@adaptivestone/framework 4.9.2 → 4.11.0

package/CHANGELOG.md

@@ -1,3 +1,14 @@
+### 4.11.0
+
+[NEW] Cors middleware
+[BREAKING] This is a potencial breaking change as we switched from cors external package to internal middleware. From API nothing was changed. This is a potencial breaking changes, but it should keep working as it
+
+### 4.10.0
+
+[UPDATE] deps update
+[NEW] Static file middleware
+[BREAKING] This is a potencial breaking change as we switched from express.static to internal middleware that provide less features but faster. From API nothing was changed
+
 ### 4.9.2
 
 [UPDATE] deps update

package/config/http.js

@@ -2,7 +2,7 @@ module.exports = {
   port: process.env.HTTP_PORT || 3300,
   hostname: process.env.HTTP_HOST || '0.0.0.0',
   // if you want to use 'all' domains please copy this file to your app
-  // and set "corsDomains: '*'" (not a mistake, string instead of array)
+  // and set "corsDomains: [/./]
   corsDomains: ['http://localhost:3000'],
   myDomain: process.env.HTTP_DOMAIN || 'http://localhost:3300',
   siteDomain: process.env.FRONT_DOMAIN || 'http://localhost:3000',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adaptivestone/framework",
-  "version": "4.9.2",
+  "version": "4.11.0",
   "description": "Adaptive stone node js framework",
   "main": "index.js",
   "engines": {
@@ -28,7 +28,6 @@
   "author": "Andrey Logunov",
   "license": "MIT",
   "dependencies": {
-    "cors": "^2.8.5",
     "deepmerge": "^4.2.2",
     "dotenv": "^16.0.0",
     "express": "^4.17.1",
@@ -38,6 +37,7 @@
     "i18next-chained-backend": "^4.0.0",
     "i18next-fs-backend": "^2.0.0",
     "juice": "^9.0.0",
+    "mime": "^3.0.0",
     "minimist": "^1.2.5",
     "mongoose": "^7.0.0",
     "nodemailer": "^6.6.3",
@@ -58,7 +58,7 @@
     "eslint-plugin-prettier": "^5.0.0",
     "eslint-plugin-vitest": "^0.3.1",
     "husky": "^8.0.0",
-    "lint-staged": "^14.0.0",
+    "lint-staged": "^15.0.0",
     "mongodb-memory-server": "^9.0.0",
     "nodemon": "^3.0.1",
     "prettier": "^3.0.0",

package/services/http/HttpServer.js

@@ -1,12 +1,13 @@
 const http = require('node:http');
 const path = require('node:path');
 const express = require('express');
-const cors = require('cors');
 
 const RequestLoggerMiddleware = require('./middleware/RequestLogger');
 const I18nMiddleware = require('./middleware/I18n');
 const PrepareAppInfoMiddleware = require('./middleware/PrepareAppInfo');
 const RequestParserMiddleware = require('./middleware/RequestParser');
+const StaticFilesMiddleware = require('./middleware/StaticFiles');
+const Cors = require('./middleware/Cors');
 
 const Base = require('../../modules/Base');
 
@@ -30,12 +31,19 @@ class HttpServer extends Base {
 
     const httpConfig = this.app.getConfig('http');
     this.express.use(
-      cors({
-        origin: httpConfig.corsDomains,
-      }),
-    ); // todo whitelist
-    this.express.use(express.static(this.app.foldersConfig.public));
-    this.express.use(express.static('./public'));
+      new Cors(this.app, {
+        origins: httpConfig.corsDomains,
+      }).getMiddleware(),
+    );
+    // todo whitelist
+    this.express.use(
+      new StaticFilesMiddleware(this.app, {
+        folders: [
+          this.app.foldersConfig.public,
+          path.join(__dirname, '../../public/files'),
+        ],
+      }).getMiddleware(),
+    );
 
     this.express.use(new RequestParserMiddleware(this.app).getMiddleware());
 

package/services/http/middleware/Cors.js

@@ -0,0 +1,44 @@
+const AbstractMiddleware = require('./AbstractMiddleware');
+
+class Cors extends AbstractMiddleware {
+  constructor(app, params) {
+    super(app);
+    this.params = params;
+    if (!Array.isArray(params?.origins) || !params.origins.length) {
+      throw new Error('Cors inited without origin config');
+    }
+  }
+
+  static get description() {
+    return 'Add CORS headers to request';
+  }
+
+  async middleware(req, res, next) {
+    if (req.method !== 'OPTIONS') {
+      // only get supported
+      return next();
+    }
+    for (const host of this.params.origins) {
+      if (
+        (typeof host === 'string' && req.headers.origin === host) ||
+        (host instanceof RegExp && host.test(req.headers.origin))
+      ) {
+        res.set('Access-Control-Allow-Origin', req.headers.origin);
+        res.set(
+          'Access-Control-Allow-Methods',
+          'GET,HEAD,PUT,PATCH,POST,DELETE',
+        );
+        res.set('Vary', 'Origin, Access-Control-Request-Headers');
+
+        const allowedHeaders = req.headers['access-control-request-headers'];
+        if (allowedHeaders) {
+          res.set('Access-Control-Allow-Headers', allowedHeaders);
+        }
+        return res.end();
+      }
+    }
+    return next();
+  }
+}
+
+module.exports = Cors;

