chore: bump version to 1.10.4

- Standardized indentation and formatting in `sentry.client.config.ts`, `sentry.server.config.ts`, and `sentry.edge.config.ts` for consistency.

.env.example

@@ -42,6 +42,8 @@ DOMAIN_NAME=localhost
 
 ENABLE_CORS=false
 CORS_DOMAIN_NAME=localhost
+SENTRY_DSN=
+NEXT_PUBLIC_SENTRY_DSN=
 
 # Media Limits (in KB)
 MAX_IMAGE_SIZE_KB=512

.gitea/workflows/ci.yml

@@ -106,3 +106,5 @@ jobs:
           MAIL_FROM: ${{ secrets.MAIL_FROM }}
           DOMAIN_NAME: ${{ secrets.DOMAIN_NAME }}
           NEXT_PUBLIC_API_URL: ${{ secrets.NEXT_PUBLIC_API_URL }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+          NEXT_PUBLIC_SENTRY_DSN: ${{ secrets.NEXT_PUBLIC_SENTRY_DSN }}

backend/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@memegoat/backend",
-	"version": "1.9.7",
+	"version": "1.10.4",
 	"description": "",
 	"author": "",
 	"private": true,

backend/src/auth/auth.service.ts

@@ -103,10 +103,9 @@ export class AuthService {
 	}
 
 	async login(dto: LoginDto, userAgent?: string, ip?: string) {
-		this.logger.log(`Login attempt for email: ${dto.email}`);
-		const { email, password } = dto;
-
-		const emailHash = await this.hashingService.hashEmail(email);
+		const emailHash = await this.hashingService.hashEmail(dto.email);
+		this.logger.log(`Login attempt for email hash: ${emailHash}`);
+		const { password } = dto;
 		const user = await this.usersService.findByEmailHash(emailHash);
 
 		if (!user) {

backend/src/common/filters/http-exception.filter.spec.ts

@@ -0,0 +1,90 @@
+import { ArgumentsHost, HttpException, HttpStatus } from "@nestjs/common";
+import { Test, TestingModule } from "@nestjs/testing";
+import * as Sentry from "@sentry/nestjs";
+import { AllExceptionsFilter } from "./http-exception.filter";
+
+jest.mock("@sentry/nestjs", () => ({
+	captureException: jest.fn(),
+	withScope: jest.fn((callback) => {
+		const scope = {
+			setUser: jest.fn(),
+			setTag: jest.fn(),
+			setExtra: jest.fn(),
+		};
+		callback(scope);
+		return scope;
+	}),
+}));
+
+describe("AllExceptionsFilter", () => {
+	let filter: AllExceptionsFilter;
+
+	beforeEach(async () => {
+		const module: TestingModule = await Test.createTestingModule({
+			providers: [AllExceptionsFilter],
+		}).compile();
+
+		filter = module.get<AllExceptionsFilter>(AllExceptionsFilter);
+	});
+
+	it("should hash the IP address and send it to Sentry for 500 errors", () => {
+		const mockResponse = {
+			status: jest.fn().mockReturnThis(),
+			json: jest.fn().mockReturnThis(),
+		};
+		const mockRequest = {
+			url: "/test",
+			method: "GET",
+			ip: "127.0.0.1",
+			user: { sub: "user-123" },
+		};
+		const mockArgumentsHost = {
+			switchToHttp: () => ({
+				getResponse: () => mockResponse,
+				getRequest: () => mockRequest,
+			}),
+		} as ArgumentsHost;
+
+		const exception = new Error("Internal Server Error");
+
+		filter.catch(exception, mockArgumentsHost);
+
+		expect(mockResponse.status).toHaveBeenCalledWith(
+			HttpStatus.INTERNAL_SERVER_ERROR,
+		);
+		expect(Sentry.withScope).toHaveBeenCalled();
+
+		// Vérifier que captureException a été appelé (via withScope)
+		expect(Sentry.captureException).toHaveBeenCalledWith(exception);
+	});
+
+	it("should include hashed IP in logs", () => {
+		const loggerSpy = jest.spyOn((filter as any).logger, "warn");
+		const mockResponse = {
+			status: jest.fn().mockReturnThis(),
+			json: jest.fn().mockReturnThis(),
+		};
+		const mockRequest = {
+			url: "/test",
+			method: "GET",
+			ip: "1.2.3.4",
+		};
+		const mockArgumentsHost = {
+			switchToHttp: () => ({
+				getResponse: () => mockResponse,
+				getRequest: () => mockRequest,
+			}),
+		} as ArgumentsHost;
+
+		const exception = new HttpException("Bad Request", HttpStatus.BAD_REQUEST);
+
+		filter.catch(exception, mockArgumentsHost);
+
+		expect(mockResponse.status).toHaveBeenCalledWith(HttpStatus.BAD_REQUEST);
+
+		// L'IP 1.2.3.4 hachée en SHA256 contient un hash de 64 caractères
+		const logCall = loggerSpy.mock.calls[0][0];
+		expect(logCall).toMatch(/[a-f0-9]{64}/);
+		expect(logCall).not.toContain("1.2.3.4");
+	});
+});

