edge-express/lib/index.cjs.js

/*! edge-express v1.0.0-alpha.3 by Sebastian Software <s.werner@sebastian-software.de> */
'use strict';

Object.defineProperty(exports, '__esModule', { value: true });

function _interopDefault (ex) { return (ex && (typeof ex === 'object') && 'default' in ex) ? ex['default'] : ex; }

var compression = _interopDefault(require('compression'));
var createLocaleMiddleware = _interopDefault(require('express-locale'));
var cookieParser = _interopDefault(require('cookie-parser'));
var bodyParser = _interopDefault(require('body-parser'));
var PrettyError = _interopDefault(require('pretty-error'));
var helmet = _interopDefault(require('helmet'));
var parameterProtection = _interopDefault(require('hpp'));
var uuid = _interopDefault(require('uuid'));
var express = _interopDefault(require('express'));
var dotenv = _interopDefault(require('dotenv'));

function addCoreMiddleware(server, _ref) {
  var locale = _ref.locale;

  // Parse cookies via standard express tooling
  server.use(cookieParser());

  // Detect client locale and match it with configuration
  server.use(createLocaleMiddleware({
    priority: ["query", "cookie", "accept-language", "default"],
    "default": locale["default"].replace(/-/, "_"),
    allowed: locale.supported.map(function (entry) {
      return entry.replace(/-/, "_");
    })
  }));

  // Parse application/x-www-form-urlencoded
  server.use(bodyParser.urlencoded({ extended: false }));

  // Parse application/json
  server.use(bodyParser.json());

  // Compress output stream
  server.use(compression());
}

var pretty = new PrettyError();

// this will skip events.js and http.js and similar core node files
pretty.skipNodeFiles();

// this will skip all the trace lines about express` core and sub-modules
pretty.skipPackage("express");

function addErrorMiddleware(server) {
  // and use it for our app's error handler:
  server.use(function (error, request, response, next) {
    // eslint-disable-line max-params
    console.log(pretty.render(error));
    next();
  });
}

/* eslint-disable no-magic-numbers, max-params */
function addFallbackHandler(server) {
  // Handle 404 errors.
  // Note: the react application middleware hands 404 paths, but it is good to
  // have this backup for paths not handled by the universal middleware. For
  // example you may bind a /api path to express.
  server.use(function (request, response) {
    // eslint-disable-line no-unused-vars,max-len
    response.status(404).send("Sorry, that resource was not found.");
  });

  // Handle all other errors (i.e. 500).
  // Note: You must provide specify all 4 parameters on this callback function
  // even if they aren't used, otherwise it won't be used.
  server.use(function (error, request, response) {
    if (error) {
      /* eslint-disable no-console */
      console.log(error);
      console.log(error.stack);
    }

    response.status(500).send("Sorry, an unexpected error occurred.");
  });
}

function addSecurityMiddleware(server, _ref) {
  var _ref$enableNonce = _ref.enableNonce,
      enableNonce = _ref$enableNonce === undefined ? true : _ref$enableNonce,
      _ref$enableCSP = _ref.enableCSP,
      enableCSP = _ref$enableCSP === undefined ? true : _ref$enableCSP;

  if (enableNonce) {
    /* eslint-disable max-params */

    // Attach a unique "nonce" to every response. This allows use to declare
    // inline scripts as being safe for execution against our content security policy.
    // @see https://helmetjs.github.io/docs/csp/
    server.use(function (request, response, next) {
      response.locals.nonce = uuid();
      next();
    });
  }

  // Don't expose any software information to hackers.
  server.disable("x-powered-by");

  // Prevent HTTP Parameter pollution.
  server.use(parameterProtection());

  // Content Security Policy (CSP)
  //
  // If you are unfamiliar with CSPs then I highly recommend that you do some
  // reading on the subject:
  //  - https://content-security-policy.com/
  //  - https://developers.google.com/web/fundamentals/security/csp/
  //  - https://developer.mozilla.org/en/docs/Web/Security/CSP
  //  - https://helmetjs.github.io/docs/csp/
  //
  // If you are relying on scripts/styles/assets from other servers (internal or
  // external to your company) then you will need to explicitly configure the
  // CSP below to allow for this.  For example you can see I have had to add
  // the polyfill.io CDN in order to allow us to use the polyfill script.
  // It can be a pain to manage these, but it's a really great habit to get in
  // to.
  //
  // You may find CSPs annoying at first, but it is a great habit to build.
  // The CSP configuration is an optional item for helmet, however you should
  // not remove it without making a serious consideration that you do not require
  // the added security.
  var cspConfig = enableCSP ? {
    directives: {
      defaultSrc: ["'self'"],

      scriptSrc: [
      // Allow scripts hosted from our application.
      "'self'",

      // Note: We will execution of any inline scripts that have the following
      // nonce identifier attached to them.
      // This is useful for guarding your application whilst allowing an inline
      // script to do data store rehydration (redux/mobx/apollo) for example.
      // @see https://helmetjs.github.io/docs/csp/
      function (request, response) {
        return "'nonce-" + response.locals.nonce + "'";
      },

