1{"version":3,"file":"index.cjs.js","sources":["../src/addCoreMiddleware.js","../src/addErrorMiddleware.js","../src/addFallbackHandler.js","../src/addSecurityMiddleware.js","../src/createExpressServer.js","../src/index.js"],"sourcesContent":["import compression from \"compression\"\nimport createLocaleMiddleware from \"express-locale\"\nimport cookieParser from \"cookie-parser\"\nimport bodyParser from \"body-parser\"\n\nexport default function addCoreMiddleware(server, { locale }) {\n // Parse cookies via standard express tooling\n server.use(cookieParser())\n\n // Detect client locale and match it with configuration\n server.use(\n createLocaleMiddleware({\n priority: [ \"query\", \"cookie\", \"accept-language\", \"default\" ],\n default: locale.default.replace(/-/, \"_\"),\n allowed: locale.supported.map(entry => entry.replace(/-/, \"_\"))\n })\n )\n\n // Parse application/x-www-form-urlencoded\n server.use(bodyParser.urlencoded({ extended: false }))\n\n // Parse application/json\n server.use(bodyParser.json())\n\n // Compress output stream\n server.use(compression())\n}\n","import PrettyError from \"pretty-error\"\n\nconst pretty = new PrettyError()\n\n// this will skip events.js and http.js and similar core node files\npretty.skipNodeFiles()\n\n// this will skip all the trace lines about express` core and sub-modules\npretty.skipPackage(\"express\")\n\nexport default function addErrorMiddleware(server) {\n // and use it for our app's error handler:\n server.use((error, request, response, next) => {\n // eslint-disable-line max-params\n console.log(pretty.render(error))\n next()\n })\n}\n","/* eslint-disable no-magic-numbers, max-params */\nexport default function addFallbackHandler(server) {\n // Handle 404 errors.\n // Note: the react application middleware hands 404 paths, but it is good to\n // have this backup for paths not handled by the universal middleware. 
For\n // example you may bind a /api path to express.\n server.use((request, response, next) => {\n // eslint-disable-line no-unused-vars,max-len\n response.status(404).send(\"Sorry, that resource was not found.\")\n })\n\n // Handle all other errors (i.e. 500).\n // Note: You must provide specify all 4 parameters on this callback function\n // even if they aren't used, otherwise it won't be used.\n server.use((error, request, response, next) => {\n if (error) {\n /* eslint-disable no-console */\n console.log(error)\n console.log(error.stack)\n }\n\n response.status(500).send(\"Sorry, an unexpected error occurred.\")\n })\n}\n","import helmet from \"helmet\"\nimport parameterProtection from \"hpp\"\nimport uuid from \"uuid\"\n\nexport default function addSecurityMiddleware(server, { enableNonce = true, enableCSP = true }) {\n if (enableNonce) {\n /* eslint-disable max-params */\n\n // Attach a unique \"nonce\" to every response. This allows use to declare\n // inline scripts as being safe for execution against our content security policy.\n // @see https://helmetjs.github.io/docs/csp/\n server.use((request, response, next) => {\n response.locals.nonce = uuid()\n next()\n })\n }\n\n // Don't expose any software information to hackers.\n server.disable(\"x-powered-by\")\n\n // Prevent HTTP Parameter pollution.\n server.use(parameterProtection())\n\n // Content Security Policy (CSP)\n //\n // If you are unfamiliar with CSPs then I highly recommend that you do some\n // reading on the subject:\n // - https://content-security-policy.com/\n // - https://developers.google.com/web/fundamentals/security/csp/\n // - https://developer.mozilla.org/en/docs/Web/Security/CSP\n // - https://helmetjs.github.io/docs/csp/\n //\n // If you are relying on scripts/styles/assets from other servers (internal or\n // external to your company) then you will need to explicitly configure the\n // CSP below to allow for this. 
