path: root/config/shield.ts
author: Ricardo <ricardo@cino.io> 2023-10-13 14:12:03 +0200
committer: GitHub <noreply@github.com> 2023-10-13 13:12:03 +0100
commit: e503468660a13760010a94ecda5f0625c6f47f87 (patch)
tree: fa532f54fc5f091de08d55405ec6339bd2440a02 /config/shield.ts
parent: 1.3.16 [skip ci] (diff)
Server re-build with latest AdonisJS framework & Typescript (#47)

* chore: setup first basis structure
* chore: ensure styling is loaded correctly
* chore: comply to new routing syntax by replace . with / in routes/resource locations
* chore: add login controller
* chore: correctly use views with slash instead of dot
* chore: working login + tests
* chore: clean up tests
* chore: add password-forgot endpoint and matching test
* chore: add delete page test
* chore: add logout test
* chore: add reset-password route and tests
* chore: remove obsolete comment
* chore: add account-page and tests
* chore: add data page & first step of the test
* chore: add transfer/import data feature and tests
* chore: add export and basic test
* chore: add all static api routes with tests
* Regenerate 'pnpm-lock.json' and fix bad merge conflict
  WIP:
  - Tests have been commented out since they don't work
  - Server doesn't start
* easier dev and test runs
* - remove --require-pragma from reformat-files so formatting works properly
  - run pnpm reformat-files over codebase
  - remove .json files from .eslintignore
  - add invalid.json file to .eslintignore
  - configure prettier properly in eslint config
  - add type jsdoc to prettier config
  - run adonis generate:manifest command to regenerate ace-manifest.json
  - specify volta in package.json
  - introduce typecheck npm script
  - remove unused .mjs extension from npm scripts
  - install missing type definition dependencies
  - add pnpm.allowedDeprecatedVersions to package.json
  - fix invalid extends in tsconfig.json causing TS issues throughout codebase
  - remove @ts-ignore throughout codebase which is not relevant anymore
  - enable some of the tsconfig options
  - remove outdated eslint-disable from codebase
  - change deprecated faker.company.companyName() to faker.company.name()
  - fix TS issues inside transfer.spec.ts
* - update to latest node and pnpm versions
  - upgrade all non-major dependencies to latest
  - install missing @types/luxon dependency
  - add cuid to pnpm.allowedDeprecatedVersions
  - add esModuleInterop config option to tsconfig
  - migrate more deprecated faker methods to new ones
  - add more temporary ts-ignore to code
* - update eslint config
  - remove trailingComma: all since default in prettier v3
  - add typecheck command to prepare-code npm script
  - upgrade various dependencies to latest major version
  - update tsconfig to include only useful config options
  - disable some lint issues and fix others
* - add test command to prepare-code
  - disable strictPropertyInitialization flag in tsconfig which creates issues with adonis models
  - update precommit hook to execute pnpm prepare-code
  - remove ts-ignore statements from all models
* fix node and pnpm dependency update
* add cross env (so that we can develop on windows)
* add signup endpoint (TODO: JWT auth)
* Add login endpoint
* Add me and updateMe endpoints
* Add service endpoint
* refactor: change endpoints to use jwt
* add recipes endpoint
* add workspaces endpoint
* fix web controllers for login and post import
* Update node deps
* Change auth middleware (for web) and exempt api from CSRF
* Add import endpoint (franz import)
* Fix export/import logic
* Fix service and workspace data in user/data
* Fix partial lint
* chore: workaround lint issues
* fix: migration naming had two .
* Sync back node with recipes repo
* Temporarily ignore typescript
* Fix adonisrc to handle public folder static assets
* Fix issue with production database
* add Legacy Password Provider
* Fix lint errors
* Fix issue on login errors frontend
* add Legacy Password Provider
* Fix issue with customIcons
* Fix issue with auth tokens
* Update 'node' to '18.18.0'
* make docker work
* improve docker entrypoint (test api performance)
* Add migration database script
* NODE_ENV on recipes
* prefer @ts-expect-error over @ts-ignore
* small fixes
* Update 'pnpm' to '8.7.6'
* fix error catch
* Automatically generate JWT Public and Private keys
* Use custom Adonis5-jwt
* Update code to use secret (old way, no breaking changes)
* Normalize appKey
* Trick to make JWT tokens on client work with new version
* Fix error with new JWT logic
* Change migration and how we store JWT
* Fix 500 response code (needs to be 401)
* Improve logic and fix bugs
* Fix build and entrypoint logic
* Catch error if appKey changes
* Add newToken logic
* Fix lint (ignore any errors)
* Add build for PRs
* pnpm reformat-files result
* Fix some tests
* Fix reset password not working (test failing)
* Restore csrfTokens (disabled by accident)
* Fix pnpm start command with .env
* Disable failing tests on the transfer endpoint (TODO)
* Add tests to PR build
* Fix build
* Remove unnecessary assertStatus
* Add typecheck
* hash password on UserFactory (fix build)
* Add JWT_USE_PEM true by default (increase security)
* fix name of github action

---------

Co-authored-by: Vijay A <vraravam@users.noreply.github.com>
Co-authored-by: Balaji Vijayakumar <kuttibalaji.v6@gmail.com>
Co-authored-by: MCMXC <16797721+mcmxcdev@users.noreply.github.com>
Co-authored-by: André Oliveira <oliveira.andrerodrigues95@gmail.com>
Diffstat (limited to 'config/shield.ts')
-rw-r--r-- config/shield.ts | 243
1 files changed, 243 insertions, 0 deletions
diff --git a/config/shield.ts b/config/shield.ts
new file mode 100644
index 0000000..3566e1c
--- /dev/null
+++ b/config/shield.ts
@@ -0,0 +1,243 @@
1/**
2 * Config source: https://git.io/Jvwvt
3 *
4 * Feel free to let us know via PR, if you find something broken in this config
5 * file.
6 */
7
8import Env from '@ioc:Adonis/Core/Env';
9import { ShieldConfig } from '@ioc:Adonis/Addons/Shield';
10
11/*
12|--------------------------------------------------------------------------
13| Content Security Policy
14|--------------------------------------------------------------------------
15|
16| Content security policy filters out the origins not allowed to execute
17| and load resources like scripts, styles and fonts. There are wide
18| variety of options to choose from.
19*/
20export const csp: ShieldConfig['csp'] = {
21 /*
22 |--------------------------------------------------------------------------
23 | Enable/disable CSP
24 |--------------------------------------------------------------------------
25 |
26 | The CSP rules are disabled by default for seamless onboarding.
27 |
28 */
29 enabled: false,
30
31 /*
32 |--------------------------------------------------------------------------
33 | Directives
34 |--------------------------------------------------------------------------
35 |
36 | All directives are defined in camelCase and here is the list of
37 | available directives and their possible values.
38 |
39 | https://content-security-policy.com
40 |
41 | @example
42 | directives: {
43 | defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com']
44 | }
45 |
46 */
47 directives: {},
48
49 /*
50 |--------------------------------------------------------------------------
51 | Report only
52 |--------------------------------------------------------------------------
53 |
54 | Setting `reportOnly=true` will not block the scripts from running and
55 | instead report them to a URL.
56 |
57 */
58 reportOnly: false,
59};
60
61/*
62|--------------------------------------------------------------------------
63| CSRF Protection
64|--------------------------------------------------------------------------
65|
66| CSRF Protection adds another layer of security by making sure, actionable
67| routes does have a valid token to execute an action.
68|
69*/
70export const csrf: ShieldConfig['csrf'] = {
71 /*
72 |--------------------------------------------------------------------------
73 | Enable/Disable CSRF
74 |--------------------------------------------------------------------------
75 */
76 enabled: Env.get('NODE_ENV') === 'production',
77
78 /*
79 |--------------------------------------------------------------------------
80 | Routes to Ignore
81 |--------------------------------------------------------------------------
82 |
83 | Define an array of route patterns that you want to ignore from CSRF
84 | validation. Make sure the route patterns are started with a leading
85 | slash. Example:
86 |
87 | `/foo/bar`
88 |
89 | Also you can define a function that is evaluated on every HTTP Request.
90 | ```
91 | exceptRoutes: ({ request }) => request.url().includes('/api')
92 | ```
93 |
94 */
95 exceptRoutes: ctx => {
96 // ignore all routes starting with /v1/ (api)
97 return (
98 ctx.request.url().includes('/v1/') ||
99 ctx.request.url().includes('/import')
100 );
101 },
102
103 /*
104 |--------------------------------------------------------------------------
105 | Enable Sharing Token Via Cookie
106 |--------------------------------------------------------------------------
107 |
108 | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN`
109 | cookie that frontend frameworks can read and return back as a
110 | `X-XSRF-TOKEN` header.
111 |
112 | The cookie has `httpOnly` flag set to false, so it is little insecure and
113 | can be turned off when you are not using a frontend framework making
114 | AJAX requests.
115 |
116 */
117 enableXsrfCookie: true,
118
119 /*
120 |--------------------------------------------------------------------------
121 | Methods to Validate
122 |--------------------------------------------------------------------------
123 |
124 | Define an array of HTTP methods to be validated for a valid CSRF token.
125 |
126 */
127 methods: ['POST', 'PUT', 'PATCH', 'DELETE'],
128};
129
130/*
131|--------------------------------------------------------------------------
132| DNS Prefetching
133|--------------------------------------------------------------------------
134|
135| DNS prefetching allows browsers to proactively perform domain name
136| resolution in background.
137|
138| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
139|
140*/
141export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = {
142 /*
143 |--------------------------------------------------------------------------
144 | Enable/disable this feature
145 |--------------------------------------------------------------------------
146 */
147 enabled: true,
148
149 /*
150 |--------------------------------------------------------------------------
151 | Allow or Dis-Allow Explicitly
152 |--------------------------------------------------------------------------
153 |
154 | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However
155 | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header.
156 |
157 | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'`
158 | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'`
159 |
160 */
161 allow: true,
162};
163
164/*
165|--------------------------------------------------------------------------
166| Iframe Options
167|--------------------------------------------------------------------------
168|
169| xFrame defines whether or not your website can be embedded inside an
170| iframe. Choose from one of the following options.
171|
172| - DENY
173| - SAMEORIGIN
174| - ALLOW-FROM http://example.com
175|
176| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
177*/
178export const xFrame: ShieldConfig['xFrame'] = {
179 enabled: true,
180 action: 'DENY',
181};
182
183/*
184|--------------------------------------------------------------------------
185| Http Strict Transport Security
186|--------------------------------------------------------------------------
187|
188| A security to ensure that a browser always makes a connection over
189| HTTPS.
190|
191| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
192|
193*/
194export const hsts: ShieldConfig['hsts'] = {
195 enabled: true,
196 /*
197 |--------------------------------------------------------------------------
198 | Max Age
199 |--------------------------------------------------------------------------
200 |
201 | Control, how long the browser should remember that a site is only to be
202 | accessed using HTTPS.
203 |
204 */
205 maxAge: '180 days',
206
207 /*
208 |--------------------------------------------------------------------------
209 | Include Subdomains
210 |--------------------------------------------------------------------------
211 |
212 | Apply rules on the subdomains as well.
213 |
214 */
215 includeSubDomains: true,
216
217 /*
218 |--------------------------------------------------------------------------
219 | Preloading
220 |--------------------------------------------------------------------------
221 |
222 | Google maintains a service to register your domain and it will preload
223 | the HSTS policy. Learn more https://hstspreload.org/
224 |
225 */
226 preload: false,
227};
228
229/*
230|--------------------------------------------------------------------------
231| No Sniff
232|--------------------------------------------------------------------------
233|
234| Browsers have a habit of sniffing content-type of a response. Which means
235| files with .txt extension containing Javascript code will be executed as
236| Javascript. You can disable this behavior by setting nosniff to false.
237|
238| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
239|
240*/
241export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = {
242 enabled: true,
243};
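Review bot: the `exceptRoutes` callback in the `csrf` block exempts any request whose URL merely contains `/v1/` or `/import` as a substring, which is wider than the "routes starting with /v1/" the inline comment describes: a browser-facing route whose path happens to contain `/import` anywhere (for example an account page nested under a segment named import) would lose CSRF validation together with the API. A prefix check matches the stated intent, e.g. `ctx.request.url().startsWith('/v1/') || ctx.request.url().startsWith('/import')`, or list the exact route patterns in the array form the comment above documents. Two settings in the same hunk deserve a follow-up note in the PR description: `csp.enabled` is `false` with empty `directives`, so no Content-Security-Policy header is emitted at all (turning on `reportOnly: true` with a minimal `defaultSrc: ["'self'"]` would give visibility without breaking the UI), and `csrf.enabled` is gated on `NODE_ENV === 'production'`, so the test suite added in this PR never exercises the CSRF path; enabling it unconditionally and relying on `exceptRoutes` for the API keeps the tests meaningful.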