Remove SSR related configuration from client app

[strawburster]

References

• Fixes Limit configuration available publicly in config.json #5030
• Related to Limit configuration available publicly in config.json #5045

Description

Split the configuration. config.server.ts now filters sensitive keys (rest.ssrBaseUrl, cache.serverSide, ui.rateLimiter, ui.useProxies) before writing to assets/config.json. The server process retains the full configuration via the return value of buildAppConfig

This PR is provided (cage-free) by The Library Code

Instructions for Reviewers

Build and run the angular app, look at the network inspector for the download of the config.json. Verify that the sensitive keys like rest.ssrBaseUrl or ui.useProxies are not included in the json response.

List of changes in this PR:

• src/config/app-config.interface.ts: add new pure function for returning a filtered AppConfig from a non-filtered one
• src/config/config.server.ts: use the new limiting function

Checklist

This checklist provides a reminder of what we are going to look for when reviewing your PR. You do not need to complete this checklist prior creating your PR (draft PRs are always welcome).
However, reviewers may request that you complete any actions in this list if you have not done so. If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!

• My PR is created against the main branch of code (unless it is a backport or is fixing an issue specific to an older branch).
• My PR is small in size (e.g. less than 1,000 lines of code, not including comments & specs/tests), or I have provided reasons as to why that's not possible.
• My PR passes ESLint validation using npm run lint
• My PR doesn't introduce circular dependencies (verified via npm run check-circ-deps)
• My PR includes TypeDoc comments for all new (or modified) public methods and classes. It also includes TypeDoc for large or complex private methods.
• My PR passes all specs/tests and includes new/updated specs or tests based on the Code Testing Guide.
• My PR aligns with Accessibility guidelines if it makes changes to the user interface.
• My PR uses i18n (internationalization) keys instead of hardcoded English text, to allow for translations.
• My PR includes details on how to test it. I've provided clear instructions to reviewers on how to successfully test this fix or feature.
• If my PR includes new libraries/dependencies (in package.json), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.
• If my PR includes new features or configurations, I've provided basic technical documentation in the PR itself.
• If my PR fixes an issue ticket, I've linked them together.

[strawburster]

I thought of a better way to do this on the train...

[strawburster]

It turns out the way I was thinking was a lot more involved, so I moved it to another PR: #5114 . The idea is that if the config definitions were converted to classes, they could have decorators which declare metadata about each property. I think it's a great long-term solution, however this PR does the bare minimum of removing the sensitive details already.

I believe this PR is ready to merge as a short-term solution, and the other needs to be reviewed more.

[strawburster]

I realized that the config was being added to the production ssr server, I've tested manually in production as well now and can't find the sensitive config properties in the html.

[artlowel]

Thanks @strawburster!

I can verify that this works as described.

However, looking at the code, I'm wondering if it really differs from the approach in #5045. If I add a new config property using this PR, it looks like it will still be exposed to the client automatically. Based on your response on #5045, I was expecting an allowlist-style approach where only properties marked explicitly as client-safe are returned. Was that not your goal?