backend/src/common/filters/http-exception.filter.ts

@@ -1,3 +1,4 @@
+import { createHash } from "node:crypto";
 import {
 	ArgumentsHost,
 	Catch,
@@ -39,6 +40,11 @@ export class AllExceptionsFilter implements ExceptionFilter {
 		const userId = request.user?.sub || request.user?.id;
 		const userPart = userId ? `[User: ${userId}] ` : "";
 
+		const ip = request.ip || "unknown";
+		const hashedIp = createHash("sha256")
+			.update(ip as string)
+			.digest("hex");
+
 		const errorResponse = {
 			statusCode: status,
 			timestamp: new Date().toISOString(),
@@ -51,14 +57,20 @@ export class AllExceptionsFilter implements ExceptionFilter {
 		};
 
 		if (status === HttpStatus.INTERNAL_SERVER_ERROR) {
-			Sentry.captureException(exception);
+			Sentry.withScope((scope) => {
+				scope.setUser({
+					id: userId,
+					ip_address: hashedIp,
+				});
+				Sentry.captureException(exception);
+			});
 			this.logger.error(
-				`${userPart}${request.method} ${request.url} - Error: ${exception instanceof Error ? exception.message : "Unknown error"}`,
+				`${userPart}${hashedIp} ${request.method} ${request.url} - Error: ${exception instanceof Error ? exception.message : "Unknown error"}`,
 				exception instanceof Error ? exception.stack : "",
 			);
 		} else {
 			this.logger.warn(
-				`${userPart}${request.method} ${request.url} - Status: ${status} - Message: ${JSON.stringify(message)}`,
+				`${userPart}${hashedIp} ${request.method} ${request.url} - Status: ${status} - Message: ${JSON.stringify(message)}`,
 			);
 		}
 

backend/src/common/middlewares/crawler-detection.middleware.ts

@@ -1,3 +1,4 @@
+import { createHash } from "node:crypto";
 import { CACHE_MANAGER } from "@nestjs/cache-manager";
 import { Inject, Injectable, Logger, NestMiddleware } from "@nestjs/common";
 import type { Cache } from "cache-manager";
@@ -48,11 +49,15 @@ export class CrawlerDetectionMiddleware implements NestMiddleware {
 		const { method, url, ip } = req;
 		const userAgent = req.get("user-agent") || "unknown";
 