For example you can see I have had to add\n // the polyfill.io CDN in order to allow us to use the polyfill script.\n // It can be a pain to manage these, but it's a really great habit to get in\n // to.\n //\n // You may find CSPs annoying at first, but it is a great habit to build.\n // The CSP configuration is an optional item for helmet, however you should\n // not remove it without making a serious consideration that you do not require\n // the added security.\n const cspConfig = enableCSP ? {\n directives: {\n defaultSrc: [ \"'self'\" ],\n\n scriptSrc:\n [\n // Allow scripts hosted from our application.\n \"'self'\",\n\n // Note: We will execution of any inline scripts that have the following\n // nonce identifier attached to them.\n // This is useful for guarding your application whilst allowing an inline\n // script to do data store rehydration (redux/mobx/apollo) for example.\n // @see https://helmetjs.github.io/docs/csp/\n (request, response) => `'nonce-${response.locals.nonce}'`,\n\n // Required for eval-source-maps (devtool in webpack)\n process.env.NODE_ENV === \"development\" ? \"'unsafe-eval'\" : \"\"\n ].filter((value) => value !== \"\"),\n\n styleSrc: [ \"'self'\", \"'unsafe-inline'\", \"blob:\" ],\n imgSrc: [ \"'self'\", \"data:\" ],\n fontSrc: [ \"'self'\", \"data:\" ],\n\n // Note: Setting this to stricter than * breaks the service worker. 
:(\n // I can't figure out how to get around this, so if you know of a safer\n // implementation that is kinder to service workers please let me know.\n // [\"'self'\", 'ws:'],\n connectSrc: [ \"*\" ],\n\n // objectSrc: [ \"'none'\" ],\n // mediaSrc: [ \"'none'\" ],\n\n childSrc: [ \"'self'\" ]\n }\n } : null\n\n if (enableCSP) {\n server.use(helmet.contentSecurityPolicy(cspConfig))\n }\n\n // The xssFilter middleware sets the X-XSS-Protection header to prevent\n // reflected XSS attacks.\n // @see https://helmetjs.github.io/docs/xss-filter/\n server.use(helmet.xssFilter())\n\n // Frameguard mitigates clickjacking attacks by setting the X-Frame-Options header.\n // @see https://helmetjs.github.io/docs/frameguard/\n server.use(helmet.frameguard(\"deny\"))\n\n // Sets the X-Download-Options to prevent Internet Explorer from executing\n // downloads in your site’s context.\n // @see https://helmetjs.github.io/docs/ienoopen/\n server.use(helmet.ieNoOpen())\n\n // Don’t Sniff Mimetype middleware, noSniff, helps prevent browsers from trying\n // to guess (“sniff”) the MIME type, which can have security implications. 