package/services/http/middleware/Cors.test.js

@@ -0,0 +1,135 @@
+import { describe, it, expect } from 'vitest';
+import Cors from './Cors';
+
+describe('cors middleware methods', () => {
+  it('have description fields', async () => {
+    expect.assertions(1);
+    const middleware = new Cors(global.server.app, { origins: ['something'] });
+    expect(middleware.constructor.description).toBeDefined();
+  });
+
+  it('should throw without origns', async () => {
+    expect.assertions(1);
+    expect(() => new Cors(global.server.app)).toThrow();
+  });
+
+  it('should throw with empty options', async () => {
+    expect.assertions(1);
+    expect(() => new Cors(global.server.app, {})).toThrow();
+  });
+
+  it('should throw with empty origins', async () => {
+    expect.assertions(1);
+    expect(() => new Cors(global.server.app, { origins: [] })).toThrow();
+  });
+
+  it('should throw with empty origins not array', async () => {
+    expect.assertions(1);
+    expect(() => new Cors(global.server.app, { origins: 'origins' })).toThrow();
+  });
+
+  it('non options should be ignored', async () => {
+    expect.assertions(1);
+    let isCalled = false;
+    const nextFunction = () => {
+      isCalled = true;
+    };
+    const req = {
+      method: 'GET',
+    };
+    const middleware = new Cors(global.server.app, {
+      origins: ['something'],
+    });
+
+    await middleware.middleware(req, {}, nextFunction);
+    expect(isCalled).toBeTruthy();
+  });
+
+  it('host the not match origin', async () => {
+    expect.assertions(1);
+    let isCalled = false;
+    const nextFunction = () => {
+      isCalled = true;
+    };
+    const req = {
+      method: 'OPTIONS',
+      headers: { origin: 'http://anotherDomain.com' },
+    };
+    const middleware = new Cors(global.server.app, {
+      origins: ['https://localhost'],
+    });
+
+    await middleware.middleware(req, {}, nextFunction);
+    expect(isCalled).toBeTruthy();
+  });
+
+  it('string domain match', async () => {
+    expect.assertions(5);
+    let isEndCalled = false;
+    const map = new Map();
+    const req = {
+      method: 'OPTIONS',
+      headers: {
+        origin: 'https://localhost',
+        'access-control-request-headers': 'someAccessControlRequestHeaders',
+      },
+    };
+    const res = {
+      set: (key, val) => {
+        map.set(key, val);
+      },
+      end: () => {
+        isEndCalled = true;
+      },
+    };
+    const middleware = new Cors(global.server.app, {
+      origins: ['https://localhost'],
+    });
+
+    await middleware.middleware(req, res);
+    expect(isEndCalled).toBeTruthy();
+    expect(map.get('Vary')).toBe('Origin, Access-Control-Request-Headers');
+    expect(map.get('Access-Control-Allow-Headers')).toBe(
+      'someAccessControlRequestHeaders',
+    );
+    expect(map.get('Access-Control-Allow-Origin')).toBe('https://localhost');
+    expect(map.get('Access-Control-Allow-Methods')).toBe(
+      'GET,HEAD,PUT,PATCH,POST,DELETE',
+    );
+  });
+
+  it('regexp domain match', async () => {
+    expect.assertions(5);
+    let isEndCalled = false;
+    const map = new Map();
+    const req = {
+      method: 'OPTIONS',
+      headers: {
+        origin: 'https://localhost',
+        'access-control-request-headers': 'someAccessControlRequestHeaders',
+      },
+    };
+    const res = {
+      set: (key, val) => {
+        map.set(key, val);
+      },
+      end: () => {
+        isEndCalled = true;
+      },
+    };
+    const middleware = new Cors(global.server.app, {
+      origins: [/./],
+    });
+
+    await middleware.middleware(req, res);
+    expect(isEndCalled).toBeTruthy();
+    expect(map.get('Vary')).toBe('Origin, Access-Control-Request-Headers');
+    expect(map.get('Access-Control-Allow-Headers')).toBe(
+      'someAccessControlRequestHeaders',
+    );
+    expect(map.get('Access-Control-Allow-Origin')).toBe('https://localhost');
+    expect(map.get('Access-Control-Allow-Methods')).toBe(
+      'GET,HEAD,PUT,PATCH,POST,DELETE',
+    );
+  });
+});

package/services/http/middleware/GetUserByToken.js

@@ -23,7 +23,7 @@ class GetUserByToken extends AbstractMiddleware {
     }
     let { token } = req.body;
     this.logger.verbose(
-      `GetUserByToken token in BODY ${token}. Token if Authorization header ${req.get(
+      `GetUserByToken token in BODY ${token}. Token in Authorization header ${req.get(
         'Authorization',
       )}`,
     );

