From e503468660a13760010a94ecda5f0625c6f47f87 Mon Sep 17 00:00:00 2001 From: Ricardo Date: Fri, 13 Oct 2023 14:12:03 +0200 Subject: Server re-build with latest AdonisJS framework & Typescript (#47) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: setup first basis structure * chore: ensure styling is loaded correctly * chore: comply to new routing syntax by replace . with / in routes/resource locations * chore: add login controller * chore: correctly use views with slash instead of dot * chore: working login + tests * chore: clean up tests * chore: add password-forgot endpoint and matching test * chore: add delete page test * chore: add logout test * chore: add reset-password route and tests * chore: remove obsolete comment * chore: add account-page and tests * chore: add data page & first step of the test * chore: add transfer/import data feature and tests * chore: add export and basic test * chore: add all static api routes with tests * Regenerate 'pnpm-lock.json' and fix bad merge conflict WIP: - Tests have been commented out since they dont work - Server doesn't start * easier dev and test runs * - remove --require-pragma from reformat-files so formatting works properly - run pnpm reformat-files over codebase - remove .json files from .eslintignore - add invalid.json file to .eslintignore - configure prettier properly in eslint config - add type jsdoc to prettier config - run adonis generate:manifest command to regenerate ace-manifest.json - specify volta in package.json - introduce typecheck npm script - remove unused .mjs extension from npm scripts - install missing type definition dependencies - add pnpm.allowedDeprecatedVersions to package.json - fix invalid extends in tsconfig.json causing TS issues throughout codebase - remove @ts-ignore throughout codebase which is not relevant anymore - enable some of the tsconfig options - remove outdated eslint-disable from codebase - change deprecated faker.company.companyName() to faker.company.name() - fix TS issues inside transfer.spec.ts * - update to latest node and pnpm versions - upgrade all non-major dependencies to latest - install missing @types/luxon dependency - add cuid to pnpm.allowedDeprecatedVersions - add esModuleInterop config option to tsconfig - migrate more deprecated faker methods to new ones - add more temporary ts-ignore to code * - update eslint config - remove trailingComma: all since default in prettier v3 - add typecheck command to prepare-code npm script - upgrade various dependencies to latest major version - update tsconfig to include only useful config options - disable some lint issues and fix others * - add test command to prepare-code - disable strictPropertyInitialization flag in tsconfig which creates issues with adonis models - update precommit hook to excute pnpm prepare-code - remove ts-ignore statements from all models * fix node and pnpm dependency update * add cross env (so that we can develop on windows) * add signup endpoint (TODO: JWT auth) * Add login endpoint * Add me and updateMe endpoints * Add service endpoint * refactor: change endpoints to use jwt * add recipes endpoint * add workspaces endpoint * fix web controllors for login and post import * Update node deps * Change auth middleware (for web) and exempt api from CSRF * Add import endpoint (franz import) * Fix export/import logic * Fix service and workspace data in user/data * Fix partial lint * chore: workaround lint issues * fix: migration naming had two . * Sync back node with recipes repo * Temporarily ignore typescript * Fix adonisrc to handle public folder static assets * Fix issue with production database * add Legacy Password Provider * Fix lint errors * Fix issue on login errors frontend * add Legacy Password Provider * Fix issue with customIcons * Fix issue with auth tokens * Update 'node' to '18.18.0' * make docker work * improve docker entrypoint (test api performance) * Add migration database script * NODE_ENV on recipes * prefer @ts-expect-error over @ts-ignore * small fixes * Update 'pnpm' to '8.7.6' * fix error catch * Automatically generate JWT Public and Private keys * Use custom Adonis5-jwt * Update code to use secret (old way, no breaking changes) * Normalize appKey * Trick to make JWT tokens on client work with new version * Fix error with new JWT logic * Change migration and how we store JWT * Fix 500 response code (needs to be 401) * Improve logic and fix bugs * Fix build and entrypoint logic * Catch error if appKey changes * Add newToken logic * Fix lint (ignore any errors) * Add build for PRs * pnpm reformat-files result * Fix some tests * Fix reset password not working (test failing) * Restore csrfTokens (disabled by accident) * Fix pnpm start command with .env * Disable failing tests on the transfer endpoint (TODO) * Add tests to PR build * Fix build * Remove unnecessary assertStatus * Add typecheck * hash password on UserFactory (fix build) * Add JWT_USE_PEM true by default (increase security) * fix name of github action --------- Co-authored-by: Vijay A Co-authored-by: Balaji Vijayakumar Co-authored-by: MCMXC <16797721+mcmxcdev@users.noreply.github.com> Co-authored-by: André Oliveira --- config/shield.ts | 243 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 243 insertions(+) create mode 100644 config/shield.ts (limited to 'config/shield.ts') diff --git a/config/shield.ts b/config/shield.ts new file mode 100644 index 0000000..3566e1c --- /dev/null +++ b/config/shield.ts @@ -0,0 +1,243 @@ +/** + * Config source: https://git.io/Jvwvt + * + * Feel free to let us know via PR, if you find something broken in this config + * file. + */ + +import Env from '@ioc:Adonis/Core/Env'; +import { ShieldConfig } from '@ioc:Adonis/Addons/Shield'; + +/* +|-------------------------------------------------------------------------- +| Content Security Policy +|-------------------------------------------------------------------------- +| +| Content security policy filters out the origins not allowed to execute +| and load resources like scripts, styles and fonts. There are wide +| variety of options to choose from. +*/ +export const csp: ShieldConfig['csp'] = { + /* + |-------------------------------------------------------------------------- + | Enable/disable CSP + |-------------------------------------------------------------------------- + | + | The CSP rules are disabled by default for seamless onboarding. + | + */ + enabled: false, + + /* + |-------------------------------------------------------------------------- + | Directives + |-------------------------------------------------------------------------- + | + | All directives are defined in camelCase and here is the list of + | available directives and their possible values. + | + | https://content-security-policy.com + | + | @example + | directives: { + | defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com'] + | } + | + */ + directives: {}, + + /* + |-------------------------------------------------------------------------- + | Report only + |-------------------------------------------------------------------------- + | + | Setting `reportOnly=true` will not block the scripts from running and + | instead report them to a URL. + | + */ + reportOnly: false, +}; + +/* +|-------------------------------------------------------------------------- +| CSRF Protection +|-------------------------------------------------------------------------- +| +| CSRF Protection adds another layer of security by making sure, actionable +| routes does have a valid token to execute an action. +| +*/ +export const csrf: ShieldConfig['csrf'] = { + /* + |-------------------------------------------------------------------------- + | Enable/Disable CSRF + |-------------------------------------------------------------------------- + */ + enabled: Env.get('NODE_ENV') === 'production', + + /* + |-------------------------------------------------------------------------- + | Routes to Ignore + |-------------------------------------------------------------------------- + | + | Define an array of route patterns that you want to ignore from CSRF + | validation. Make sure the route patterns are started with a leading + | slash. Example: + | + | `/foo/bar` + | + | Also you can define a function that is evaluated on every HTTP Request. + | ``` + | exceptRoutes: ({ request }) => request.url().includes('/api') + | ``` + | + */ + exceptRoutes: ctx => { + // ignore all routes starting with /v1/ (api) + return ( + ctx.request.url().includes('/v1/') || + ctx.request.url().includes('/import') + ); + }, + + /* + |-------------------------------------------------------------------------- + | Enable Sharing Token Via Cookie + |-------------------------------------------------------------------------- + | + | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN` + | cookie that frontend frameworks can read and return back as a + | `X-XSRF-TOKEN` header. + | + | The cookie has `httpOnly` flag set to false, so it is little insecure and + | can be turned off when you are not using a frontend framework making + | AJAX requests. + | + */ + enableXsrfCookie: true, + + /* + |-------------------------------------------------------------------------- + | Methods to Validate + |-------------------------------------------------------------------------- + | + | Define an array of HTTP methods to be validated for a valid CSRF token. + | + */ + methods: ['POST', 'PUT', 'PATCH', 'DELETE'], +}; + +/* +|-------------------------------------------------------------------------- +| DNS Prefetching +|-------------------------------------------------------------------------- +| +| DNS prefetching allows browsers to proactively perform domain name +| resolution in background. +| +| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control +| +*/ +export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = { + /* + |-------------------------------------------------------------------------- + | Enable/disable this feature + |-------------------------------------------------------------------------- + */ + enabled: true, + + /* + |-------------------------------------------------------------------------- + | Allow or Dis-Allow Explicitly + |-------------------------------------------------------------------------- + | + | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However + | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header. + | + | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'` + | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'` + | + */ + allow: true, +}; + +/* +|-------------------------------------------------------------------------- +| Iframe Options +|-------------------------------------------------------------------------- +| +| xFrame defines whether or not your website can be embedded inside an +| iframe. Choose from one of the following options. +| +| - DENY +| - SAMEORIGIN +| - ALLOW-FROM http://example.com +| +| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options +*/ +export const xFrame: ShieldConfig['xFrame'] = { + enabled: true, + action: 'DENY', +}; + +/* +|-------------------------------------------------------------------------- +| Http Strict Transport Security +|-------------------------------------------------------------------------- +| +| A security to ensure that a browser always makes a connection over +| HTTPS. +| +| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +| +*/ +export const hsts: ShieldConfig['hsts'] = { + enabled: true, + /* + |-------------------------------------------------------------------------- + | Max Age + |-------------------------------------------------------------------------- + | + | Control, how long the browser should remember that a site is only to be + | accessed using HTTPS. + | + */ + maxAge: '180 days', + + /* + |-------------------------------------------------------------------------- + | Include Subdomains + |-------------------------------------------------------------------------- + | + | Apply rules on the subdomains as well. + | + */ + includeSubDomains: true, + + /* + |-------------------------------------------------------------------------- + | Preloading + |-------------------------------------------------------------------------- + | + | Google maintains a service to register your domain and it will preload + | the HSTS policy. Learn more https://hstspreload.org/ + | + */ + preload: false, +}; + +/* +|-------------------------------------------------------------------------- +| No Sniff +|-------------------------------------------------------------------------- +| +| Browsers have a habit of sniffing content-type of a response. Which means +| files with .txt extension containing Javascript code will be executed as +| Javascript. You can disable this behavior by setting nosniff to false. +| +| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +| +*/ +export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = { + enabled: true, +}; -- cgit v1.2.3-54-g00ecf