It\n // does this by setting the X-Content-Type-Options header to nosniff.\n // @see https://helmetjs.github.io/docs/dont-sniff-mimetype/\n server.use(helmet.noSniff())\n}\n","import express from \"express\"\n\nimport addSecurityMiddleware from \"./addSecurityMiddleware\"\nimport addCoreMiddleware from \"./addCoreMiddleware\"\nimport addErrorMiddleware from \"./addErrorMiddleware\"\nimport addFallbackHandler from \"./addFallbackHandler\"\n\nconst defaultLocale = {\n default: \"en-US\",\n supported: [ \"en-US\" ]\n}\n\nconst defaultStatic = {\n public: \"/static/\",\n path: \"build/client\"\n}\n\nexport default function createExpressServer({\n localeConfig = defaultLocale,\n staticConfig = defaultStatic,\n afterSecurity = [],\n beforeFallback = [],\n enableCSP = false,\n enableNonce = false\n}) {\n // Create our express based server.\n const server = express()\n\n addErrorMiddleware(server)\n addSecurityMiddleware(server, { enableCSP, enableNonce })\n\n // Allow for some early additions for middleware\n if (afterSecurity.length > 0) {\n afterSecurity.forEach((middleware) => {\n if (middleware instanceof Array) {\n server.use(...middleware)\n } else {\n server.use(middleware)\n }\n })\n }\n\n addCoreMiddleware(server, { locale: localeConfig })\n\n // Configure static serving of our webpack bundled client files.\n if (staticConfig) {\n server.use(staticConfig.public, express.static(staticConfig.path))\n }\n\n // Allow for some late additions for middleware\n if (beforeFallback.length > 0) {\n beforeFallback.forEach((middleware) => {\n if (middleware instanceof Array) {\n server.use(...middleware)\n } else {\n server.use(middleware)\n }\n })\n }\n\n // For all things which did not went well.\n addFallbackHandler(server)\n\n return server\n}\n","import dotenv from \"dotenv\"\n\n// Initialize environment configuration\ndotenv.config()\n\nexport { default as addCoreMiddleware } from \"./addCoreMiddleware\"\nexport { default as addErrorMiddleware } from 
\"./addErrorMiddleware\"\nexport { default as addFallbackHandler } from \"./addFallbackHandler\"\nexport { default as addSecurityMiddleware } from \"./addSecurityMiddleware\"\nexport { default as createExpressServer } from \"./createExpressServer\"\n"],"names":["addCoreMiddleware","server","locale","use","cookieParser","createLocaleMiddleware","replace","supported","map","entry","bodyParser","urlencoded","extended","json","compression","pretty","PrettyError","skipNodeFiles","skipPackage","addErrorMiddleware","error","request","response","next","log","render","addFallbackHandler","status","send","stack","addSecurityMiddleware","enableNonce","enableCSP","locals","nonce","uuid","disable","parameterProtection","cspConfig","env","NODE_ENV","filter","value","helmet","contentSecurityPolicy","xssFilter","frameguard","ieNoOpen","noSniff","defaultLocale","defaultStatic","createExpressServer","localeConfig","staticConfig","afterSecurity","beforeFallback","express","length","forEach","middleware","Array","path","dotenv","config"],"mappings":";;;;;;;;;;;;;;;;;;AAKe,SAASA,iBAAT,CAA2BC,MAA3B,QAA+C;MAAVC,MAAU,QAAVA,MAAU;;;SAErDC,GAAP,CAAWC,cAAX;;;SAGOD,GAAP,CACEE