@reldens/server-utils 0.18.0 → 0.20.0

package/README.md

@@ -1,22 +1,313 @@
 # Reldens - Server Utils
 
-A set of helpers for Node.js to create a server and handle files.
-
+A Node.js server toolkit providing secure application server creation, file handling, encryption, and file upload capabilities for production-ready applications.
 
 [![Reldens - GitHub - Release](https://www.dwdeveloper.com/media/reldens/reldens-mmorpg-platform.png)](https://github.com/damian-pastorini/reldens)
 
-# Reldens - Server Utils
+## Features
 
-### Features
+### AppServerFactory
+- Complete Express.js server configuration with security defaults
+- HTTPS/HTTP server creation with SSL certificate management
+- SNI (Server Name Indication) support for multi-domain hosting
+- Virtual host management with domain mapping
+- Development mode detection with appropriate configurations
+- CORS configuration with flexible origin management
+- Rate limiting with customizable thresholds
+- Security headers and XSS protection
+- Helmet integration for enhanced security
+- Protocol enforcement (HTTP to HTTPS redirection)
+- Trusted proxy configuration
+- Request parsing with size limits and validation
+- Static file serving with security headers
+- Input validation utilities
 
-- File handler.
-- Express server factory.
-- Multer uploader factory.
-- Password manager.
+### FileHandler
+- Secure file system operations with path validation
+- File and folder creation, copying, and removal
+- JSON file parsing and validation
+- File type detection based on magic numbers
+- Secure filename generation
+- Path sanitization and traversal protection
+- File permissions checking
+- Folder content listing and filtering
+- Temporary file creation
+- File quarantine functionality for security threats
+- Binary file head reading for type detection
+- Comprehensive error handling with detailed context
 
-Need something specific?
+### Encryptor
+- Password hashing using PBKDF2 with configurable iterations
+- Password validation against stored hashes
+- AES-256-GCM data encryption and decryption
+- Secure token generation with customizable length
+- TOTP (Time-based One-Time Password) generation
+- Data hashing with multiple algorithms (SHA-256, SHA-512, MD5)
+- HMAC generation and verification
+- Constant-time string comparison for security
+- Cryptographically secure random value generation
 
