From 7584d2d7a7110aef0331ebfa178b2295842c59fa Mon Sep 17 00:00:00 2001 From: MCMXC <16797721+mcmxcdev@users.noreply.github.com> Date: Sat, 10 Feb 2024 18:19:14 -0700 Subject: refactor: project maintenance - work in progress --- config/app.ts | 43 +++--- config/auth.ts | 18 +-- config/bodyparser.ts | 9 +- config/cors.ts | 15 +-- config/dashboard.ts | 6 +- config/database.ts | 54 ++++---- config/drive.ts | 12 +- config/hash.ts | 30 +++-- config/mail.ts | 64 ++++----- config/session.ts | 14 +- config/shield.ts | 363 ++++++++++++++++++--------------------------------- config/static.ts | 8 +- 12 files changed, 261 insertions(+), 375 deletions(-) (limited to 'config') diff --git a/config/app.ts b/config/app.ts index fb3c0be..135f20f 100644 --- a/config/app.ts +++ b/config/app.ts @@ -5,12 +5,12 @@ * file. */ -import proxyAddr from 'proxy-addr'; -import Env from '@ioc:Adonis/Core/Env'; -import { ServerConfig } from '@ioc:Adonis/Core/Server'; -import { LoggerConfig } from '@ioc:Adonis/Core/Logger'; -import { ProfilerConfig } from '@ioc:Adonis/Core/Profiler'; -import { ValidatorConfig } from '@ioc:Adonis/Core/Validator'; +import proxyAddr from 'proxy-addr' +import env from '#start/env' +import { ProfilerConfig } from '@ioc:Adonis/Core/Profiler' +import { LoggerConfig } from '@adonisjs/core/types/logger' +import { ValidatorConfig } from '@adonisjs/validator/types' +import { defineConfig } from '@adonisjs/core/http' /* |-------------------------------------------------------------------------- 
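Review bot: `ProfilerConfig` is still imported from the v5 container alias `@ioc:Adonis/Core/Profiler` in the new import block while every neighbouring import has moved to v6 package paths (`@adonisjs/core/...`, `@adonisjs/validator/types`, `#start/env`), so app.ts will not resolve under the v6 module layout this commit is migrating to. As far as I recall the profiler was dropped in v6 (worth confirming against the upgrade guide); if so, the `profiler` export further down should be removed together with this import rather than left pointing at an alias that no longer exists. The `env`/`defineConfig` migration itself looks consistent with the other files in the diff.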
@@ -25,18 +25,17 @@ import { ValidatorConfig } from '@ioc:Adonis/Core/Validator'; | be decrypted. | */ -export const appKey: string = Env.get('APP_KEY'); +export const appKey: string = env.get('APP_KEY') -export const url: string = Env.get('APP_URL'); +export const url: string = env.get('APP_URL') // TODO: this is parsed as string to be coherent with the previous version of the code we add (before migrating to AdonisJS 5) -export const isRegistrationEnabled: string = Env.get('IS_REGISTRATION_ENABLED'); -export const connectWithFranz: string = Env.get('CONNECT_WITH_FRANZ'); -export const isCreationEnabled: string = Env.get('IS_CREATION_ENABLED'); +export const isRegistrationEnabled: string = env.get('IS_REGISTRATION_ENABLED') +export const connectWithFranz: string = env.get('CONNECT_WITH_FRANZ') +export const isCreationEnabled: string = env.get('IS_CREATION_ENABLED') export const jwtUsePEM: boolean = - Env.get('JWT_USE_PEM', false) || - (Env.get('JWT_PUBLIC_KEY', '') !== '' && - Env.get('JWT_PRIVATE_KEY', '') !== ''); + env.get('JWT_USE_PEM', false) || + (env.get('JWT_PUBLIC_KEY', '') !== '' && env.get('JWT_PRIVATE_KEY', '') !== '') /* |-------------------------------------------------------------------------- | Http server configuration @@ -46,7 +45,7 @@ export const jwtUsePEM: boolean = | the config properties to make keep server secure. | */ -export const http: ServerConfig = { +export const http = defineConfig({ /* |-------------------------------------------------------------------------- | Allow method spoofing @@ -137,7 +136,7 @@ export const http: ServerConfig = { | */ forceContentNegotiationTo: 'application/json', -}; +}) /* |-------------------------------------------------------------------------- 
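Review bot: `env.get('JWT_USE_PEM', false)` in the `jwtUsePEM` expression only behaves as a boolean if `#start/env` declares `JWT_USE_PEM` with a boolean schema; if it is left as a plain string, `JWT_USE_PEM=false` in the environment is a non-empty string and forces PEM mode even when no keys are configured. The hunk does not show the schema, so it is worth confirming it is `Env.schema.boolean.optional()` (or equivalent) and that `JWT_PUBLIC_KEY`/`JWT_PRIVATE_KEY` are declared as optional strings, since the `!== ''` checks rely on the `''` default being applied. The three `: string` feature flags above carry the same string-vs-boolean caveat the existing TODO already notes; migrating them to boolean schema entries would let that TODO be closed.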
@@ -157,7 +156,7 @@ export const logger: LoggerConfig = { | reading the `name` property from the `package.json` file. | */ - name: Env.get('APP_NAME', 'Ferdium-server'), + name: env.get('APP_NAME', 'Ferdium-server'), /* |-------------------------------------------------------------------------- @@ -179,7 +178,7 @@ export const logger: LoggerConfig = { | at deployment level and not code level. | */ - level: Env.get('LOG_LEVEL', 'info'), + level: env.get('LOG_LEVEL', 'info'), /* |-------------------------------------------------------------------------- @@ -190,8 +189,8 @@ export const logger: LoggerConfig = { | can have huge impact on performance. | */ - prettyPrint: Env.get('NODE_ENV') === 'development', -}; + prettyPrint: env.get('NODE_ENV') === 'development', +} /* |-------------------------------------------------------------------------- @@ -230,7 +229,7 @@ export const profiler: ProfilerConfig = { | */ whitelist: [], -}; +} /* |-------------------------------------------------------------------------- @@ -241,4 +240,4 @@ export const profiler: ProfilerConfig = { | to the default config https://git.io/JT0WE | */ -export const validator: ValidatorConfig = {}; +export const validator: ValidatorConfig = {} diff --git a/config/auth.ts b/config/auth.ts index 28a9b8c..f43bbdb 100644 --- a/config/auth.ts +++ b/config/auth.ts @@ -5,9 +5,9 @@ * file. */ -import { AuthConfig } from '@ioc:Adonis/Addons/Auth'; -import Env from '@ioc:Adonis/Core/Env'; -import { appKey, jwtUsePEM } from './app'; +import { AuthConfig } from '@ioc:Adonis/Addons/Auth' +import env from '#start/env' +import { appKey, jwtUsePEM } from './app.js' /* |-------------------------------------------------------------------------- 
@@ -233,12 +233,8 @@ const authConfig: AuthConfig = { driver: 'jwt', secret: jwtUsePEM ? undefined : appKey, algorithmJwt: jwtUsePEM ? undefined : 'HS256', - publicKey: jwtUsePEM - ? Env.get('JWT_PUBLIC_KEY', '').replaceAll('\\n', '\n') - : undefined, - privateKey: jwtUsePEM - ? Env.get('JWT_PRIVATE_KEY', '').replaceAll('\\n', '\n') - : undefined, + publicKey: jwtUsePEM ? env.get('JWT_PUBLIC_KEY', '').replaceAll('\\n', '\n') : undefined, + privateKey: jwtUsePEM ? env.get('JWT_PRIVATE_KEY', '').replaceAll('\\n', '\n') : undefined, persistJwt: true, // TODO: We should improve the following implementation as this is a security concern. // The following ts-expect-error is to set exp to undefined (JWT with no expiration) @@ -258,6 +254,6 @@ const authConfig: AuthConfig = { }, }, }, -}; +} -export default authConfig; +export default authConfig diff --git a/config/bodyparser.ts b/config/bodyparser.ts index b5adcda..b3a027b 100644 --- a/config/bodyparser.ts +++ b/config/bodyparser.ts @@ -5,9 +5,10 @@ * file. */ -import { BodyParserConfig } from '@ioc:Adonis/Core/BodyParser'; +import { BodyParserConfig } from '@adonisjs/core/bodyparser' +import { defineConfig } from '@adonisjs/core/bodyparser' -const bodyParserConfig: BodyParserConfig = { +const bodyParserConfig = defineConfig({ /* |-------------------------------------------------------------------------- | White listed methods @@ -200,6 +201,6 @@ const bodyParserConfig: BodyParserConfig = { */ types: ['multipart/form-data'], }, -}; +}) -export default bodyParserConfig; +export default bodyParserConfig diff --git a/config/cors.ts b/config/cors.ts index dc0e3f6..911326f 100644 --- a/config/cors.ts +++ b/config/cors.ts 
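Review bot: When `jwtUsePEM` is true only because `JWT_USE_PEM` is set, the new `publicKey`/`privateKey` lines fall back to `''` via the `env.get(..., '')` default while `secret` is `undefined`, so the jwt guard is configured with no usable key material and nothing in the hunk fails fast on that. A startup guard such as `if (jwtUsePEM && (!env.get('JWT_PUBLIC_KEY') || !env.get('JWT_PRIVATE_KEY'))) throw new Error('JWT_USE_PEM requires JWT_PUBLIC_KEY and JWT_PRIVATE_KEY')` placed before `authConfig` would surface the misconfiguration at boot instead of at first login. The `persistJwt` / no-expiration TODO directly below is pre-existing and not addressed by this commit. The enclosing `authConfig` object starts and ends outside the hunk.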
@@ -1,13 +1,6 @@ -/** - * Config source: https://git.io/JfefC - * - * Feel free to let us know via PR, if you find something broken in this config - * file. - */ +import { defineConfig } from '@adonisjs/cors' -import { CorsConfig } from '@ioc:Adonis/Core/Cors'; - -const corsConfig: CorsConfig = { +const corsConfig = defineConfig({ /* |-------------------------------------------------------------------------- | Enabled @@ -129,6 +122,6 @@ const corsConfig: CorsConfig = { | */ maxAge: 90, -}; +}) -export default corsConfig; +export default corsConfig diff --git a/config/dashboard.ts b/config/dashboard.ts index 18feb14..9e92024 100644 --- a/config/dashboard.ts +++ b/config/dashboard.ts @@ -1,5 +1,5 @@ -import Env from '@ioc:Adonis/Core/Env'; +import env from '#start/env' -export const enabled: boolean = Env.get('IS_DASHBOARD_ENABLED') !== 'false'; +export const enabled: boolean = env.get('IS_DASHBOARD_ENABLED') !== 'false' -export const mailFrom: string = Env.get('MAIL_SENDER'); +export const mailFrom: string = env.get('MAIL_SENDER') diff --git a/config/database.ts b/config/database.ts index 65a9455..d2db1c2 100644 --- a/config/database.ts +++ b/config/database.ts @@ -1,4 +1,3 @@ -/* eslint-disable @typescript-eslint/indent */ /** * Config source: https://git.io/JesV9 * @@ -6,11 +5,12 @@ * file. */ -import path from 'node:path'; -import Env from '@ioc:Adonis/Core/Env'; -import { DatabaseConfig } from '@ioc:Adonis/Lucid/Database'; +import path from 'node:path' +import env from '#start/env' +import { DatabaseConfig } from '@adonisjs/lucid/database' +import { defineConfig } from '@adonisjs/lucid' -const databaseConfig: DatabaseConfig = { +const databaseConfig = defineConfig({ /* |-------------------------------------------------------------------------- | Connection @@ -21,7 +21,7 @@ const databaseConfig: DatabaseConfig = { | file. | */ - connection: Env.get('DB_CONNECTION', 'sqlite'), + connection: env.get('DB_CONNECTION', 'sqlite'), connections: { /* 
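Review bot: `enabled` in dashboard.ts is true for every value of `IS_DASHBOARD_ENABLED` other than the exact string `'false'`, so `IS_DASHBOARD_ENABLED=0`, `no` or `False` leave the dashboard switched on; this is carried over unchanged, but an opt-out for an admin surface should be strict. If `#start/env` validates this variable, declaring it with a boolean schema and writing `export const enabled: boolean = env.get('IS_DASHBOARD_ENABLED', true)` removes the string comparison entirely; otherwise at least normalise the value (`toLowerCase()`) and treat `'0'`/`'no'` as off. A one-line comment stating that the dashboard is on by default would also help, since nothing in the file says so.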
@@ -39,13 +39,13 @@ const databaseConfig: DatabaseConfig = { client: 'sqlite', connection: { filename: path.join( - Env.get('DATA_DIR', 'data'), - `${Env.get('DB_DATABASE', 'ferdium')}.sqlite`, + env.get('DATA_DIR', 'data'), + `${env.get('DB_DATABASE', 'ferdium')}.sqlite` ), }, pool: { afterCreate: (conn, cb) => { - conn.run('PRAGMA foreign_keys=true', cb); + conn.run('PRAGMA foreign_keys=true', cb) }, }, migrations: { @@ -53,7 +53,7 @@ const databaseConfig: DatabaseConfig = { }, useNullAsDefault: true, healthCheck: false, - debug: Env.get('DB_DEBUG', false), + debug: env.get('DB_DEBUG', false), }, /* @@ -70,17 +70,17 @@ const databaseConfig: DatabaseConfig = { mysql: { client: 'mysql', connection: { - host: Env.get('DB_HOST', 'localhost'), - port: Env.get('DB_PORT', ''), - user: Env.get('DB_USER', 'root'), - password: Env.get('DB_PASSWORD', ''), - database: Env.get('DB_DATABASE', 'ferdium'), + host: env.get('DB_HOST', 'localhost'), + port: env.get('DB_PORT', ''), + user: env.get('DB_USER', 'root'), + password: env.get('DB_PASSWORD', ''), + database: env.get('DB_DATABASE', 'ferdium'), }, migrations: { naturalSort: true, }, healthCheck: false, - debug: Env.get('DB_DEBUG', false), + debug: env.get('DB_DEBUG', false), }, /* 
@@ -97,25 +97,25 @@ const databaseConfig: DatabaseConfig = { pg: { client: 'pg', connection: { - host: Env.get('DB_HOST', 'localhost'), - port: Env.get('DB_PORT', ''), - user: Env.get('DB_USER', 'root'), - password: Env.get('DB_PASSWORD', ''), - database: Env.get('DB_DATABASE', 'ferdium'), - ssl: Env.get('DB_CA_CERT') + host: env.get('DB_HOST', 'localhost'), + port: env.get('DB_PORT', ''), + user: env.get('DB_USER', 'root'), + password: env.get('DB_PASSWORD', ''), + database: env.get('DB_DATABASE', 'ferdium'), + ssl: env.get('DB_CA_CERT') ? { rejectUnauthorized: false, - ca: Env.get('DB_CA_CERT'), + ca: env.get('DB_CA_CERT'), } - : JSON.parse(Env.get('DB_SSL', 'true')), + : JSON.parse(env.get('DB_SSL', 'true')), }, migrations: { naturalSort: true, }, healthCheck: false, - debug: Env.get('DB_DEBUG', false), + debug: env.get('DB_DEBUG', false), }, }, -}; +}) -export default databaseConfig; +export default databaseConfig diff --git a/config/drive.ts b/config/drive.ts index b6950eb..f099303 100644 --- a/config/drive.ts +++ b/config/drive.ts @@ -5,9 +5,9 @@ * file. */ -import Env from '@ioc:Adonis/Core/Env'; -import { driveConfig } from '@adonisjs/core/build/config'; -import Application from '@ioc:Adonis/Core/Application'; +import env from '#start/env' +import { driveConfig } from '@adonisjs/core/build/config' +import { app } from '@adonisjs/core/services/app' /* |-------------------------------------------------------------------------- @@ -28,7 +28,7 @@ export default driveConfig({ | the `DRIVE_DISK` environment variable. | */ - disk: Env.get('DRIVE_DISK', 'local'), + disk: env.get('DRIVE_DISK', 'local'), disks: { /* @@ -53,7 +53,7 @@ export default driveConfig({ | files. | */ - root: Application.tmpPath('uploads'), + root: app.tmpPath('uploads'), /* |-------------------------------------------------------------------------- @@ -146,4 +146,4 @@ export default driveConfig({ // usingUniformAcl: false, // }, }, -}); +}) 
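Review bot: The `ssl` branch for `DB_CA_CERT` pairs the supplied CA with `rejectUnauthorized: false`, which tells the pg driver to accept any server certificate regardless of that CA, so the CA is effectively decorative and the connection is open to an active man-in-the-middle; the line is context in this hunk but it is the new side of the file. Once a CA is supplied it should be `rejectUnauthorized: true` (the driver default), with an explicit opt-out variable if some deployment genuinely needs to skip verification. The `else` branch `JSON.parse(env.get('DB_SSL', 'true'))` also passes whatever JSON the variable holds straight into the driver's ssl options and throws at boot on non-JSON values such as `yes`; validating it in `#start/env` would be safer. The enclosing `connections` object starts before this hunk.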
diff --git a/config/hash.ts b/config/hash.ts index abe7dd0..22e38bd 100644 --- a/config/hash.ts +++ b/config/hash.ts @@ -5,8 +5,9 @@ * file. */ -import Env from '@ioc:Adonis/Core/Env'; -import { hashConfig } from '@adonisjs/core/build/config'; +import env from '#start/env' +import { defineConfig } from '@adonisjs/core/hash' +import { drivers } from '@adonisjs/core/hash' /* |-------------------------------------------------------------------------- @@ -17,7 +18,7 @@ import { hashConfig } from '@adonisjs/core/build/config'; | defined inside `contracts` directory. | */ -export default hashConfig({ +export default defineConfig({ /* |-------------------------------------------------------------------------- | Default hasher @@ -28,18 +29,17 @@ export default hashConfig({ | | Default is set to bcrypt to prevent breaking-changes. */ - default: Env.get('HASH_DRIVER', 'scrypt'), + default: env.get('HASH_DRIVER', 'scrypt'), list: { - scrypt: { - driver: 'scrypt', + scrypt: drivers.scrypt({ cost: 16_384, blockSize: 8, parallelization: 1, saltSize: 16, keyLength: 64, maxMemory: 32 * 1024 * 1024, - }, + }), /* |-------------------------------------------------------------------------- | Argon @@ -53,14 +53,13 @@ export default hashConfig({ | npm install phc-argon2 | */ - argon: { - driver: 'argon2', + argon: drivers.argon2({ variant: 'id', iterations: 3, memory: 4096, parallelism: 1, saltSize: 16, - }, + }), /* |-------------------------------------------------------------------------- @@ -75,14 +74,17 @@ export default hashConfig({ | npm install phc-bcrypt | */ - bcrypt: { - driver: 'bcrypt', + bcrypt: drivers.bcrypt({ rounds: 10, - }, + }), legacy: { // @ts-expect-error driver: 'legacy', }, }, -}); +}) + +declare module '@adonisjs/core/types' { + export interface HashersList extends InferHashers {} +} diff --git a/config/mail.ts b/config/mail.ts index 3f688ce..7d650d5 100644 --- a/config/mail.ts +++ b/config/mail.ts 
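Review bot: The new `declare module '@adonisjs/core/types' { export interface HashersList extends InferHashers {} }` references `InferHashers` without importing it and without a type argument, so the file does not type-check as written; `InferHashers` needs the config type (`InferHashers<typeof hashConfig>`), which in turn requires the config to be bound to a name instead of being passed inline to `export default defineConfig({...})`. Suggest `const hashConfig = defineConfig({ ... })` followed by `export default hashConfig`, plus `import type { InferHashers } from '@adonisjs/core/types'` (the exact type path should be checked against the v6 docs). The comment above `default:` still reads "Default is set to bcrypt to prevent breaking-changes" while the default is `scrypt`; update it to match. The `legacy` entry keeps its `@ts-expect-error` driver stub, so whatever registers that driver must still exist elsewhere — outside this hunk.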
@@ -5,10 +5,10 @@ * file. */ -import Env from '@ioc:Adonis/Core/Env'; -import { mailConfig } from '@adonisjs/mail/build/config'; +import env from '#start/env' +import { defineConfig } from '@adonisjs/mail' -export default mailConfig({ +export default defineConfig({ /* |-------------------------------------------------------------------------- | Default mailer @@ -18,7 +18,7 @@ export default mailConfig({ | a mailer | */ - mailer: Env.get('MAIL_CONNECTION', 'smtp'), + mailer: env.get('MAIL_CONNECTION', 'smtp'), /* |-------------------------------------------------------------------------- @@ -42,22 +42,21 @@ export default mailConfig({ | Uses SMTP protocol for sending email | */ - smtp: { - driver: 'smtp', - name: Env.get('APP_URL'), - port: Env.get('SMTP_PORT', '2525'), - host: Env.get('SMTP_HOST', 'localhost'), - secure: JSON.parse(Env.get('MAIL_SSL', 'false')), - requireTLS: JSON.parse(Env.get('MAIL_REQUIRE_TLS', 'false')), + smtp: drivers.smtp({ + name: env.get('APP_URL'), + port: env.get('SMTP_PORT', '2525'), + host: env.get('SMTP_HOST', 'localhost'), + secure: JSON.parse(env.get('MAIL_SSL', 'false')), + requireTLS: JSON.parse(env.get('MAIL_REQUIRE_TLS', 'false')), auth: { - user: Env.get('MAIL_USERNAME'), - pass: Env.get('MAIL_PASSWORD'), + user: env.get('MAIL_USERNAME'), + pass: env.get('MAIL_PASSWORD'), type: 'login', }, maxConnections: 5, maxMessages: 100, rateLimit: 10, - }, + }), /* |-------------------------------------------------------------------------- 
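Review bot: `smtp: drivers.smtp({...})` uses `drivers`, but the import hunk at the top of mail.ts only brings in `defineConfig` from `@adonisjs/mail` (plus `env`), so the config module fails with a ReferenceError on load unless the factory is imported. Note that hash.ts in the same commit imports `drivers` from `@adonisjs/core/hash`, but the mail package may export its factories under a different name (I believe `transports` in v6), so check the package rather than copying the identifier. The TLS flags `secure` and `requireTLS` are still derived via `JSON.parse` of a string env, so `MAIL_SSL=yes` crashes the process at boot; a boolean schema in `#start/env` would let these become `env.get('MAIL_SSL', false)`. The enclosing mailers object starts before this hunk.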
@@ -72,47 +71,48 @@ export default mailConfig({ | ``` | */ - ses: { - driver: 'ses', + ses: drivers.ses({ apiVersion: '2010-12-01', - key: Env.get('SES_ACCESS_KEY'), - secret: Env.get('SES_ACCESS_SECRET'), - region: Env.get('SES_REGION'), + key: env.get('SES_ACCESS_KEY'), + secret: env.get('SES_ACCESS_SECRET'), + region: env.get('SES_REGION'), sslEnabled: true, sendingRate: 10, maxConnections: 5, - }, + }), /* |-------------------------------------------------------------------------- | Mailgun |-------------------------------------------------------------------------- | - | Uses Mailgun service for sending emails. + | Uses Mailgun service for sending emails. | | If you are using an EU domain. Ensure to change the baseUrl to hit the | europe endpoint (https://api.eu.mailgun.net/v3). | */ - mailgun: { - driver: 'mailgun', + mailgun: drivers.mailgun({ baseUrl: 'https://api.mailgun.net/v3', - key: Env.get('MAILGUN_API_KEY'), - domain: Env.get('MAILGUN_DOMAIN'), - }, + key: env.get('MAILGUN_API_KEY'), + domain: env.get('MAILGUN_DOMAIN'), + }), /* |-------------------------------------------------------------------------- | SparkPost |-------------------------------------------------------------------------- | - | Uses Sparkpost service for sending emails. + | Uses Sparkpost service for sending emails. | */ - sparkpost: { - driver: 'sparkpost', + sparkpost: drivers.sparkpost({ baseUrl: 'https://api.sparkpost.com/api/v1', - key: Env.get('SPARKPOST_API_KEY'), - }, + key: env.get('SPARKPOST_API_KEY'), + }), }, -}); +}) + +declare module '@adonisjs/mail/types' { + export interface MailersList extends InferMailers {} +} diff --git a/config/session.ts b/config/session.ts index fbf8c7c..299eec3 100644 --- a/config/session.ts +++ b/config/session.ts 
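Review bot: The appended `declare module '@adonisjs/mail/types' { export interface MailersList extends InferMailers {} }` has the same problem as the hash config: `InferMailers` is neither imported nor given a type argument, so the file does not type-check. It needs the config bound to a name — `const mailConfig = defineConfig({ ... })` then `export default mailConfig` — and `MailersList extends InferMailers<typeof mailConfig>` with the matching `import type` (path per the v6 mail docs, worth confirming). The `ses`, `mailgun` and `sparkpost` entries also call `drivers.*`, which is not imported anywhere in the visible hunks of this file.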
@@ -5,11 +5,11 @@ * file. */ -import Env from '@ioc:Adonis/Core/Env'; -import Application from '@ioc:Adonis/Core/Application'; -import { sessionConfig } from '@adonisjs/session/build/config'; +import env from '#start/env' +import { app } from '@adonisjs/core/services/app' +import { defineConfig } from '@adonisjs/session' -export default sessionConfig({ +export default defineConfig({ /* |-------------------------------------------------------------------------- | Enable/Disable sessions @@ -36,7 +36,7 @@ export default sessionConfig({ | Note: Switching drivers will make existing sessions invalid. | */ - driver: Env.get('SESSION_DRIVER', 'cookie'), + driver: env.get('SESSION_DRIVER', 'cookie'), /* |-------------------------------------------------------------------------- @@ -100,7 +100,7 @@ export default sessionConfig({ | */ file: { - location: Application.tmpPath('sessions'), + location: app.tmpPath('sessions'), }, /* @@ -113,4 +113,4 @@ export default sessionConfig({ | */ redisConnection: 'local', -}); +}) diff --git a/config/shield.ts b/config/shield.ts index 3566e1c..c88df25 100644 --- a/config/shield.ts +++ b/config/shield.ts 
@@ -1,243 +1,138 @@ -/** - * Config source: https://git.io/Jvwvt - * - * Feel free to let us know via PR, if you find something broken in this config - * file. - */ +import env from '#start/env' +import { defineConfig } from '@adonisjs/shield' -import Env from '@ioc:Adonis/Core/Env'; -import { ShieldConfig } from '@ioc:Adonis/Addons/Shield'; +export default defineConfig({ + csp: { + /* + |-------------------------------------------------------------------------- + | Enable/disable CSP + |-------------------------------------------------------------------------- + | + | The CSP rules are disabled by default for seamless onboarding. + | + */ + enabled: false, -/* -|-------------------------------------------------------------------------- -| Content Security Policy -|-------------------------------------------------------------------------- -| -| Content security policy filters out the origins not allowed to execute -| and load resources like scripts, styles and fonts. There are wide -| variety of options to choose from. -*/ -export const csp: ShieldConfig['csp'] = { - /* - |-------------------------------------------------------------------------- - | Enable/disable CSP - |-------------------------------------------------------------------------- - | - | The CSP rules are disabled by default for seamless onboarding. - | - */ - enabled: false, + /* + |-------------------------------------------------------------------------- + | Directives + |-------------------------------------------------------------------------- + | + | All directives are defined in camelCase and here is the list of + | available directives and their possible values. 
+ | + | https://content-security-policy.com + | + | @example + | directives: { + | defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com'] + | } + | + */ + directives: {}, - /* - |-------------------------------------------------------------------------- - | Directives - |-------------------------------------------------------------------------- - | - | All directives are defined in camelCase and here is the list of - | available directives and their possible values. - | - | https://content-security-policy.com - | - | @example - | directives: { - | defaultSrc: ["'self'", '@nonce', 'cdnjs.cloudflare.com'] - | } - | - */ - directives: {}, - - /* - |-------------------------------------------------------------------------- - | Report only - |-------------------------------------------------------------------------- - | - | Setting `reportOnly=true` will not block the scripts from running and - | instead report them to a URL. - | - */ - reportOnly: false, -}; - -/* -|-------------------------------------------------------------------------- -| CSRF Protection -|-------------------------------------------------------------------------- -| -| CSRF Protection adds another layer of security by making sure, actionable -| routes does have a valid token to execute an action. -| -*/ -export const csrf: ShieldConfig['csrf'] = { - /* - |-------------------------------------------------------------------------- - | Enable/Disable CSRF - |-------------------------------------------------------------------------- - */ - enabled: Env.get('NODE_ENV') === 'production', - - /* - |-------------------------------------------------------------------------- - | Routes to Ignore - |-------------------------------------------------------------------------- - | - | Define an array of route patterns that you want to ignore from CSRF - | validation. Make sure the route patterns are started with a leading - | slash. 
Example: - | - | `/foo/bar` - | - | Also you can define a function that is evaluated on every HTTP Request. - | ``` - | exceptRoutes: ({ request }) => request.url().includes('/api') - | ``` - | - */ - exceptRoutes: ctx => { - // ignore all routes starting with /v1/ (api) - return ( - ctx.request.url().includes('/v1/') || - ctx.request.url().includes('/import') - ); + /* + |-------------------------------------------------------------------------- + | Report only + |-------------------------------------------------------------------------- + | + | Setting `reportOnly=true` will not block the scripts from running and + | instead report them to a URL. + | + */ + reportOnly: false, }, + csrf: { + /* + |-------------------------------------------------------------------------- + | Enable/Disable CSRF + |-------------------------------------------------------------------------- + */ + enabled: env.get('NODE_ENV') === 'production', - /* - |-------------------------------------------------------------------------- - | Enable Sharing Token Via Cookie - |-------------------------------------------------------------------------- - | - | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN` - | cookie that frontend frameworks can read and return back as a - | `X-XSRF-TOKEN` header. - | - | The cookie has `httpOnly` flag set to false, so it is little insecure and - | can be turned off when you are not using a frontend framework making - | AJAX requests. - | - */ - enableXsrfCookie: true, - - /* - |-------------------------------------------------------------------------- - | Methods to Validate - |-------------------------------------------------------------------------- - | - | Define an array of HTTP methods to be validated for a valid CSRF token. 
- | - */ - methods: ['POST', 'PUT', 'PATCH', 'DELETE'], -}; - -/* -|-------------------------------------------------------------------------- -| DNS Prefetching -|-------------------------------------------------------------------------- -| -| DNS prefetching allows browsers to proactively perform domain name -| resolution in background. -| -| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control -| -*/ -export const dnsPrefetch: ShieldConfig['dnsPrefetch'] = { - /* - |-------------------------------------------------------------------------- - | Enable/disable this feature - |-------------------------------------------------------------------------- - */ - enabled: true, + /* + |-------------------------------------------------------------------------- + | Routes to Ignore + |-------------------------------------------------------------------------- + | + | Define an array of route patterns that you want to ignore from CSRF + | validation. Make sure the route patterns are started with a leading + | slash. Example: + | + | `/foo/bar` + | + | Also you can define a function that is evaluated on every HTTP Request. + | ``` + | exceptRoutes: ({ request }) => request.url().includes('/api') + | ``` + | + */ + exceptRoutes: (ctx) => { + // ignore all routes starting with /v1/ (api) + return ctx.request.url().includes('/v1/') || ctx.request.url().includes('/import') + }, - /* - |-------------------------------------------------------------------------- - | Allow or Dis-Allow Explicitly - |-------------------------------------------------------------------------- - | - | The `enabled` boolean does not set `X-DNS-Prefetch-Control` header. However - | the `allow` boolean controls the value of `X-DNS-Prefetch-Control` header. 
- | - | - When `allow = true`, then `X-DNS-Prefetch-Control = 'on'` - | - When `allow = false`, then `X-DNS-Prefetch-Control = 'off'` - | - */ - allow: true, -}; + /* + |-------------------------------------------------------------------------- + | Enable Sharing Token Via Cookie + |-------------------------------------------------------------------------- + | + | When the following flag is enabled, AdonisJS will drop `XSRF-TOKEN` + | cookie that frontend frameworks can read and return back as a + | `X-XSRF-TOKEN` header. + | + | The cookie has `httpOnly` flag set to false, so it is little insecure and + | can be turned off when you are not using a frontend framework making + | AJAX requests. + | + */ + enableXsrfCookie: true, -/* -|-------------------------------------------------------------------------- -| Iframe Options -|-------------------------------------------------------------------------- -| -| xFrame defines whether or not your website can be embedded inside an -| iframe. Choose from one of the following options. -| -| - DENY -| - SAMEORIGIN -| - ALLOW-FROM http://example.com -| -| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options -*/ -export const xFrame: ShieldConfig['xFrame'] = { - enabled: true, - action: 'DENY', -}; - -/* -|-------------------------------------------------------------------------- -| Http Strict Transport Security -|-------------------------------------------------------------------------- -| -| A security to ensure that a browser always makes a connection over -| HTTPS. 
-| -| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security -| -*/ -export const hsts: ShieldConfig['hsts'] = { - enabled: true, - /* - |-------------------------------------------------------------------------- - | Max Age - |-------------------------------------------------------------------------- - | - | Control, how long the browser should remember that a site is only to be - | accessed using HTTPS. - | - */ - maxAge: '180 days', - - /* - |-------------------------------------------------------------------------- - | Include Subdomains - |-------------------------------------------------------------------------- - | - | Apply rules on the subdomains as well. - | - */ - includeSubDomains: true, + /* + |-------------------------------------------------------------------------- + | Methods to Validate + |-------------------------------------------------------------------------- + | + | Define an array of HTTP methods to be validated for a valid CSRF token. + | + */ + methods: ['POST', 'PUT', 'PATCH', 'DELETE'], + }, + hsts: { + enabled: true, + /* + |-------------------------------------------------------------------------- + | Max Age + |-------------------------------------------------------------------------- + | + | Control, how long the browser should remember that a site is only to be + | accessed using HTTPS. + | + */ + maxAge: '180 days', - /* - |-------------------------------------------------------------------------- - | Preloading - |-------------------------------------------------------------------------- - | - | Google maintains a service to register your domain and it will preload - | the HSTS policy. Learn more https://hstspreload.org/ - | - */ - preload: false, -}; + /* + |-------------------------------------------------------------------------- + | Include Subdomains + |-------------------------------------------------------------------------- + | + | Apply rules on the subdomains as well. 
+ | + */ + includeSubDomains: true, -/* -|-------------------------------------------------------------------------- -| No Sniff -|-------------------------------------------------------------------------- -| -| Browsers have a habit of sniffing content-type of a response. Which means -| files with .txt extension containing Javascript code will be executed as -| Javascript. You can disable this behavior by setting nosniff to false. -| -| Learn more at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options -| -*/ -export const contentTypeSniffing: ShieldConfig['contentTypeSniffing'] = { - enabled: true, -}; + /* + |-------------------------------------------------------------------------- + | Preloading + |-------------------------------------------------------------------------- + | + | Google maintains a service to register your domain and it will preload + | the HSTS policy. Learn more https://hstspreload.org/ + | + */ + preload: false, + }, + contentTypeSniffing: { + enabled: true, + }, +}) diff --git a/config/static.ts b/config/static.ts index 1f7c88f..1d0d0c3 100644 --- a/config/static.ts +++ b/config/static.ts @@ -1,10 +1,10 @@ -import { AssetsConfig } from '@ioc:Adonis/Core/Static'; +import { defineConfig } from '@adonisjs/static' -const staticConfig: AssetsConfig = { +const staticConfig = defineConfig({ enabled: true, dotFiles: 'ignore', etag: true, lastModified: true, -}; +}) -export default staticConfig; +export default staticConfig -- cgit v1.2.3-70-g09d2
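Review bot: The rewritten shield config drops the `xFrame` block (old side had `enabled: true, action: 'DENY'`) and `dnsPrefetch` entirely, so unless the v6 `defineConfig` fills in an enabled `X-Frame-Options` default — which the hunk does not show — the server stops sending clickjacking protection after this change; add `xFrame: { enabled: true, action: 'DENY' },` back next to `hsts`. In `csrf.exceptRoutes`, `ctx.request.url().includes('/v1/') || ctx.request.url().includes('/import')` is a substring match, so any path that merely contains `/v1/` or `/import` somewhere (e.g. `/settings/import-foo`) skips CSRF validation for the listed methods; `startsWith` against the real prefixes is the safer form. CSRF is also only `enabled` when `NODE_ENV === 'production'`, so non-production deployments run with it off and the `XSRF-TOKEN` flow is never exercised before production — pre-existing, but a comment saying so would stop it being read as a default. `csp.enabled: false` with empty `directives` likewise remains; fine for onboarding, but the comment should state that no CSP header is sent at all in that state.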