author | 2023-10-13 14:12:03 +0200 | |
---|---|---|
committer | 2023-10-13 13:12:03 +0100 | |
commit | e503468660a13760010a94ecda5f0625c6f47f87 (patch) | |
tree | fa532f54fc5f091de08d55405ec6339bd2440a02 /config/shield.js | |
parent | 1.3.16 [skip ci] (diff) | |
download | ferdium-server-e503468660a13760010a94ecda5f0625c6f47f87.tar.gz ferdium-server-e503468660a13760010a94ecda5f0625c6f47f87.tar.zst ferdium-server-e503468660a13760010a94ecda5f0625c6f47f87.zip |
Server re-build with latest AdonisJS framework & Typescript (#47)
* chore: setup first basis structure
* chore: ensure styling is loaded correctly
* chore: comply to new routing syntax by replacing . with / in routes/resource locations
* chore: add login controller
* chore: correctly use views with slash instead of dot
* chore: working login + tests
* chore: clean up tests
* chore: add password-forgot endpoint and matching test
* chore: add delete page test
* chore: add logout test
* chore: add reset-password route and tests
* chore: remove obsolete comment
* chore: add account-page and tests
* chore: add data page & first step of the test
* chore: add transfer/import data feature and tests
* chore: add export and basic test
* chore: add all static api routes with tests
* Regenerate 'pnpm-lock.json' and fix bad merge conflict
WIP:
- Tests have been commented out since they don't work
- Server doesn't start
* easier dev and test runs
* - remove --require-pragma from reformat-files so formatting works properly
- run pnpm reformat-files over codebase
- remove .json files from .eslintignore
- add invalid.json file to .eslintignore
- configure prettier properly in eslint config
- add type jsdoc to prettier config
- run adonis generate:manifest command to regenerate ace-manifest.json
- specify volta in package.json
- introduce typecheck npm script
- remove unused .mjs extension from npm scripts
- install missing type definition dependencies
- add pnpm.allowedDeprecatedVersions to package.json
- fix invalid extends in tsconfig.json causing TS issues throughout codebase
- remove @ts-ignore throughout codebase which is not relevant anymore
- enable some of the tsconfig options
- remove outdated eslint-disable from codebase
- change deprecated faker.company.companyName() to faker.company.name()
- fix TS issues inside transfer.spec.ts
* - update to latest node and pnpm versions
- upgrade all non-major dependencies to latest
- install missing @types/luxon dependency
- add cuid to pnpm.allowedDeprecatedVersions
- add esModuleInterop config option to tsconfig
- migrate more deprecated faker methods to new ones
- add more temporary ts-ignore to code
* - update eslint config
- remove trailingComma: all since default in prettier v3
- add typecheck command to prepare-code npm script
- upgrade various dependencies to latest major version
- update tsconfig to include only useful config options
- disable some lint issues and fix others
* - add test command to prepare-code
- disable strictPropertyInitialization flag in tsconfig which creates issues with adonis models
- update precommit hook to execute pnpm prepare-code
- remove ts-ignore statements from all models
* fix node and pnpm dependency update
* add cross env (so that we can develop on windows)
* add signup endpoint (TODO: JWT auth)
* Add login endpoint
* Add me and updateMe endpoints
* Add service endpoint
* refactor: change endpoints to use jwt
* add recipes endpoint
* add workspaces endpoint
* fix web controllers for login and post import
* Update node deps
* Change auth middleware (for web) and exempt api from CSRF
* Add import endpoint (franz import)
* Fix export/import logic
* Fix service and workspace data in user/data
* Fix partial lint
* chore: workaround lint issues
* fix: migration naming had two .
* Sync back node with recipes repo
* Temporarily ignore typescript
* Fix adonisrc to handle public folder static assets
* Fix issue with production database
* add Legacy Password Provider
* Fix lint errors
* Fix issue on login errors frontend
* add Legacy Password Provider
* Fix issue with customIcons
* Fix issue with auth tokens
* Update 'node' to '18.18.0'
* make docker work
* improve docker entrypoint (test api performance)
* Add migration database script
* NODE_ENV on recipes
* prefer @ts-expect-error over @ts-ignore
* small fixes
* Update 'pnpm' to '8.7.6'
* fix error catch
* Automatically generate JWT Public and Private keys
* Use custom Adonis5-jwt
* Update code to use secret (old way, no breaking changes)
* Normalize appKey
* Trick to make JWT tokens on client work with new version
* Fix error with new JWT logic
* Change migration and how we store JWT
* Fix 500 response code (needs to be 401)
* Improve logic and fix bugs
* Fix build and entrypoint logic
* Catch error if appKey changes
* Add newToken logic
* Fix lint (ignore any errors)
* Add build for PRs
* pnpm reformat-files result
* Fix some tests
* Fix reset password not working (test failing)
* Restore csrfTokens (disabled by accident)
* Fix pnpm start command with .env
* Disable failing tests on the transfer endpoint (TODO)
* Add tests to PR build
* Fix build
* Remove unnecessary assertStatus
* Add typecheck
* hash password on UserFactory (fix build)
* Add JWT_USE_PEM true by default (increase security)
* fix name of github action
---------
Co-authored-by: Vijay A <vraravam@users.noreply.github.com>
Co-authored-by: Balaji Vijayakumar <kuttibalaji.v6@gmail.com>
Co-authored-by: MCMXC <16797721+mcmxcdev@users.noreply.github.com>
Co-authored-by: André Oliveira <oliveira.andrerodrigues95@gmail.com>
Diffstat (limited to 'config/shield.js')
-rw-r--r-- | config/shield.js | 144 |
1 files changed, 0 insertions, 144 deletions
diff --git a/config/shield.js b/config/shield.js deleted file mode 100644 index 9849d29..0000000 --- a/config/shield.js +++ /dev/null | |||
@@ -1,144 +0,0 @@ | |||
1 | |||
2 | module.exports = { | ||
3 | /* | ||
4 | |-------------------------------------------------------------------------- | ||
5 | | Content Security Policy | ||
6 | |-------------------------------------------------------------------------- | ||
7 | | | ||
8 | | Content security policy filters out the origins not allowed to execute | ||
9 | | and load resources like scripts, styles and fonts. There are wide | ||
10 | | variety of options to choose from. | ||
11 | */ | ||
12 | csp: { | ||
13 | /* | ||
14 | |-------------------------------------------------------------------------- | ||
15 | | Directives | ||
16 | |-------------------------------------------------------------------------- | ||
17 | | | ||
18 | | All directives are defined in camelCase and here is the list of | ||
19 | | available directives and their possible values. | ||
20 | | | ||
21 | | https://content-security-policy.com | ||
22 | | | ||
23 | | @example | ||
24 | | directives: { | ||
25 | | defaultSrc: ['self', '@nonce', 'cdnjs.cloudflare.com'] | ||
26 | | } | ||
27 | | | ||
28 | */ | ||
29 | directives: { | ||
30 | }, | ||
31 | /* | ||
32 | |-------------------------------------------------------------------------- | ||
33 | | Report only | ||
34 | |-------------------------------------------------------------------------- | ||
35 | | | ||
36 | | Setting `reportOnly=true` will not block the scripts from running and | ||
37 | | instead report them to a URL. | ||
38 | | | ||
39 | */ | ||
40 | reportOnly: false, | ||
41 | /* | ||
42 | |-------------------------------------------------------------------------- | ||
43 | | Set all headers | ||
44 | |-------------------------------------------------------------------------- | ||
45 | | | ||
46 | | Headers staring with `X` have been depreciated, since all major browsers | ||
47 | | supports the standard CSP header. So its better to disable deperciated | ||
48 | | headers, unless you want them to be set. | ||
49 | | | ||
50 | */ | ||
51 | setAllHeaders: false, | ||
52 | |||
53 | /* | ||
54 | |-------------------------------------------------------------------------- | ||
55 | | Disable on android | ||
56 | |-------------------------------------------------------------------------- | ||
57 | | | ||
58 | | Certain versions of android are buggy with CSP policy. So you can set | ||
59 | | this value to true, to disable it for Android versions with buggy | ||
60 | | behavior. | ||
61 | | | ||
62 | | Here is an issue reported on a different package, but helpful to read | ||
63 | | if you want to know the behavior. https://github.com/helmetjs/helmet/pull/82 | ||
64 | | | ||
65 | */ | ||
66 | disableAndroid: true, | ||
67 | }, | ||
68 | |||
69 | /* | ||
70 | |-------------------------------------------------------------------------- | ||
71 | | X-XSS-Protection | ||
72 | |-------------------------------------------------------------------------- | ||
73 | | | ||
74 | | X-XSS Protection saves from applications from XSS attacks. It is adopted | ||
75 | | by IE and later followed by some other browsers. | ||
76 | | | ||
77 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection | ||
78 | | | ||
79 | */ | ||
80 | xss: { | ||
81 | enabled: true, | ||
82 | enableOnOldIE: false, | ||
83 | }, | ||
84 | |||
85 | /* | ||
86 | |-------------------------------------------------------------------------- | ||
87 | | Iframe Options | ||
88 | |-------------------------------------------------------------------------- | ||
89 | | | ||
90 | | xframe defines whether or not your website can be embedded inside an | ||
91 | | iframe. Choose from one of the following options. | ||
92 | | @available options | ||
93 | | DENY, SAMEORIGIN, ALLOW-FROM http://example.com | ||
94 | | | ||
95 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options | ||
96 | */ | ||
97 | xframe: 'DENY', | ||
98 | |||
99 | /* | ||
100 | |-------------------------------------------------------------------------- | ||
101 | | No Sniff | ||
102 | |-------------------------------------------------------------------------- | ||
103 | | | ||
104 | | Browsers have a habit of sniffing content-type of a response. Which means | ||
105 | | files with .txt extension containing Javascript code will be executed as | ||
106 | | Javascript. You can disable this behavior by setting nosniff to false. | ||
107 | | | ||
108 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options | ||
109 | | | ||
110 | */ | ||
111 | nosniff: true, | ||
112 | |||
113 | /* | ||
114 | |-------------------------------------------------------------------------- | ||
115 | | No Open | ||
116 | |-------------------------------------------------------------------------- | ||
117 | | | ||
118 | | IE users can execute webpages in the context of your website, which is | ||
119 | | a serious security risk. Below option will manage this for you. | ||
120 | | | ||
121 | */ | ||
122 | noopen: true, | ||
123 | |||
124 | /* | ||
125 | |-------------------------------------------------------------------------- | ||
126 | | CSRF Protection | ||
127 | |-------------------------------------------------------------------------- | ||
128 | | | ||
129 | | CSRF Protection adds another layer of security by making sure, actionable | ||
130 | | routes does have a valid token to execute an action. | ||
131 | | | ||
132 | */ | ||
133 | csrf: { | ||
134 | enable: true, | ||
135 | methods: ['POST', 'PUT', 'DELETE'], | ||
136 | filterUris: [], | ||
137 | cookieOptions: { | ||
138 | httpOnly: true, | ||
139 | sameSite: true, | ||
140 | path: '/', | ||
141 | maxAge: 7200, | ||
142 | }, | ||
143 | }, | ||
144 | }; | ||
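Review bot: Deleting config/shield.js drops the only visible source of the security-header and CSRF settings (xframe: 'DENY', nosniff: true, noopen: true, csrf on ['POST', 'PUT', 'DELETE'] with httpOnly/sameSite cookie options), and this diff, limited to config/shield.js, shows no replacement. Since the commit message mentions "exempt api from CSRF" and "Restore csrfTokens (disabled by accident)", please point to the new framework's shield config in this PR and confirm it still sends X-Frame-Options DENY and X-Content-Type-Options nosniff and keeps CSRF on state-changing methods, with the API exemption scoped to API routes (the old file used `filterUris: []` for that) rather than CSRF turned off globally. Two details of the old file should not be copied verbatim: the nosniff comment links to the X-Frame-Options MDN page instead of X-Content-Type-Options, and `directives: {}` meant no CSP was actually emitted, so the rebuild is the place to define real directives.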