Skip to content
Open
Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
54 commits
Select commit Hold shift + click to select a range
f2fc11b
feat(i18n): localize Peers, Access Control, Groups modules to Chinese
sakuradairong Jun 18, 2026
bd2c5ce
feat(i18n): localize Users, Service Users, Groups main pages
sakuradairong Jun 18, 2026
c4469af
feat(i18n): localize DNS, Reverse Proxy, Settings, Posture Checks, Ne…
sakuradairong Jun 18, 2026
27fe310
feat(docker): containerize localized dashboard
sakuradairong Jun 18, 2026
da01b5b
feat(i18n): expand Chinese localization and fix env substitution
sakuradairong Jun 18, 2026
bb6c304
feat(i18n): localize remaining reverse proxy, table headers and modal…
sakuradairong Jun 18, 2026
21e4ceb
fix(server): add comment explaining single-locale /zh fallback logic
sakuradairong Jun 18, 2026
4bd5eda
fix(i18n): address CodeRabbit review — localize confirmation dialogs,…
sakuradairong Jun 18, 2026
6c363b6
fix(i18n): localize RestrictedAccess component and add restrictedAcce…
sakuradairong Jun 18, 2026
98a7923
feat(i18n): cookie-based locale detection with English default and sw…
sakuradairong Jun 20, 2026
c05a3ee
fix(i18n): localize remaining hardcoded UI strings across settings an…
sakuradairong Jun 20, 2026
96f15d7
fix(i18n): localize remaining hardcoded titles in user detail, peers …
sakuradairong Jun 20, 2026
2dc523c
fix(i18n): localize Cancel button text across 25 modal components
sakuradairong Jun 20, 2026
77b413d
fix(i18n): localize aria-label attributes across 12 components
sakuradairong Jun 20, 2026
50c2ffa
fix(i18n): localize Danger Zone account deletion text
sakuradairong Jun 20, 2026
5c4df7a
merge: resolve conflict with origin/main (IdentityProviderModal logou…
sakuradairong Jun 20, 2026
d894c74
fix(i18n): localize Settings tab sub-categories (forms, labels, help …
sakuradairong Jun 20, 2026
bddc357
fix(i18n): localize Resource Access Control, Peer Expiration, Peer Se…
sakuradairong Jun 20, 2026
055252d
Merge remote-tracking branch 'origin/main' into localize-zh-v2.39.0
sakuradairong Jun 23, 2026
312c32f
fix(i18n): localize Peer sections and Posture Checks components
sakuradairong Jun 23, 2026
dc9c9d9
fix(i18n): localize RouteModal, SetupKeyModal, CreateAccessTokenModal
sakuradairong Jun 23, 2026
8e40fd8
fix(i18n): localize IdentityProviderModal, ChangePasswordModal, Creat…
sakuradairong Jun 23, 2026
acf427d
fix(i18n): localize groups sections, DNS records, route modals, rever…
sakuradairong Jun 23, 2026
fcb1e8c
fix(i18n): localize UserInviteModal and team/user page
sakuradairong Jun 23, 2026
0ccc0f9
fix(i18n): localize AuthenticationTab
sakuradairong Jun 23, 2026
c0fe4d0
fix(i18n): localize PeerMultiSelect and add route keys
sakuradairong Jun 23, 2026
c8eec5a
fix(i18n): add accessControlGroups and autoApply keys
sakuradairong Jun 23, 2026
11ca0c6
Merge remote-tracking branch 'origin/main' into localize-zh-v2.39.0
sakuradairong Jun 23, 2026
e89c56b
fix(i18n): commit remaining locale changes for team/user, PeerMultiSe…
sakuradairong Jun 23, 2026
9cd0d6c
fix(i18n): convert PeersTable columns to useTranslations
sakuradairong Jun 23, 2026
249da77
fix(i18n): convert UsersTable columns to useTranslations
sakuradairong Jun 23, 2026
722c9fb
fix(i18n): localize AccessTokensTable and SetupKeysTable columns
sakuradairong Jun 23, 2026
f9326f6
fix(i18n): localize PeerSSHToggle and PeerEditIPModal
sakuradairong Jun 23, 2026
fdc7af1
fix(i18n): localize peer SSH, edit IP, routes, access tokens and setu…
sakuradairong Jun 23, 2026
9bbbeea
i18n: localize notifications module (channels, modals, events)
sakuradairong Jun 23, 2026
3b870a0
i18n: localize reverse-proxy terminated service badge
sakuradairong Jun 23, 2026
9d1cd3e
i18n: localize invoices module (tab, table, action cells, type cells)
sakuradairong Jun 23, 2026
1e0b124
i18n: localize webhooks module (general, headers, auth, config)
sakuradairong Jun 23, 2026
3cb8244
i18n: add survey and aws marketplace translation keys
sakuradairong Jun 23, 2026
a6f46b1
i18n: localize critical UI components into Chinese
Jun 23, 2026
46d20e5
i18n: localize remaining UI strings in users module
Jun 24, 2026
3bb1a61
i18n: localize Peers, Activity, Setup Keys modules
Jun 24, 2026
5eb928f
i18n: localize Routes, DNS, Networks, Access Control modules
Jun 24, 2026
2bd2e03
i18n: add untranslated English string baseline
Jun 24, 2026
2ce9f90
Merge remote-tracking branch 'origin/main' into localize-zh-v2.39.0
sakuradairong Jun 24, 2026
7e4e2f0
fix(i18n): resolve build/type errors, sync main, and address CodeRabb…
sakuradairong Jun 24, 2026
d9b9bb5
i18n: remove unused navigation and routing modules
Jun 26, 2026
43a9649
i18n: add IntlMessages type augmentation for next-intl
Jun 26, 2026
1514a48
i18n: localize dashboard page metadata titles
Jun 26, 2026
92dc5b2
i18n: add translation keys for onboarding, posture checks and routes
Jun 26, 2026
b13b7de
i18n: localize onboarding intent, completion and demo-call screens
Jun 26, 2026
fdcf641
i18n: localize posture checks table and action components
Jun 26, 2026
083b5db
i18n: replace string concatenations with message interpolation
Jun 26, 2026
9bb8d2f
fix(i18n): use users namespace for admin label in service users table
Jun 26, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 9 additions & 20 deletions docker/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,24 +1,13 @@
FROM alpine:3.14
FROM node:22-alpine

RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext \
nginx curl supervisor certbot-nginx && \
rm -rf /var/cache/apk/* && mkdir -p /run/nginx
WORKDIR /usr/share/nginx/html

STOPSIGNAL SIGINT
EXPOSE 80
EXPOSE 443
ENTRYPOINT ["/usr/bin/supervisord","-c","/etc/supervisord.conf"]
# Copy build files
COPY out/ /usr/share/nginx/html/

WORKDIR /usr/share/nginx/html
# copy configuration files
COPY docker/default.conf /etc/nginx/http.d/default.conf
COPY docker/nginx.conf /etc/nginx/nginx.conf
COPY docker/init_cert.sh /usr/local/init_cert.sh
COPY docker/init_react_envs.sh /usr/local/init_react_envs.sh
RUN chmod +x /usr/local/init_cert.sh && rm /etc/crontabs/root
RUN chmod +x /usr/local/init_react_envs.sh
# Copy server script
COPY docker/server.js /server.js

EXPOSE 80

# configure supervisor
COPY docker/supervisord.conf /etc/supervisord.conf
# copy build files
COPY out/ /usr/share/nginx/html/
CMD ["node", "/server.js"]
Comment on lines +1 to +13

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Container runs as root user, which is a security risk.

The container runs the Node.js server as root by default. If the server is compromised, an attacker gains root privileges inside the container. Add a non-root user and switch to it before running the application.