      // Required for eval-source-maps (devtool in webpack)
      process.env.NODE_ENV === "development" ? "'unsafe-eval'" : ""].filter(function (value) {
        return value !== "";
      }),

      styleSrc: ["'self'", "'unsafe-inline'", "blob:"],
      imgSrc: ["'self'", "data:"],
      fontSrc: ["'self'", "data:"],

      // Note: Setting this to stricter than * breaks the service worker. :(
      // I can't figure out how to get around this, so if you know of a safer
      // implementation that is kinder to service workers please let me know.
      // ["'self'", 'ws:'],
      connectSrc: ["*"],

      // objectSrc: [ "'none'" ],
      // mediaSrc: [ "'none'" ],

      childSrc: ["'self'"]
    }
  } : null;

  if (enableCSP) {
    server.use(helmet.contentSecurityPolicy(cspConfig));
  }

  // The xssFilter middleware sets the X-XSS-Protection header to prevent
  // reflected XSS attacks.
  // @see https://helmetjs.github.io/docs/xss-filter/
  server.use(helmet.xssFilter());

  // Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.
  // @see https://helmetjs.github.io/docs/frameguard/
  server.use(helmet.frameguard("deny"));

  // Sets the X-Download-Options to prevent Internet Explorer from executing
  // downloads in your site’s context.
  // @see https://helmetjs.github.io/docs/ienoopen/
  server.use(helmet.ieNoOpen());

  // Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying
  // to guess (“sniff”) the MIME type, which can have security implications. It
  // does this by setting the X-Content-Type-Options header to nosniff.
  // @see https://helmetjs.github.io/docs/dont-sniff-mimetype/
  server.use(helmet.noSniff());
}

var defaultLocale = {
  "default": "en-US",
  supported: ["en-US"]
};

var defaultStatic = {
  "public": "/static/",
  path: "build/client"
};

function createExpressServer(_ref) {
  var _ref$localeConfig = _ref.localeConfig,
      localeConfig = _ref$localeConfig === undefined ? defaultLocale : _ref$localeConfig,
      _ref$staticConfig = _ref.staticConfig,
      staticConfig = _ref$staticConfig === undefined ? defaultStatic : _ref$staticConfig,
      _ref$afterSecurity = _ref.afterSecurity,
      afterSecurity = _ref$afterSecurity === undefined ? [] : _ref$afterSecurity,
      _ref$beforeFallback = _ref.beforeFallback,
      beforeFallback = _ref$beforeFallback === undefined ? [] : _ref$beforeFallback,
      _ref$enableCSP = _ref.enableCSP,
      enableCSP = _ref$enableCSP === undefined ? false : _ref$enableCSP,
      _ref$enableNonce = _ref.enableNonce,
      enableNonce = _ref$enableNonce === undefined ? false : _ref$enableNonce;

  // Create our express based server.
  var server = express();

  addErrorMiddleware(server);
  addSecurityMiddleware(server, { enableCSP: enableCSP, enableNonce: enableNonce });

  // Allow for some early additions for middleware
  if (afterSecurity.length > 0) {
    afterSecurity.forEach(function (middleware) {
      if (middleware instanceof Array) {
        server.use.apply(server, middleware);
      } else {
        server.use(middleware);
      }
    });
  }

  addCoreMiddleware(server, { locale: localeConfig });

  // Configure static serving of our webpack bundled client files.
  if (staticConfig) {
    server.use(staticConfig["public"], express["static"](staticConfig.path));
  }

  // Allow for some late additions for middleware
  if (beforeFallback.length > 0) {
    beforeFallback.forEach(function (middleware) {
      if (middleware instanceof Array) {
        server.use.apply(server, middleware);
      } else {
        server.use(middleware);
      }
    });
  }

  // For all things which did not went well.
  addFallbackHandler(server);

  return server;
}

// Initialize environment configuration
dotenv.config();

exports.addCoreMiddleware = addCoreMiddleware;
exports.addErrorMiddleware = addErrorMiddleware;
exports.addFallbackHandler = addFallbackHandler;
exports.addSecurityMiddleware = addSecurityMiddleware;
exports.createExpressServer = createExpressServer;
//# sourceMappingURL=index.cjs.js.map