routes e.g. rate limiting on a login route. See
+    // https://docs.arcjet.com/get-started
+    sensitiveInfo({
+      mode: "LIVE", // Will block requests, use "DRY_RUN" to log only
+      deny: ["CREDIT_CARD_NUMBER", "EMAIL"], // Deny requests with credit card numbers
+    }),
+  )
+  // You can chain multiple rules, so we'll include shield
+  .withRule(
+    // Shield detects suspicious behavior, such as SQL injection and cross-site
+    // scripting attacks.
+    shield({
+      mode: "LIVE",
+    }),
+  );
+
+export async function POST(req: NextRequest) {
+  const fingerprint = req.ip!;
+  const decision = await aj.protect(req, { fingerprint });
+
+  console.log("Arcjet decision: ", decision);
+
+  if (decision.isDenied()) {
+    if (decision.reason.isSensitiveInfo()) {
+      const message =
+        "please do not include credit card numbers in your message.";
+
+      return NextResponse.json(
+        { message, reason: decision.reason },
+        { status: 400 },
+      );
+    } else {
+      return NextResponse.json({ message: "Forbidden" }, { status: 403 });
+    }
+  } else if (decision.isErrored()) {
+    console.error("Arcjet error:", decision.reason);
+    if (decision.reason.message == "[unauthenticated] invalid key") {
+      return NextResponse.json(
+        {
+          message:
+            "invalid Arcjet key. Is the ARCJET_KEY environment variable set?",
+        },
+        { status: 500 },
+      );
+    } else {
+      return NextResponse.json(
+        { message: "Internal server error: " + decision.reason.message },
+        { status: 500 },
+      );
+    }
+  }
+
+  const json = await req.json();
+  const data = formSchema.safeParse(json);
+
+  if (!data.success) {
+    const { error } = data;
+
+    return NextResponse.json(
+      { message: "invalid request", error },
+      { status: 400 },
+    );
+  }
+
+  return NextResponse.json({
+    ok: true,
+  });
+}

app/signup/page.tsx

@@ -3,10 +3,17 @@ import VisitDashboard from "@/components/compositions/VisitDashboard";
 import WhatNext from "@/components/compositions/WhatNext";
 import useSiteKey from "@/components/effects/useSiteKey";
 import Divider from "@/components/elements/Divider";
+import type { Metadata } from "next";
 import Link from "next/link";
 
 import styles from "@/components/elements/PageShared.module.scss";
 
+export const metadata: Metadata = {
+  title: "Signup form protection example",
+  description:
+    "An example of Arcjet's signup form protection for Next.js which includes email verification, rate limiting, and bot protection.",
+};
+
 export default function IndexPage() {
   const { siteKey } = useSiteKey();