+		const hashedIp = createHash("sha256")
+			.update(ip as string)
+			.digest("hex");
+
 		// Vérifier si l'IP est bannie
 		try {
 			const isBanned = await this.cacheManager.get(`banned_ip:${ip}`);
 			if (isBanned) {
-				this.logger.warn(`Banned IP attempt: ${ip} -> ${method} ${url}`);
+				this.logger.warn(`Banned IP attempt: ${hashedIp} -> ${method} ${url}`);
 				res.status(403).json({
 					message: "Access denied: Your IP has been temporarily banned.",
 				});
@@ -60,7 +65,7 @@ export class CrawlerDetectionMiddleware implements NestMiddleware {
 			}
 		} catch (error) {
 			this.logger.error(
-				`Error checking ban status for IP ${ip}: ${error.message}`,
+				`Error checking ban status for IP ${hashedIp}: ${error.message}`,
 			);
 			// On continue même en cas d'erreur Redis pour ne pas bloquer les utilisateurs légitimes
 		}
@@ -76,14 +81,14 @@ export class CrawlerDetectionMiddleware implements NestMiddleware {
 
 				if (isSuspiciousPath || isBotUserAgent) {
 					this.logger.warn(
-						`Potential crawler detected: [${ip}] ${method} ${url} - User-Agent: ${userAgent}`,
+						`Potential crawler detected: [${hashedIp}] ${method} ${url} - User-Agent: ${userAgent}`,
 					);
 
 					// Bannir l'IP pour 24h via Redis
 					try {
 						await this.cacheManager.set(`banned_ip:${ip}`, true, 86400000);
 					} catch (error) {
-						this.logger.error(`Error banning IP ${ip}: ${error.message}`);
+						this.logger.error(`Error banning IP ${hashedIp}: ${error.message}`);
 					}
 				}
 			}

backend/src/health.controller.spec.ts

@@ -1,8 +1,13 @@
 import { CACHE_MANAGER } from "@nestjs/cache-manager";
 import { Test, TestingModule } from "@nestjs/testing";
+import * as Sentry from "@sentry/nestjs";
 import { DatabaseService } from "./database/database.service";
 import { HealthController } from "./health.controller";
 
+jest.mock("@sentry/nestjs", () => ({
+	getClient: jest.fn(),
+}));
+
 describe("HealthController", () => {
 	let controller: HealthController;
 
@@ -37,10 +42,15 @@ describe("HealthController", () => {
 	it("should return ok if database and redis are connected", async () => {
 		mockDb.execute.mockResolvedValue([]);
 		mockCacheManager.set.mockResolvedValue(undefined);
+		(Sentry.getClient as jest.Mock).mockReturnValue({
+			getOptions: () => ({ dsn: "http://dsn" }),
+		});
+
 		const result = await controller.check();
 		expect(result.status).toBe("ok");
 		expect(result.database).toBe("connected");
 		expect(result.redis).toBe("connected");
+		expect(result.sentry).toBe("active");
 	});
 
 	it("should return error if database is disconnected", async () => {
@@ -62,4 +72,19 @@ describe("HealthController", () => {
 		expect(result.redis).toBe("disconnected");
 		expect(result.redisError).toBe("Redis Error");
 	});
+
+	it("should return sentry disabled if client or dsn is missing", async () => {
+		mockDb.execute.mockResolvedValue([]);
+		mockCacheManager.set.mockResolvedValue(undefined);
+		(Sentry.getClient as jest.Mock).mockReturnValue(undefined);
+
+		const result = await controller.check();
+		expect(result.sentry).toBe("disabled");
+
+		(Sentry.getClient as jest.Mock).mockReturnValue({
+			getOptions: () => ({ dsn: undefined }),
+		});
+		const result2 = await controller.check();
+		expect(result2.sentry).toBe("disabled");
+	});
 });

backend/src/health.controller.ts

@@ -1,5 +1,6 @@
 import { CACHE_MANAGER } from "@nestjs/cache-manager";
 import { Controller, Get, Inject } from "@nestjs/common";
+import * as Sentry from "@sentry/nestjs";
 import type { Cache } from "cache-manager";
 import { sql } from "drizzle-orm";
 import { DatabaseService } from "./database/database.service";
@@ -39,6 +40,14 @@ export class HealthController {
 			health.redisError = error.message;
 		}
 
