@ladjs/web 16.0.3 → 17.0.1

package/index.js

@@ -38,7 +38,6 @@ const koaCash = require('koa-cash');
 const koaConnect = require('koa-connect');
 const methodOverride = require('koa-methodoverride');
 const ms = require('ms');
-const multimatch = require('multimatch');
 const ratelimit = require('@ladjs/koa-simple-ratelimit');
 const redisStore = require('koa-redis');
 const removeTrailingSlashes = require('koa-no-trailing-slash');
@@ -67,13 +66,13 @@ const reportUri = isSANB(process.env.WEB_URL)
   : null;
 
 const INVALID_TOKEN_MESSAGE = 'Invalid CSRF token.';
-const RATE_LIMIT_EXCEEDED = `Rate limit exceeded, retry in %s.`;
 
 class Web {
   // eslint-disable-next-line complexity
   constructor(config, Users) {
+    const sharedWebConfig = sharedConfig('WEB');
     this.config = {
-      ...sharedConfig('WEB'),
+      ...sharedWebConfig,
       meta: {},
       views: {
         root: path.resolve('./app/views'),
@@ -82,9 +81,23 @@ class Web {
           extension: 'pug'
         }
       },
-      csrf: {},
-      csrfIgnoredGlobs: ['/report'],
-      rateLimitIgnoredGlobs: ['/report'],
+      csrf: {
+        ...sharedWebConfig.csrf,
+        ignoredPathGlobs: ['/report'],
+        errorHandler(ctx) {
+          return ctx.throw(
+            Boom.forbidden(
+              typeof ctx.request.t === 'function'
+                ? ctx.request.t(INVALID_TOKEN_MESSAGE)
+                : INVALID_TOKEN_MESSAGE
+            )
+          );
+        }
+      },
+      rateLimit: {
+        ...sharedWebConfig.rateLimit,
+        ignoredPathGlobs: ['/report']
+      },
       sessionKeys: process.env.SESSION_KEYS
         ? process.env.SESSION_KEYS.split(',')
         : ['lad'],
@@ -242,30 +255,14 @@ class Web {
     if (this.config.auth) app.use(auth(this.config.auth));
 
     // rate limiting
-    if (this.config.rateLimit) {
-      app.use((ctx, next) => {
-        // check against ignored/whitelisted paths
-        if (
-          Array.isArray(this.config.rateLimitIgnoredGlobs) &&
-          this.config.rateLimitIgnoredGlobs.length > 0
-        ) {
-          const match = multimatch(ctx.path, this.config.rateLimitIgnoredGlobs);
-          if (Array.isArray(match) && match.length > 0) return next();
-        }
-
-        return ratelimit({
+    if (this.config.rateLimit)
+      app.use(
+        ratelimit({
           ...this.config.rateLimit,
           db: this.client,
-          logger: this.logger,
-          errorMessage(exp) {
-            const fn =
-              typeof ctx.request.t === 'function' ? ctx.request.t : util.format;
-            // NOTE: ms does not support i18n localization
-            return fn(RATE_LIMIT_EXCEEDED, ms(exp, { long: true }));
-          }
-        })(ctx, next);
-      });
-    }
+          logger: this.logger
+        })
+      );
 
     // remove trailing slashes
     app.use(removeTrailingSlashes());
@@ -365,7 +362,6 @@ class Web {
       ctx.state.ctx.pathWithoutLocale = ctx.pathWithoutLocale;
       ctx.state.ctx.query = ctx.query;
       ctx.state.ctx.sessionId = ctx.sessionId;
-      ctx.state.ctx.translate = ctx.translate;
       ctx.state.ctx.url = ctx.url;
 
       return next();
@@ -375,11 +371,11 @@ class Web {
     app.keys = this.config.sessionKeys;
     app.use(
       session({
+        ...this.config.session,
         store: redisStore({ client: this.client }),
         key: this.config.cookiesKey,
         cookie: this.config.cookies,
-        genSid: this.config.genSid,
-        ...this.config.session
+        genSid: this.config.genSid
       })
     );
 
@@ -406,30 +402,13 @@ class Web {
     if (this.config.methodOverride)
       app.use(methodOverride(...this.config.methodOverride));
 
-    // TODO: move this into `@ladjs/csrf`
     // csrf (with added localization support)
     if (this.config.csrf && process.env.NODE_ENV !== 'test') {
-      const csrf = new CSRF({
-        ...this.config.csrf,
-        invalidTokenMessage: (ctx) =>
-          typeof ctx.request.t === 'function'
-            ? ctx.request.t(INVALID_TOKEN_MESSAGE)
-            : INVALID_TOKEN_MESSAGE
-      });
+      const csrf = new CSRF(this.config.csrf);
       app.use(async (ctx, next) => {
-        // check against ignored/whitelisted redirect middleware paths
-        if (
-          Array.isArray(this.config.csrfIgnoredGlobs) &&
-          this.config.csrfIgnoredGlobs.length > 0
-        ) {
-          const match = multimatch(ctx.path, this.config.csrfIgnoredGlobs);
-          if (Array.isArray(match) && match.length > 0) return next();
-        }
-
         try {
           await csrf(ctx, next);
         } catch (err) {
-          ctx.logger.error(err);
           let error = err;
           if (err.name && err.name === 'ForbiddenError')
             error = Boom.forbidden(err.message);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ladjs/web",
   "description": "Web server for Lad",
-  "version": "16.0.3",
+  "version": "17.0.1",
   "author": "Nick Baugh <niftylettuce@gmail.com> (http://niftylettuce.com/)",
   "bugs": {
     "url": "https://github.com/ladjs/web/issues",
@@ -17,10 +17,10 @@
     "@ladjs/koa-better-static": "^2.0.1",
     "@ladjs/koa-cache-responses": "^0.0.3",
     "@ladjs/koa-isajax": "^2.0.0",
-    "@ladjs/koa-simple-ratelimit": "^3.0.0",
+    "@ladjs/koa-simple-ratelimit": "^4.0.1",
     "@ladjs/redis": "^1.0.7",
-    "@ladjs/shared-config": "^7.0.3",
-    "@ladjs/state-helper": "^2.0.1",
+    "@ladjs/shared-config": "^8.0.0",
+    "@ladjs/state-helper": "^2.0.2",
     "@ladjs/store-ip-address": "^0.0.7",
     "boolean": "^3.2.0",
     "cabin": "^9.1.2",
@@ -39,7 +39,7 @@
     "koa-compress": "^5.1.0",
     "koa-conditional-get": "^3.0.0",
     "koa-connect": "^2.1.0",
-    "koa-csrf": "^4.0.1",
+    "koa-csrf": "^5.0.1",
     "koa-etag": "^4.0.0",
     "koa-favicon": "^2.1.0",
     "koa-generic-session": "^2.3.0",
@@ -53,7 +53,6 @@
     "koa-views": "^8.0.0",
     "lodash": "^4.17.21",
     "ms": "^2.1.3",
-    "multimatch": "5",
     "request-received": "^0.0.3",
     "response-time": "^2.3.2"
   },