const path = require('path');
const express = require('express');
const morgan = require('morgan');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');
const hpp = require('hpp');
const cookieParser = require('cookie-parser');
const compression = require('compression');
const cors = require('cors');
const tourRouter = require('./Routes/tourRoutes');
const userRouter = require('./Routes/userRoutes');
const reviewRouter = require('./Routes/reviewRoutes');
const bookingRouter = require('./Routes/bookingRoutes');
const bookingController = require('./controllers/bookingController');
const viewRouter = require('./Routes/viewRoutes');
const globalErrorHandler = require('./controllers/errorController');
const AppError = require('./utilities/appError');
/*********************************************************************/
//Start Express App
// Single Express application object; every middleware and router in this file
// is registered on it, in order, and it is exported at the bottom for the server
// entry point to listen on.
const app = express();
// `trust proxy` is left disabled. That matters for the per-IP rate limiter further
// down: behind a reverse proxy / load balancer every request then carries the
// proxy's address in req.ip, so all clients share one rate-limit bucket. If it is
// enabled, prefer the number of trusted proxy hops (e.g. app.set('trust proxy', 1))
// over `true`, otherwise a client can pick its own req.ip via X-Forwarded-For.
// app.enable('trust proxy');
//Setting up Pug as the template engine
// Templates live in ./views relative to this file; Pug escapes `#{}` interpolation by
// default, which the 404 message (built from the request URL) relies on if rendered.
app.set('view engine', 'pug');
app.set('views', path.join(__dirname, 'views'));
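/****************************************************************/
// 1) Global Middlewares
//Implement CORS
// cors() with no options answers every Origin with `Access-Control-Allow-Origin: *`
// and does not set Allow-Credentials, so browsers will not let a foreign page READ a
// response to a request that carried cookies. The request itself still reaches the
// server, so this is not CSRF protection for cookie-authenticated routes. If the API
// is only meant for the app's own pages, pass an explicit `origin` allow-list here.
app.use(cors()); //Access Controll Allow Origin * , works for simple requests (get & post)
app.options('*', cors()); // preflight replies for non-simple requests (PATCH/DELETE, JSON bodies)
// Set Security HTTP Headers
// Only helmet's contentSecurityPolicy() sub-middleware is registered in this file; the
// other headers helmet() sets by default (X-Content-Type-Options, frameguard, HSTS, ...)
// are not applied here. NOTE(review): `app.use(helmet({ contentSecurityPolicy: false }))`
// ahead of the custom CSP would add them; not done here because the installed helmet
// major (and whether it enables COEP by default, which would break cross-origin tiles)
// is not visible from this file.
// The CSP is registered BEFORE express.static so that responses for static assets carry
// the header as well (with static first they were served without it).
const scriptSrcUrls = ['https://unpkg.com/', 'https://tile.openstreetmap.org'];
const styleSrcUrls = [
  'https://unpkg.com/',
  'https://tile.openstreetmap.org',
  'https://fonts.googleapis.com/',
];
const connectSrcUrls = ['https://unpkg.com', 'https://tile.openstreetmap.org'];
const fontSrcUrls = ['fonts.googleapis.com', 'fonts.gstatic.com'];
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // Explicit 'none' fallback: any fetch type not listed below (frames, media, ...)
      // is blocked. The original empty array has the same meaning in browsers, but
      // 'none' says so unambiguously.
      // NOTE(review): if Stripe.js is loaded in-page it may need frameSrc for its own
      // iframes — confirm in the browser console before widening this.
      defaultSrc: ["'none'"],
      // <base> injection would otherwise redirect every relative script/style URL.
      baseUri: ["'self'"],
      connectSrc: ["'self'", ...connectSrcUrls],
      // 'data:' was removed from script-src: it let any injected
      // `<script src="data:...">` execute, which defeats the host allow-list.
      // If an inline or data: script is genuinely required, allow it by nonce or hash.
      // NOTE(review): 'https://*.cloudflare.com' matches every cloudflare.com
      // subdomain, including public CDNs that host arbitrary libraries; narrow it to
      // the exact host actually used.
      scriptSrc: [
        "'self'",
        ...scriptSrcUrls,
        'https://*.cloudflare.com',
        'https://*.stripe.com',
      ],
      // 'unsafe-inline' for styles is usually needed by map/UI libraries that write
      // style attributes; it does not weaken script-src.
      styleSrc: ["'self'", "'unsafe-inline'", ...styleSrcUrls],
      workerSrc: ["'self'", 'blob:'],
      // Plugin content (<object>/<embed>) is never allowed.
      objectSrc: ["'none'"],
      // Images may come from any https host (map tiles, externally hosted pictures).
      imgSrc: ["'self'", 'blob:', 'data:', 'https:'],
      fontSrc: ["'self'", ...fontSrcUrls],
      // NOTE(review): form-action is not governed by default-src, so forms may still
      // post anywhere; add `formAction: ["'self'"]` once it is confirmed no form
      // targets a third-party origin.
    },
  })
);
//accessing all static files inside public folder
app.use(express.static(path.join(__dirname, 'public')));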
//Development Loging
// morgan('dev') prints method, full URL and status for every request. Anything carried
// in a URL (query strings, tokens in path segments such as password-reset links, if
// the routers expose such routes) therefore lands in the development log.
if (process.env.NODE_ENV === 'development') {
app.use(morgan('dev'));
}
// Limit requests from same IP to application
// One shared bucket per client address: 100 requests per 2-hour window for everything
// under /api (view routes and the webhook below are not counted). The key is req.ip,
// so see the `trust proxy` note at the top — behind a proxy all clients currently
// share a single bucket. NOTE(review): login/signup/password routes, if they live
// under /api/v1/users, share this generous limit; a tighter dedicated limiter on the
// authentication endpoints would be more useful against credential stuffing.
const limiter = rateLimit({
max: 100,
windowMs: 2 * 60 * 60 * 1000,
message: "Too many requests from this IP, please try again in a couple of hours!",
});
app.use('/api', limiter);
// Payment-provider webhook. Registered BEFORE express.json() on purpose: it receives
// the untouched request bytes (express.raw) so the controller can verify the
// provider's signature over the exact payload — a parsed-and-reserialised body would
// not match. Assumes bookingController.webhookCheckout performs that signature check
// and rejects unsigned requests — TODO confirm, nothing in this file enforces it.
app.post('/webhook-checkout', express.raw({type: 'application/json'}) , bookingController.webhookCheckout)
//----------------------------------------------------------
//Body Parser, reading data from body into req.body
// Oversized bodies are rejected before any handler runs. NOTE(review): JSON is capped
// at 50kb but form bodies at 10kb below — presumably unintentional drift; pick one.
app.use(express.json({limit: '50kb'})); //express.json() is an express middleware that permits using the request body
//Cookie Parser, reading data from sent cookie
// No secret is passed, so cookies are parsed unsigned and taken at face value;
// integrity of an auth cookie must come from the token inside it (verified in the
// routers, not here).
app.use(cookieParser());
//formData Parsing, reading data sent from a submitted form
app.use(express.urlencoded({
extended: true,
limit: '10kb',
}));
//----------------------------------------------------------
//Data Sanitization against NoSQL query injection
// Strips keys that begin with `$` or contain `.` from req.body / req.query / req.params,
// so a body like {"email":{"$gt":""}} cannot become a Mongo operator.
app.use(mongoSanitize());
//Data Sanitization against XSS
// Escapes HTML in incoming body/query/params. NOTE(review): the xss-clean package
// appears to be no longer maintained upstream — verify and consider output-side
// escaping (Pug's default) plus a maintained sanitizer instead.
app.use(xss());
//Prevent parameter Pollution
// Repeated query parameters are collapsed to the last value, except for the
// whitelisted names, which may legitimately repeat (e.g. ?duration=5&duration=9).
app.use(
hpp({
whitelist: [
'name',
'duration',
'maxGroupSize',
'ratingsAverage',
'ratingsQuantity',
'price',
],
}),
);
//compressing all texts send to clients
// NOTE(review): compressing a response that places a secret next to attacker-reflected
// input over TLS is the BREACH pattern; only relevant if any page/JSON echoes user input
// alongside a token.
app.use(compression());
//Public Test middleware
// Stamps each request with a human-readable local-time string (Date#toString, not ISO).
app.use((req, res, next) => {
req.requestTime = new Date().toString();
next();
});
/****************************************************************/
//3) Routes
//Mounting our Routers
// No authentication happens in this file; any access control lives inside the routers.
app.use('/', viewRouter);
app.use('/api/v1/users', userRouter);
app.use('/api/v1/tours', tourRouter);
app.use('/api/v1/reviews', reviewRouter);
app.use('/api/v1/bookings', bookingRouter);
// Catch-all 404 for anything no router handled. The message embeds req.originalUrl,
// i.e. attacker-controlled text; it is safe only as long as errorController renders
// it escaped (Pug `#{}` / JSON) rather than with `!{}` — not visible from here.
app.all('*', (req, res, next) => {
next(new AppError(`Can't find ${req.originalUrl} on this server!`, 404));
})
// Must stay last: Express dispatches to it only for errors passed to next().
app.use(globalErrorHandler);
/****************************************************************/
//3) Starting server
// The server entry point (not in this file) listens on the exported app.
module.exports = app;
// Reference copy of the package.json bundler scripts (not executed here):
// "watch:js": "parcel watch ./public/js/index.js --out-dir ./public/js --out-file bundle.js",
// "build:js": "parcel watch ./public/js/index.js --out-dir ./public/js --out-file bundle.js"
// NOTE(review): build:js runs `parcel watch` exactly like watch:js — presumably `parcel build` was intended.