+		// Check Sentry status
+		const sentryClient = Sentry.getClient();
+		if (sentryClient?.getOptions().dsn) {
+			health.sentry = "active";
+		} else {
+			health.sentry = "disabled";
+		}
+
 		return health;
 	}
 }

backend/src/main.ts

@@ -1,6 +1,8 @@
+import { createHash } from "node:crypto";
 import { Logger, ValidationPipe } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
 import { NestFactory } from "@nestjs/core";
+import { NestExpressApplication } from "@nestjs/platform-express";
 import * as Sentry from "@sentry/nestjs";
 import { nodeProfilingIntegration } from "@sentry/profiling-node";
 import helmet from "helmet";
@@ -8,19 +10,44 @@ import { AppModule } from "./app.module";
 import { AllExceptionsFilter } from "./common/filters/http-exception.filter";
 
 async function bootstrap() {
-	const app = await NestFactory.create(AppModule);
+	const app = await NestFactory.create<NestExpressApplication>(AppModule);
 	const configService = app.get(ConfigService);
 	const logger = new Logger("Bootstrap");
 
+	// Activer trust proxy pour récupérer l'IP réelle derrière un reverse proxy
+	app.set("trust proxy", true);
+
 	const sentryDsn = configService.get<string>("SENTRY_DSN");
 	if (sentryDsn) {
-		Sentry.init({
-			dsn: sentryDsn,
-			integrations: [nodeProfilingIntegration()],
-			tracesSampleRate: 1.0,
-			profilesSampleRate: 1.0,
-			sendDefaultPii: false, // RGPD
-		});
+		try {
+			Sentry.init({
+				dsn: sentryDsn,
+				integrations: [Sentry.nestIntegration(), nodeProfilingIntegration()],
+				tracesSampleRate: 1.0,
+				profilesSampleRate: 1.0,
+				sendDefaultPii: false, // RGPD
+				beforeSend(event) {
+					// Hachage de l'IP utilisateur pour Sentry si elle est présente
+					if (event.user?.ip_address) {
+						event.user.ip_address = createHash("sha256")
+							.update(event.user.ip_address)
+							.digest("hex");
+					}
+					return event;
+				},
+			});
+
+			const client = Sentry.getClient();
+			if (client?.getOptions().dsn) {
+				logger.log("Sentry is initialized and connection is active");
+			} else {
+				logger.warn("Sentry initialized but DSN is missing");
+			}
+		} catch (error) {
+			logger.error(`Failed to initialize Sentry: ${error.message}`);
+		}
+	} else {
+		logger.warn("Sentry is disabled (SENTRY_DSN not configured)");
 	}
 
 	// Sécurité

docker-compose.prod.yml

@@ -104,6 +104,7 @@ services:
       ENABLE_CORS: ${ENABLE_CORS:-true}
       CLAMAV_HOST: memegoat-clamav
       CLAMAV_PORT: 3310
+      SENTRY_DSN: ${SENTRY_DSN}
       MAX_IMAGE_SIZE_KB: 1024
       MAX_GIF_SIZE_KB: 4096
 
@@ -133,6 +134,7 @@ services:
       NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:-https://api.memegoat.fr}
       NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL:-https://memegoat.fr}
       NEXT_PUBLIC_CONTACT_EMAIL: ${MAIL_FROM:-noreply@memegoat.fr}
+      NEXT_PUBLIC_SENTRY_DSN: ${NEXT_PUBLIC_SENTRY_DSN}
     depends_on:
       - backend
 

docker-compose.yml

@@ -98,6 +98,7 @@ services:
       ENABLE_CORS: ${ENABLE_CORS:-true}
       CLAMAV_HOST: clamav
       CLAMAV_PORT: 3310
+      SENTRY_DSN: ${SENTRY_DSN}
 