🔒 Proposed fix to run as non-root user
 FROM node:22-alpine
 
 WORKDIR /usr/share/nginx/html
 
 # Copy build files
 COPY out/ /usr/share/nginx/html/
 
 # Copy server script
 COPY docker/server.js /server.js
 
+# Create non-root user and set ownership
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nodejs -u 1001 -G nodejs && \
+    chown -R nodejs:nodejs /usr/share/nginx/html /server.js
+
+USER nodejs
+
 EXPOSE 80
 
 CMD ["node", "/server.js"]

Note: Port 80 is a privileged port (<1024). If you switch to a non-root user, you'll need to either use a higher port (e.g., 8080) or grant CAP_NET_BIND_SERVICE capability.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM node:22-alpine
RUN apk add --no-cache bash curl less ca-certificates git tzdata zip gettext \
nginx curl supervisor certbot-nginx && \
rm -rf /var/cache/apk/* && mkdir -p /run/nginx
WORKDIR /usr/share/nginx/html
STOPSIGNAL SIGINT
EXPOSE 80
EXPOSE 443
ENTRYPOINT ["/usr/bin/supervisord","-c","/etc/supervisord.conf"]
# Copy build files
COPY out/ /usr/share/nginx/html/
WORKDIR /usr/share/nginx/html
# copy configuration files
COPY docker/default.conf /etc/nginx/http.d/default.conf
COPY docker/nginx.conf /etc/nginx/nginx.conf
COPY docker/init_cert.sh /usr/local/init_cert.sh
COPY docker/init_react_envs.sh /usr/local/init_react_envs.sh
RUN chmod +x /usr/local/init_cert.sh && rm /etc/crontabs/root
RUN chmod +x /usr/local/init_react_envs.sh
# Copy server script
COPY docker/server.js /server.js
EXPOSE 80
# configure supervisor
COPY docker/supervisord.conf /etc/supervisord.conf
# copy build files
COPY out/ /usr/share/nginx/html/
\ No newline at end of file
CMD ["node", "/server.js"]
FROM node:22-alpine
WORKDIR /usr/share/nginx/html
# Copy build files
COPY out/ /usr/share/nginx/html/
# Copy server script
COPY docker/server.js /server.js
# Create non-root user and set ownership
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001 -G nodejs && \
chown -R nodejs:nodejs /usr/share/nginx/html /server.js
USER nodejs
EXPOSE 80
CMD ["node", "/server.js"]
🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/Dockerfile` around lines 1 - 13, The Dockerfile runs the Node.js
server as root which is a security vulnerability. Create a non-root user in the
Dockerfile using RUN commands to add a new user and group, then add a USER
directive before the CMD instruction to switch to this non-root user.
Additionally, you will need to adjust the EXPOSE port from 80 to a higher
unprivileged port like 8080 (since port 80 requires root privileges), and update
the server.js script to listen on the new port instead.

Source: Linters/SAST tools

138 changes: 138 additions & 0 deletions docker/server.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
const http = require('http');
const fs = require('fs');
const path = require('path');
const root = path.resolve('/usr/share/nginx/html');

const MIME = {
'.html': 'text/html', '.css': 'text/css', '.js': 'application/javascript',
'.json': 'application/json', '.png': 'image/png', '.jpg': 'image/jpeg',
'.svg': 'image/svg+xml', '.ico': 'image/x-icon', '.wasm': 'application/wasm',
'.ttf': 'font/ttf', '.woff': 'font/woff', '.woff2': 'font/woff2',
'.txt': 'text/plain', '.xml': 'text/xml'
};

// Replace both placeholder styles used by generated assets and templates.
const ENV_KEYS = [
'USE_AUTH0',
'AUTH_AUDIENCE',
'AUTH_AUTHORITY',
'AUTH_CLIENT_ID',
'AUTH_CLIENT_SECRET',
'AUTH_SUPPORTED_SCOPES',
'NETBIRD_MGMT_API_ENDPOINT',
'NETBIRD_MGMT_GRPC_API_ENDPOINT',
'NETBIRD_HOTJAR_TRACK_ID',
'NETBIRD_GOOGLE_ANALYTICS_ID',
'NETBIRD_GOOGLE_TAG_MANAGER_ID',
'AUTH_REDIRECT_URI',
'AUTH_SILENT_REDIRECT_URI',
'NETBIRD_TOKEN_SOURCE',
'NETBIRD_DRAG_QUERY_PARAMS',
'NETBIRD_WASM_PATH',
'AUTH0_DOMAIN',
'AUTH0_CLIENT_ID',
'AUTH0_AUDIENCE',
];