,uBAAuB;cACX,CAAE,OAAF,EAAW,QAAX,EAAqB,iBAArB,EAAwC,SAAxC,CADW;eAEZH,kBAAeI,OAAf,CAAuB,GAAvB,EAA4B,GAA5B,CAFY;aAGZJ,OAAOK,SAAP,CAAiBC,GAAjB,CAAqB;aAASC,MAAMH,OAAN,CAAc,GAAd,EAAmB,GAAnB,CAAT;KAArB;GAHX,CADF;;;SASOH,GAAP,CAAWO,WAAWC,UAAX,CAAsB,EAAEC,UAAU,KAAZ,EAAtB,CAAX;;;SAGOT,GAAP,CAAWO,WAAWG,IAAX,EAAX;;;SAGOV,GAAP,CAAWW,aAAX;;;ACvBF,IAAMC,SAAS,IAAIC,WAAJ,EAAf;;;AAGAD,OAAOE,aAAP;;;AAGAF,OAAOG,WAAP,CAAmB,SAAnB;;AAEA,AAAe,SAASC,kBAAT,CAA4BlB,MAA5B,EAAoC;;SAE1CE,GAAP,CAAW,UAACiB,KAAD,EAAQC,OAAR,EAAiBC,QAAjB,EAA2BC,IAA3B,EAAoC;;YAErCC,GAAR,CAAYT,OAAOU,MAAP,CAAcL,KAAd,CAAZ;;GAFF;;;ACZF;AACA,AAAe,SAASM,kBAAT,CAA4BzB,MAA5B,EAAoC;;;;;SAK1CE,GAAP,CAAW,UAACkB,OAAD,EAAUC,QAAV,EAA6B;;aAE7BK,MAAT,CAAgB,GAAhB,EAAqBC,IAArB,CAA0B,qCAA1B;GAFF;;;;;SAQOzB,GAAP,CAAW,UAACiB,KAAD,EAAQC,OAAR,EAAiBC,QAAjB,EAAoC;QACzCF,KAAJ,EAAW;;cAEDI,GAAR,CAAYJ,K
AAZ;cACQI,GAAR,CAAYJ,MAAMS,KAAlB;;;aAGOF,MAAT,CAAgB,GAAhB,EAAqBC,IAArB,CAA0B,sCAA1B;GAPF;;;ACVa,SAASE,qBAAT,CAA+B7B,MAA/B,QAAiF;8BAAxC8B,WAAwC;MAAxCA,WAAwC,oCAA1B,IAA0B;4BAApBC,SAAoB;MAApBA,SAAoB,kCAAR,IAAQ;;MAC1FD,WAAJ,EAAiB;;;;;;WAMR5B,GAAP,CAAW,UAACkB,OAAD,EAAUC,QAAV,EAAoBC,IAApB,EAA6B;eAC7BU,MAAT,CAAgBC,KAAhB,GAAwBC,MAAxB;;KADF;;;;SAOKC,OAAP,CAAe,cAAf;;;SAGOjC,GAAP,CAAWkC,qBAAX;;;;;;;;;;;;;;;;;;;;;;MAsBMC,YAAYN,YAAY;gBAChB;kBACE,CAAE,QAAF,CADF;;iBAIV;;cAAA;;;;;;;gBASGX,OAAD,EAAUC,QAAV;2BAAiCA,SAASW,MAAT,CAAgBC,KAAjD;OATF;;;cAYUK,GAAR,CAAYC,QAAZ,KAAyB,aAAzB,GAAyC,eAAzC,GAA2D,EAZ7D,EAaEC,MAbF,CAaS,UAACC,KAAD;eAAWA,UAAU,EAArB;OAbT,CAJU;;gBAmBA,CAAE,QAAF,EAAY,iBAAZ,EAA+B,OAA/B,CAnBA;cAoBF,CAAE,QAAF,EAAY,OAAZ,CApBE;eAqBD,CAAE,QAAF,EAAY,OAAZ,CArBC;;;;;;kBA2BE,CAAE,GAAF,CA3BF;;;;;gBAgCA,CAAE,QAAF;;GAjCI,GAmCd,IAnCJ;;MAqCIV,SAAJ,EAAe;WACN7B,GAAP,CAAWwC,OAAOC,qBAAP,CAA6BN,SAA7B,CAAX;;;;;;SAMKnC,GAAP,CAAWwC,OAAOE,SAAP,EAAX;;;;SAIO1C,GAAP,CAAWwC,OAAOG,UAAP,CAAkB,MAAlB,CAAX;;;;;SAKO3C,GAAP,CAAWwC,OAAOI,QAAP,EAAX;;;;;;SAMO5C,GAAP,CAAWwC,OAAOK,OAAP,EAAX;;;AC/FF,IAAMC,gBAAgB;aACX,OADW;aAET,CAAE,OAAF;CAFb;;AAKA,IAAMC,gBAAgB;YACZ,UADY;QAEd;CAFR;;AAKA,AAAe,SAASC,mBAAT,OAOZ;+BANDC,YAMC;MANDA,YAMC,qCANcH,aAMd;+BALDI,YAKC;MALDA,YAKC,qCALcH,aAKd;gCAJDI,aAIC;MAJDA,aAIC,sCAJe,EAIf;iCAHDC,cAGC;MAHDA,cAGC,uCAHgB,EAGhB;4BAFDvB,SAEC;MAFDA,SAEC,kCAFW,KAEX;8BADDD,WACC;MADDA,WACC,oCADa,KACb;;;MAEK9B,SAASuD,SAAf;;qBAEmBvD,MAAnB;wBACsBA,MAAtB,EAA8B,EAAE+B,oBAAF,EAAaD,wBAAb,EAA9B;;;MAGIuB,cAAcG,MAAd,GAAuB,CAA3B,EAA8B;kBACdC,OAAd,CAAsB,UAACC,UAAD,EAAgB;UAChCA,sBAAsBC,KAA1B,EAAiC;eACxBzD,GAAP,eAAcwD,UAAd;OADF,MAEO;eACExD,GAAP,CAAWwD,UAAX;;KAJJ;;;oBASgB1D,MAAlB,EAA0B,EAAEC,QAAQkD,YAAV,EAA1B;;;MAGIC,YAAJ,EAAkB;WACTlD,GAAP,CAAWkD,sBAAX,EAAgCG,kBAAeH,aAAaQ,IAA5B,CAAhC;;;;MAIEN,eAAeE,MAAf,GAAwB,CAA5B,EAA+B;mBACdC,OAAf,CAAuB,UAACC,UAAD,EAAgB;UACjCA,sBAAsBC,KAA1B,EAAiC;eACxBzD,GAAP,eAAcwD,UAAd;OADF,MAEO;eACExD,GAAP,CAAWwD,UAAX;;KAJJ;;;;qBAUiB1D,MAAnB;;SAEOA,MAAP;;;AC7DF;AACA6D,OAAOC,MAAP;;;;;;;;"}