package/services/http/middleware/GetUserByToken.test.js

@@ -0,0 +1,108 @@
+import { describe, it, expect } from 'vitest';
+import GetUserByToken from './GetUserByToken';
+
+describe('getUserByToken middleware methods', () => {
+  it('have description fields', async () => {
+    expect.assertions(1);
+    const middleware = new GetUserByToken(global.server.app);
+    expect(middleware.constructor.description).toBeDefined();
+  });
+
+  it('have description usedAuthParameters', async () => {
+    expect.assertions(2);
+    const middleware = new GetUserByToken(global.server.app);
+    const params = middleware.usedAuthParameters;
+    expect(params).toHaveLength(1);
+    expect(params[0].name).toBe('Authorization');
+  });
+
+  it('should not called twice', async () => {
+    expect.assertions(1);
+    const middleware = new GetUserByToken(global.server.app);
+    let isCalled = false;
+    const nextFunction = () => {
+      isCalled = true;
+    };
+    const req = {
+      appInfo: {
+        user: {},
+      },
+    };
+    await middleware.middleware(req, {}, nextFunction);
+    expect(isCalled).toBeTruthy();
+  });
+
+  it('should not getuser without token', async () => {
+    expect.assertions(1);
+    const middleware = new GetUserByToken(global.server.app);
+    let isCalled = false;
+    const nextFunction = () => {
+      isCalled = true;
+    };
+    const req = {
+      appInfo: {},
+      body: {},
+      get: () => {},
+    };
+
+    await middleware.middleware(req, {}, nextFunction);
+    expect(isCalled).toBeTruthy();
+  });
+
+  it('should not getuser with a wrong token', async () => {
+    expect.assertions(2);
+    const middleware = new GetUserByToken(global.server.app);
+    let isCalled = false;
+    const nextFunction = () => {
+      isCalled = true;
+    };
+    const req = {
+      appInfo: {},
+      body: {
+        token: 'fake',
+      },
+      get: () => {},
+    };
+    await middleware.middleware(req, {}, nextFunction);
+    expect(isCalled).toBeTruthy();
+    expect(req.appInfo.user).toBeUndefined();
+  });
+
+  it('should not getuser with a good token in body', async () => {
+    expect.assertions(2);
+    const middleware = new GetUserByToken(global.server.app);
+    let isCalled = false;
+    const nextFunction = () => {
+      isCalled = true;
+    };
+    const req = {
+      appInfo: {},
+      body: {
+        token: global.authToken.token,
+      },
+      get: () => {},
+    };
+
+    await middleware.middleware(req, {}, nextFunction);
+    expect(isCalled).toBeTruthy();
+    expect(req.appInfo.user).toBeDefined();
+  });
+
+  it('should not getuser with a good token in header', async () => {
+    expect.assertions(2);
+    const middleware = new GetUserByToken(global.server.app);
+    let isCalled = false;
+    const nextFunction = () => {
+      isCalled = true;
+    };
+    const req = {
+      appInfo: {},
+      body: {},
+      get: () => global.authToken.token,
+    };
+
+    await middleware.middleware(req, {}, nextFunction);
+    expect(isCalled).toBeTruthy();
+    expect(req.appInfo.user).toBeDefined();
+  });
+});

package/services/http/middleware/StaticFiles.js

@@ -0,0 +1,60 @@
+const fsPromises = require('node:fs/promises');
+const fs = require('node:fs');
+const path = require('node:path');
+const mime = require('mime');
+
+const AbstractMiddleware = require('./AbstractMiddleware');
+/**
+ * Middleware for static files
+ */
+class StaticFiles extends AbstractMiddleware {
+  constructor(app, params) {
+    super(app);
+    this.params = params;
+    if (!params || !params.folders || !params.folders.length) {
+      throw new Error('StaticFiles inited without folders config');
+    }
+  }
+
+  static get description() {
+    return 'Static file server middleware. Host you static files from public foolder. Mostly for dev.';
+  }
+
+  async middleware(req, res, next) {
+    if (req.method !== 'GET') {
+      // only get supported
+      return next();
+    }
+    const { folders } = this.params;
+
+    const promises = [];
+
+    for (const f of folders) {
+      const filePath = path.join(f, req.url);
+      promises.push(
+        fsPromises
+          .stat(filePath)
+          .catch(() => {
+            // nothing there, file just not exists
+          })
+          .then((stats) => ({ stats, file: filePath })),
+      );
+    }
+
+    const fileStats = await Promise.all(promises);
+
+    for (const fileStat of fileStats) {
+      if (fileStat.stats && fileStat.stats.isFile()) {
+        const contentType = mime.getType(fileStat.file);
+        const fileStream = fs.createReadStream(fileStat.file);
+        res.set('Content-Type', contentType);
+        fileStream.pipe(res);
+        return null;
+      }
+    }
+
+    return next();
+  }
+}
+
+module.exports = StaticFiles;