const express = require('express');
const morgan = require('morgan');
const tourRouter = require('./routes/tourRoutes');
const userRouter = require('./routes/userRoutes');
const reviewRouter = require('./routes/reviewRoutes');
const bookingRouter = require('./routes/bookingRoutes');
const viewRouter = require('./routes/viewRoutes');
const AppError = require('./utils/appError');
const globalErrorHandler = require('./controllers/errorController');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');
const hpp = require('hpp');
const cookieParser = require('cookie-parser');
const cors = require('cors');
const compression = require('compression');
// Express application instance; every middleware and router below is mounted on it.
const app = express();

// CORS. An origin-pinned, credentialed configuration
// (`cors({ credentials: true, origin: 'http://localhost:8000' })`) was tried earlier
// and is left disabled in favour of the package defaults.
//
// NOTE(review): the handler below advertises `Access-Control-Allow-Credentials: true`
// while `cors()` with no options answers `Access-Control-Allow-Origin: *`. Browsers
// reject that combination for credentialed requests, so cookies are not exchanged
// cross-origin in practice. If credentials are needed, re-enable an explicit origin
// allow-list rather than widening the wildcard, and never reflect `req.headers.origin`.
app.use((req, res, next) => {
  res.setHeader('Access-Control-Allow-Credentials', true);
  next();
});
app.use(cors(/* { credentials: true, origin: 'http://localhost:8000' } */));
// Answer CORS preflight (OPTIONS) for every path.
app.options('*', cors());

// Server-side rendering with pug templates located in ./views.
app.set('view engine', 'pug');
app.set('views', `${__dirname}/views`);
// MIDDLEWARES
// Security HTTP headers (helmet).
//
// NOTE(review): the Content-Security-Policy below allows every source
// (`default-src *`) plus inline and eval'd scripts, so it does not stop injected
// script from running; it merely documents that the app ships such content.
// Restrict it to the concrete origins the views load from before relying on it.
// NOTE(review): `allowOrigins` is not a documented helmet option for
// crossOriginResourcePolicy (helmet reads `{ policy }`), so the emitted
// Cross-Origin-Resource-Policy header most likely falls back to helmet's default —
// confirm which value is intended.
const helmetOptions = {
  // Cross-Origin-Embedder-Policy is switched off entirely.
  crossOriginEmbedderPolicy: false,
  crossOriginResourcePolicy: {
    allowOrigins: ['*'],
  },
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ['*'],
      // A single string carrying several sources; helmet joins directive values with spaces.
      scriptSrc: ["* data: 'unsafe-eval' 'unsafe-inline' blob:"],
    },
  },
};
app.use(helmet(helmetOptions));
// Request logging, only while developing.
if (process.env.NODE_ENV === 'development') {
  app.use(morgan('dev'));
}

// JSON body parser; bodies above 10kb are rejected, which bounds memory spent per request.
app.use(express.json({ limit: '10kb' }));

// Remove MongoDB operator characters (`$`, `.`) from incoming keys to block NoSQL query injection.
app.use(mongoSanitize());

// Sanitize HTML/JavaScript in user-supplied input (XSS mitigation on the way in).
app.use(xss());

// HTTP parameter pollution: hpp keeps a single value for a repeated query key,
// except for the filter fields below where several values are legitimate
// (e.g. `?duration=5&duration=9`).
const hppWhitelist = [
  'duration',
  'ratingsQuantity',
  'ratingsAverage',
  'maxGroupSize',
  'difficulty',
  'price',
];
app.use(hpp({ whitelist: hppWhitelist }));

// Static assets from ./public.
app.use(express.static(`${__dirname}/public`));

// Populate req.cookies for the handlers downstream.
app.use(cookieParser());

// Compress response bodies.
app.use(compression());

// Stamp each request with a human-readable receive time (locale-dependent string).
app.use((req, res, next) => {
  req.requestTime = new Date().toLocaleString();
  next();
});
// Rate limiting for the API: at most 100 requests per client IP per hour.
// NOTE(review): express-rate-limit keys on req.ip; behind a reverse proxy or load
// balancer `app.set('trust proxy', …)` is required, otherwise every client shares
// the proxy's address and a single bucket — confirm the deployment topology.
const ONE_HOUR_MS = 60 * 60 * 1000;
const limiter = rateLimit({
  max: 100,
  windowMs: ONE_HOUR_MS,
  message:
    'Too many requests from this IP address, please try again in an hour!',
});
// Only the JSON API is limited; the rendered views are not.
app.use('/api', limiter);
// ROUTES
app.use('/', viewRouter);
app.use('/api/v1/tours', tourRouter);
app.use('/api/v1/users', userRouter);
app.use('/api/v1/reviews', reviewRouter);
app.use('/api/v1/bookings', bookingRouter);

// Catch-all for anything no router handled: hand a 404 AppError to the error
// middleware (passing an argument to next() skips the remaining non-error handlers).
// NOTE(review): the message embeds the raw req.originalUrl; the error handler must
// escape it when rendering HTML (pug's `#{}` does, `!{}` does not) — confirm in
// errorController.
// NOTE(review): Express 5 no longer accepts a bare `'*'` path (`'/{*splat}'` is the
// new form) — confirm the installed express major.
app.all('*', (req, res, next) => {
  const notFound = new AppError(`Can't find ${req.originalUrl} on this server`, 404);
  next(notFound);
});

// Central error-handling middleware, registered last so it sees errors from every route above.
app.use(globalErrorHandler);

module.exports = app;