   clamav:
     image: clamav/clamav:1.4
@@ -121,6 +122,7 @@ services:
     environment:
       NODE_ENV: production
       NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:-http://localhost:3000}
+      NEXT_PUBLIC_SENTRY_DSN: ${NEXT_PUBLIC_SENTRY_DSN}
     depends_on:
       - backend
 

frontend/next.config.ts

@@ -1,3 +1,4 @@
+import { withSentryConfig } from "@sentry/nextjs";
 import type { NextConfig } from "next";
 
 const appUrl = process.env.NEXT_PUBLIC_APP_URL || "https://memegoat.fr";
@@ -29,4 +30,23 @@ const nextConfig: NextConfig = {
 	output: "standalone",
 };
 
-export default nextConfig;
+export default withSentryConfig(nextConfig, {
+	// For all available options, see:
+	// https://github.com/getsentry/sentry-webpack-plugin#options
+
+	org: "yidhra",
+	project: "javascript-nextjs",
+
+	// Only print logs for uploading source maps in CI
+	silent: !process.env.CI,
+
+	// For all available options, see:
+	// https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/
+
+	// Upload a larger set of source maps for prettier stack traces (increases build time)
+	widenClientFileUpload: true,
+
+	// Route browser requests to Sentry through a Next.js rewrite to circumvent ad-blockers.
+	// This can increase your server load as well as your Sentry bill.
+	tunnelRoute: "/monitoring",
+});

frontend/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@memegoat/frontend",
-	"version": "1.9.7",
+	"version": "1.10.4",
 	"private": true,
 	"scripts": {
 		"dev": "next dev",
@@ -38,6 +38,7 @@
 		"@radix-ui/react-toggle": "^1.1.10",
 		"@radix-ui/react-toggle-group": "^1.1.11",
 		"@radix-ui/react-tooltip": "^1.2.8",
+		"@sentry/nextjs": "^10.38.0",
 		"axios": "^1.13.2",
 		"class-variance-authority": "^0.7.1",
 		"clsx": "^2.1.1",

frontend/sentry.client.config.ts

@@ -0,0 +1,22 @@
+import * as Sentry from "@sentry/nextjs";
+
+Sentry.init({
+	dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
+
+	// Ajustez ces valeurs en production
+	tracesSampleRate: 1.0,
+
+	// Replay est activé par défaut
+	replaysSessionSampleRate: 0.1,
+	replaysOnErrorSampleRate: 1.0,
+
+	integrations: [
+		Sentry.replayIntegration({
+			maskAllText: true,
+			blockAllMedia: true,
+		}),
+	],
+
+	// Protection PII
+	sendDefaultPii: false,
+});

frontend/sentry.edge.config.ts

@@ -0,0 +1,11 @@
+import * as Sentry from "@sentry/nextjs";
+
+Sentry.init({
+	dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
+
+	// Ajustez ces valeurs en production
+	tracesSampleRate: 1.0,
+
+	// Protection PII
+	sendDefaultPii: false,
+});

frontend/sentry.server.config.ts

@@ -0,0 +1,22 @@
+import { createHash } from "node:crypto";
+import * as Sentry from "@sentry/nextjs";
+
+Sentry.init({
+	dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
+
+	// Ajustez ces valeurs en production
+	tracesSampleRate: 1.0,
+
+	// Protection PII
+	sendDefaultPii: false,
+
+	beforeSend(event) {
+		// Hachage de l'IP utilisateur pour Sentry si elle est présente
+		if (event.user?.ip_address) {
+			event.user.ip_address = createHash("sha256")
+				.update(event.user.ip_address)
+				.digest("hex");
+		}
+		return event;
+	},
+});

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@memegoat/source",
-  "version": "1.9.7",
+  "version": "1.10.4",
   "description": "",
   "scripts": {
     "version:get": "cmake -P version.cmake GET",