function substituteEnv(content) {
let changed = false;
for (const key of ENV_KEYS) {
const val = process.env[key] || '';
for (const pattern of ['$$' + key, '$' + key]) {
if (content.includes(pattern)) {
content = content.split(pattern).join(val);
changed = true;
}
}
}
return { content, changed };
}

function walkDir(dir) {
try {
const entries = fs.readdirSync(dir, { withFileTypes: true });
for (const entry of entries) {
const full = path.join(dir, entry.name);
if (entry.isDirectory()) walkDir(full);
else if (entry.isFile() && /\.(js|html|txt|json)$/.test(entry.name)) {
const result = substituteEnv(fs.readFileSync(full, 'utf8'));
if (result.changed) fs.writeFileSync(full, result.content, 'utf8');
}
}
} catch (e) {
console.warn('Failed to substitute environment variables:', e);
}
}

console.log('Substituting environment variables...');
try {
const tmpl = path.join(root, 'OidcTrustedDomains.js.tmpl');
if (fs.existsSync(tmpl)) {
const result = substituteEnv(fs.readFileSync(tmpl, 'utf8'));
fs.writeFileSync(path.join(root, 'OidcTrustedDomains.js'), result.content, 'utf8');
}
} catch (e) {
console.warn('Failed to create OidcTrustedDomains.js:', e);
}

walkDir(root);
console.log('Environment substitution complete.');

function isFile(p) {
try { return fs.statSync(p).isFile(); } catch(e) { return false; }
}

function safePath(p) {
const abs = path.resolve(root, '.' + p);
return abs === root || abs.startsWith(root + path.sep) ? abs : null;
}

function resolvePath(url) {
let p = url.split('?')[0];
if (!p.startsWith('/')) p = '/' + p;
if (p === '/' || p.endsWith('/')) p += 'index.html';
const abs = safePath(p);
if (abs && isFile(abs)) return abs;
// Try .html suffix (Next.js static export uses path.html)
const asHtml = safePath(p + '.html');
if (asHtml && isFile(asHtml)) return asHtml;
// Try path/index.html
const asDirIndex = safePath(p + '/index.html');
if (asDirIndex && isFile(asDirIndex)) return asDirIndex;
// Single-locale build: the static export places pages under /zh/.
// Fall back to /zh so that paths like /networks still resolve when the
// user navigates directly to a non-prefixed URL.
if (!p.startsWith('/zh')) {
const zh = safePath('/zh' + p);
if (zh && isFile(zh)) return zh;
const zhHtml = safePath('/zh' + p + '.html');
if (zhHtml && isFile(zhHtml)) return zhHtml;
const zhDirIndex = safePath('/zh' + p + '/index.html');
if (zhDirIndex && isFile(zhDirIndex)) return zhDirIndex;
}
Comment thread
coderabbitai[bot] marked this conversation as resolved.
return null;
}

http.createServer((req, res) => {
const filePath = resolvePath(req.url);
if (filePath) {
const ext = path.extname(filePath);
fs.readFile(filePath, (err, data) => {
if (err) { send404(res); return; }
res.writeHead(200, {
'Content-Type': MIME[ext] || 'application/octet-stream',
'Cache-Control': ['.html', '.js'].includes(ext) ? 'no-store, no-cache, must-revalidate, max-age=0' : 'public, max-age=3600'
});
res.end(data);
});
} else {
send404(res);
}
}).listen(80, () => console.log('NetBird Dashboard running on port 80'));

function send404(res) {
fs.readFile(path.join(root, '404.html'), (err, data) => {
res.writeHead(404, {'Content-Type': 'text/html', 'Cache-Control': 'no-store'});
res.end(err ? '404 Not Found' : data);
});
}
6 changes: 5 additions & 1 deletion next.config.js
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
const createNextIntlPlugin = require('next-intl/plugin');

const withNextIntl = createNextIntlPlugin('./src/i18n/request.ts');

/** @type {import('next').NextConfig} */
const nextConfig = {
output: "export",
Expand All @@ -12,4 +16,4 @@ const nextConfig = {
},
};

module.exports = nextConfig;
module.exports = withNextIntl(nextConfig);
Loading