| field | value | date |
|---|---|---|
| author | Ricardo <ricardo@cino.io> | 2023-10-13 14:12:03 +0200 |
| committer | GitHub <noreply@github.com> | 2023-10-13 13:12:03 +0100 |
| commit | e503468660a13760010a94ecda5f0625c6f47f87 (patch) | |
| tree | fa532f54fc5f091de08d55405ec6339bd2440a02 /config/shield.ts | |
| parent | 1.3.16 [skip ci] (diff) | |
Server re-build with latest AdonisJS framework & Typescript (#47)
* chore: setup first basis structure
* chore: ensure styling is loaded correctly
* chore: comply to new routing syntax by replacing . with / in routes/resource locations
* chore: add login controller
* chore: correctly use views with slash instead of dot
* chore: working login + tests
* chore: clean up tests
* chore: add password-forgot endpoint and matching test
* chore: add delete page test
* chore: add logout test
* chore: add reset-password route and tests
* chore: remove obsolete comment
* chore: add account-page and tests
* chore: add data page & first step of the test
* chore: add transfer/import data feature and tests
* chore: add export and basic test
* chore: add all static api routes with tests
* Regenerate 'pnpm-lock.json' and fix bad merge conflict
WIP:
- Tests have been commented out since they don't work
- Server doesn't start
* easier dev and test runs
* - remove --require-pragma from reformat-files so formatting works properly
- run pnpm reformat-files over codebase
- remove .json files from .eslintignore
- add invalid.json file to .eslintignore
- configure prettier properly in eslint config
- add type jsdoc to prettier config
- run adonis generate:manifest command to regenerate ace-manifest.json
- specify volta in package.json
- introduce typecheck npm script
- remove unused .mjs extension from npm scripts
- install missing type definition dependencies
- add pnpm.allowedDeprecatedVersions to package.json
- fix invalid extends in tsconfig.json causing TS issues throughout codebase
- remove @ts-ignore throughout codebase which is not relevant anymore
- enable some of the tsconfig options
- remove outdated eslint-disable from codebase
- change deprecated faker.company.companyName() to faker.company.name()
- fix TS issues inside transfer.spec.ts
* - update to latest node and pnpm versions
- upgrade all non-major dependencies to latest
- install missing @types/luxon dependency
- add cuid to pnpm.allowedDeprecatedVersions
- add esModuleInterop config option to tsconfig
- migrate more deprecated faker methods to new ones
- add more temporary ts-ignore to code
* - update eslint config
- remove trailingComma: all since default in prettier v3
- add typecheck command to prepare-code npm script
- upgrade various dependencies to latest major version
- update tsconfig to include only useful config options
- disable some lint issues and fix others
* - add test command to prepare-code
- disable strictPropertyInitialization flag in tsconfig which creates issues with adonis models
- update precommit hook to execute pnpm prepare-code
- remove ts-ignore statements from all models
* fix node and pnpm dependency update
* add cross env (so that we can develop on windows)
* add signup endpoint (TODO: JWT auth)
* Add login endpoint
* Add me and updateMe endpoints
* Add service endpoint
* refactor: change endpoints to use jwt
* add recipes endpoint
* add workspaces endpoint
* fix web controllers for login and post import
* Update node deps
* Change auth middleware (for web) and exempt api from CSRF
* Add import endpoint (franz import)
* Fix export/import logic
* Fix service and workspace data in user/data
* Fix partial lint
* chore: workaround lint issues
* fix: migration naming had two .
* Sync back node with recipes repo
* Temporarily ignore typescript
* Fix adonisrc to handle public folder static assets
* Fix issue with production database
* add Legacy Password Provider
* Fix lint errors
* Fix issue on login errors frontend
* add Legacy Password Provider
* Fix issue with customIcons
* Fix issue with auth tokens
* Update 'node' to '18.18.0'
* make docker work
* improve docker entrypoint (test api performance)
* Add migration database script
* NODE_ENV on recipes
* prefer @ts-expect-error over @ts-ignore
* small fixes
* Update 'pnpm' to '8.7.6'
* fix error catch
* Automatically generate JWT Public and Private keys
* Use custom Adonis5-jwt
* Update code to use secret (old way, no breaking changes)
* Normalize appKey
* Trick to make JWT tokens on client work with new version
* Fix error with new JWT logic
* Change migration and how we store JWT
* Fix 500 response code (needs to be 401)
* Improve logic and fix bugs
* Fix build and entrypoint logic
* Catch error if appKey changes
* Add newToken logic
* Fix lint (ignore any errors)
* Add build for PRs
* pnpm reformat-files result
* Fix some tests
* Fix reset password not working (test failing)
* Restore csrfTokens (disabled by accident)
* Fix pnpm start command with .env
* Disable failing tests on the transfer endpoint (TODO)
* Add tests to PR build
* Fix build
* Remove unnecessary assertStatus
* Add typecheck
* hash password on UserFactory (fix build)
* Add JWT_USE_PEM true by default (increase security)
* fix name of github action
---------
Co-authored-by: Vijay A <vraravam@users.noreply.github.com>
Co-authored-by: Balaji Vijayakumar <kuttibalaji.v6@gmail.com>
Co-authored-by: MCMXC <16797721+mcmxcdev@users.noreply.github.com>
Co-authored-by: André Oliveira <oliveira.andrerodrigues95@gmail.com>
Diffstat (limited to 'config/shield.ts')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | config/shield.ts | 243 |
1 files changed, 243 insertions, 0 deletions
diff --git a/config/shield.ts b/config/shield.ts new file mode 100644 index 0000000..3566e1c --- /dev/null +++ b/config/shield.ts | |||
@@ -0,0 +1,243 @@ | |||
1 | /** | ||
2 | * Config source: https://git.io/Jvwvt | ||
3 | * | ||
4 | * Feel free to let us know via PR, if you find something broken in this config | ||
5 | * file. | ||
6 | */ | ||
7 | |||
8 | import Env from '@ioc:Adonis/Core/Env'; | ||
9 | import { ShieldConfig } from '@ioc:Adonis/Addons/Shield'; | ||
10 | |||
11 | /* | ||
12 | |-------------------------------------------------------------------------- | ||
13 | | Content Security Policy | ||
14 | |-------------------------------------------------------------------------- | ||
15 | | | ||
16 | | Content security policy filters out the origins not allowed to execute | ||
17 | | and load resources like scripts, styles and fonts. There are wide | ||
18 | | variety of options to choose from. | ||
19 | */ | ||
20 | export const csp: ShieldConfig['csp'] = { | ||
21 | /* | ||
22 | |-------------------------------------------------------------------------- | ||
23 | | Enable/disable CSP | ||
24 | |-------------------------------------------------------------------------- | ||
25 | | | ||
26 | | The CSP rules are disabled by default for seamless onboarding. | ||
27 | | | ||
28 | */ | ||
29 | enabled: false, | ||
30 | |||
31 | /* | ||
32 | |-------------------------------------------------------------------------- | ||
33 | | Directives | ||
34 | |-------------------------------------------------------------------------- | ||
35 | | | ||
36 | | All directives are defined in camelCase and here is the list of | ||
37 | | available directives and their possible values. | ||
38 | | | ||
39 | | https://content-security-policy.com | ||
40 | | | ||
41 | | @example | ||
42 | | directives: { | ||
43 | | defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com'] | ||
44 | | } | ||
45 | | | ||
46 | */ | ||
47 | directives: {}, | ||
48 | |||
49 | /* | ||
50 | |-------------------------------------------------------------------------- | ||
51 | | Report only | ||
52 | |-------------------------------------------------------------------------- | ||
53 | | | ||
54 | | Setting `reportOnly=true` will not block the scripts from running and | ||
55 | | instead report them to a URL. | ||
56 | | | ||
57 | */ | ||
58 | reportOnly: false, | ||
59 | }; | ||
60 | |||
61 | /* | ||
62 | |-------------------------------------------------------------------------- | ||
63 | | CSRF Protection | ||
64 | |-------------------------------------------------------------------------- | ||
65 | | | ||
66 | | CSRF Protection adds another layer of security by making sure, actionable | ||
67 | | routes does have a valid token to execute an action. | ||
68 | | | ||
69 | */ | ||
70 | export const csrf: ShieldConfig['csrf'] = { | ||
71 | /* | ||
72 | |-------------------------------------------------------------------------- | ||
73 | | Enable/Disable CSRF | ||
74 | |-------------------------------------------------------------------------- | ||
75 | */ | ||
76 | enabled: Env.get('NODE_ENV') === 'production', | ||
77 | |||
78 | /* | ||
79 | |-------------------------------------------------------------------------- | ||
80 | | Routes to Ignore | ||
81 | |-------------------------------------------------------------------------- | ||
82 | | | ||
83 | | Define an array of route patterns that you want to ignore from CSRF | ||
84 | | validation. Make sure the route patterns are started with a leading | ||
85 | | slash. Example: | ||
86 | | | ||
87 | | `/foo/bar` | ||
88 | | | ||
89 | | Also you can define a function that is evaluated on every HTTP Request. | ||
90 | | ``` | ||
91 | | exceptRoutes: ({ request }) => request.url().includes('/api') | ||
92 | | ``` | ||
93 | | | ||
94 | */ | ||
95 | exceptRoutes: ctx => { | ||
96 | // ignore all routes starting with /v1/ (api) | ||
97 | return ( | ||
98 | ctx.request.url().includes('/v1/') || | ||
99 | ctx.request.url().includes('/import') | ||
100 | ); | ||
101 | }, | ||
102 | |||
103 | /* | ||
104 | |-------------------------------------------------------------------------- | ||
105 | | Enable Sharing Token Via Cookie | ||
106 | |-------------------------------------------------------------------------- | ||
107 | | | ||
108 | | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN` | ||
109 | | cookie that frontend frameworks can read and return back as a | ||
110 | | `X-XSRF-TOKEN` header. | ||
111 | | | ||
112 | | The cookie has `httpOnly` flag set to false, so it is little insecure and | ||
113 | | can be turned off when you are not using a frontend framework making | ||
114 | | AJAX requests. | ||
115 | | | ||
116 | */ | ||
117 | enableXsrfCookie: true, | ||
118 | |||
119 | /* | ||
120 | |-------------------------------------------------------------------------- | ||
121 | | Methods to Validate | ||
122 | |-------------------------------------------------------------------------- | ||
123 | | | ||
124 | | Define an array of HTTP methods to be validated for a valid CSRF token. | ||
125 | | | ||
126 | */ | ||
127 | methods: ['POST', 'PUT', 'PATCH', 'DELETE'], | ||
128 | }; | ||
129 | |||
130 | /* | ||
131 | |-------------------------------------------------------------------------- | ||
132 | | DNS Prefetching | ||
133 | |-------------------------------------------------------------------------- | ||
134 | | | ||
135 | | DNS prefetching allows browsers to proactively perform domain name | ||
136 | | resolution in background. | ||
137 | | | ||
138 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control | ||
139 | | | ||
140 | */ | ||
141 | export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = { | ||
142 | /* | ||
143 | |-------------------------------------------------------------------------- | ||
144 | | Enable/disable this feature | ||
145 | |-------------------------------------------------------------------------- | ||
146 | */ | ||
147 | enabled: true, | ||
148 | |||
149 | /* | ||
150 | |-------------------------------------------------------------------------- | ||
151 | | Allow or Dis-Allow Explicitly | ||
152 | |-------------------------------------------------------------------------- | ||
153 | | | ||
154 | | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However | ||
155 | | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header. | ||
156 | | | ||
157 | | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'` | ||
158 | | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'` | ||
159 | | | ||
160 | */ | ||
161 | allow: true, | ||
162 | }; | ||
163 | |||
164 | /* | ||
165 | |-------------------------------------------------------------------------- | ||
166 | | Iframe Options | ||
167 | |-------------------------------------------------------------------------- | ||
168 | | | ||
169 | | xFrame defines whether or not your website can be embedded inside an | ||
170 | | iframe. Choose from one of the following options. | ||
171 | | | ||
172 | | - DENY | ||
173 | | - SAMEORIGIN | ||
174 | | - ALLOW-FROM http://example.com | ||
175 | | | ||
176 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options | ||
177 | */ | ||
178 | export const xFrame: ShieldConfig['xFrame'] = { | ||
179 | enabled: true, | ||
180 | action: 'DENY', | ||
181 | }; | ||
182 | |||
183 | /* | ||
184 | |-------------------------------------------------------------------------- | ||
185 | | Http Strict Transport Security | ||
186 | |-------------------------------------------------------------------------- | ||
187 | | | ||
188 | | A security to ensure that a browser always makes a connection over | ||
189 | | HTTPS. | ||
190 | | | ||
191 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security | ||
192 | | | ||
193 | */ | ||
194 | export const hsts: ShieldConfig['hsts'] = { | ||
195 | enabled: true, | ||
196 | /* | ||
197 | |-------------------------------------------------------------------------- | ||
198 | | Max Age | ||
199 | |-------------------------------------------------------------------------- | ||
200 | | | ||
201 | | Control, how long the browser should remember that a site is only to be | ||
202 | | accessed using HTTPS. | ||
203 | | | ||
204 | */ | ||
205 | maxAge: '180 days', | ||
206 | |||
207 | /* | ||
208 | |-------------------------------------------------------------------------- | ||
209 | | Include Subdomains | ||
210 | |-------------------------------------------------------------------------- | ||
211 | | | ||
212 | | Apply rules on the subdomains as well. | ||
213 | | | ||
214 | */ | ||
215 | includeSubDomains: true, | ||
216 | |||
217 | /* | ||
218 | |-------------------------------------------------------------------------- | ||
219 | | Preloading | ||
220 | |-------------------------------------------------------------------------- | ||
221 | | | ||
222 | | Google maintains a service to register your domain and it will preload | ||
223 | | the HSTS policy. Learn more https://hstspreload.org/ | ||
224 | | | ||
225 | */ | ||
226 | preload: false, | ||
227 | }; | ||
228 | |||
229 | /* | ||
230 | |-------------------------------------------------------------------------- | ||
231 | | No Sniff | ||
232 | |-------------------------------------------------------------------------- | ||
233 | | | ||
234 | | Browsers have a habit of sniffing content-type of a response. Which means | ||
235 | | files with .txt extension containing Javascript code will be executed as | ||
236 | | Javascript. You can disable this behavior by setting nosniff to false. | ||
237 | | | ||
238 | | Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options | ||
239 | | | ||
240 | */ | ||
241 | export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = { | ||
242 | enabled: true, | ||
243 | }; | ||
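Review bot: the `exceptRoutes` function at lines 95-101 does not match its own comment: the comment says it ignores routes starting with `/v1/`, but the code uses `ctx.request.url().includes('/v1/')` and `includes('/import')`, so any URL containing either substring anywhere in its path is exempted from CSRF validation, not just the API prefix. Since the commit message says the intent is to exempt the JWT-authenticated API from CSRF, prefer a prefix match such as `return ctx.request.url().startsWith('/v1/')` (or the array of route patterns the comment above documents), and reconsider the `/import` exemption: if that route is a form POST submitted from a browser session, as the "fix web controllers for login and post import" entry suggests, it loses its CSRF check here. Two smaller points: `enabled: Env.get('NODE_ENV') === 'production'` (line 76) means the CSRF middleware is never exercised by the test suite, so a regression in `exceptRoutes` would not be caught before deployment; and `csp.enabled: false` with empty `directives` (lines 29 and 47) ships the rebuilt server without any Content Security Policy, where `reportOnly: true` with a minimal `defaultSrc: ["'self'"]` would be a low-risk first step. The No Sniff comment at line 236 also has the sense inverted relative to the `enabled: true` key below it and should say that `enabled: true` sends `X-Content-Type-Options: nosniff`.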