-[Request a feature here: https://www.reldens.com/features-request](https://www.reldens.com/features-request)
+### UploaderFactory
+- Multer-based file upload handling with security validation
+- Multiple file upload support with field mapping
+- File type validation using MIME types and extensions
+- Filename security validation and sanitization
+- File size limits and upload count restrictions
+- Secure filename generation option
+- File content validation based on magic numbers
+- Dangerous file extension filtering
+- Automatic file cleanup on validation failure
+- Custom error response handling
+- Upload destination mapping per field
+
+## Installation
+
+```bash
+npm install @reldens/server-utils
+```
+
+## Quick Start
+
+### Basic Server Setup
+
+```javascript
+const { AppServerFactory } = require('@reldens/server-utils');
+
+let appServerFactory = new AppServerFactory();
+let serverResult = appServerFactory.createAppServer({
+    port: 3000,
+    useHttps: false,
+    autoListen: true
+});
+
+if(serverResult){
+    let { app, appServer } = serverResult;
+    console.log('Server running on port 3000');
+}
+```
+
+### File Operations
+
+```javascript
+const { FileHandler } = require('@reldens/server-utils');
+
+// Read a JSON configuration file
+let config = FileHandler.fetchFileJson('/path/to/config.json');
+if(config){
+    console.log('Configuration loaded:', config);
+}
+
+// Create a folder securely
+if(FileHandler.createFolder('/path/to/new/folder')){
+    console.log('Folder created successfully');
+}
+
+// Generate a secure filename
+let secureFilename = FileHandler.generateSecureFilename('user-upload.jpg');
+console.log('Secure filename:', secureFilename);
+```
+
+### Password Encryption
+
+```javascript
+const { Encryptor } = require('@reldens/server-utils');
+
+// Hash a password
+let hashedPassword = Encryptor.encryptPassword('userPassword123');
+if(hashedPassword){
+    console.log('Password hashed:', hashedPassword);
+}
+
+// Validate password
+let isValid = Encryptor.validatePassword('userPassword123', hashedPassword);
+console.log('Password valid:', isValid);
+
+// Generate secure token
+let secureToken = Encryptor.generateSecureToken(32);
+console.log('Secure token:', secureToken);
+```
+
+### File Upload Configuration
+
+```javascript
+const { UploaderFactory } = require('@reldens/server-utils');
+
+let uploaderFactory = new UploaderFactory({
+    maxFileSize: 10 * 1024 * 1024, // 10MB
+    mimeTypes: {
+        image: ['image/jpeg', 'image/png', 'image/gif'],
+        document: ['application/pdf', 'text/plain']
+    },
+    allowedExtensions: {
+        image: ['.jpg', '.jpeg', '.png', '.gif'],
+        document: ['.pdf', '.txt']
+    },
+    applySecureFileNames: true
+});
+
+let uploader = uploaderFactory.createUploader(
+    [{ name: 'avatar' }, { name: 'document' }],
+    { avatar: '/uploads/avatars', document: '/uploads/docs' },
+    { avatar: 'image', document: 'document' }
+);
+
+// Use with Express
+app.post('/upload', uploader, (req, res) => {
+    console.log('Files uploaded:', req.files);
+    res.json({ success: true });
+});
+```
+
+## Advanced Configuration
+
+### HTTPS Server with Multiple Domains
+
+```javascript
+let appServerFactory = new AppServerFactory();
+
+appServerFactory.addDomain({
+    hostname: 'example.com',
+    keyPath: '/ssl/example.com.key',
+    certPath: '/ssl/example.com.crt',
+    aliases: ['www.example.com']
+});
+
+appServerFactory.addDomain({
+    hostname: 'api.example.com',
+    keyPath: '/ssl/api.example.com.key',
+    certPath: '/ssl/api.example.com.crt'
+});
+
+let serverResult = appServerFactory.createAppServer({
+    useHttps: true,
+    useVirtualHosts: true,
+    keyPath: '/ssl/default.key',
+    certPath: '/ssl/default.crt',
+    port: 443
+});
+```
+
+### Development Mode Configuration
+
+```javascript
+let appServerFactory = new AppServerFactory();
+
+// Add development domains
+appServerFactory.addDevelopmentDomain('localhost');
+appServerFactory.addDevelopmentDomain('dev.myapp.local');
+
+let serverResult = appServerFactory.createAppServer({
+    port: 3000,
+    corsOrigin: ['http://localhost:3000', 'http://dev.myapp.local:3000'],
+    developmentMultiplier: 5, // More lenient rate limiting in dev
+});
+```
+
+### Custom Security Configuration
+
+```javascript
+let appServerFactory = new AppServerFactory();
+
+let serverResult = appServerFactory.createAppServer({
+    useHelmet: true,
+    helmetConfig: {
+        contentSecurityPolicy: {
+            directives: {
+                defaultSrc: ["'self'"],
+                styleSrc: ["'self'", "'unsafe-inline'"],
+                scriptSrc: ["'self'"]
+            }
+        }
+    },
+    globalRateLimit: 100, // requests per window
+    windowMs: 60000, // 1 minute
+    maxRequests: 30,
+    trustedProxy: '127.0.0.1'
+});
+```
+
+## API Reference
+
+### AppServerFactory Methods
+
+- `createAppServer(config)` - Creates and configures Express server
+- `addDomain(domainConfig)` - Adds domain configuration for virtual hosting
+- `addDevelopmentDomain(domain)` - Adds development domain pattern
+- `setDomainMapping(mapping)` - Sets domain to configuration mapping
+- `enableServeHome(app, callback)` - Enables homepage serving
+- `serveStatics(app, staticPath)` - Serves static files
+- `serveStaticsPath(app, route, staticPath)` - Serves static files on specific route
+- `validateInput(input, type)` - Validates input against predefined patterns
+- `enableCSP(cspOptions)` - Enables Content Security Policy
+- `listen(port)` - Starts server listening
+- `close()` - Gracefully closes server
+
+### FileHandler Methods
+
+- `exists(path)` - Checks if file or folder exists
+- `createFolder(path)` - Creates folder with recursive option
+- `remove(path)` - Removes file or folder recursively
+- `copyFile(source, destination)` - Copies file to destination
+- `copyFolderSync(source, destination)` - Copies folder recursively
+- `readFile(path)` - Reads file contents as string
+- `writeFile(path, content)` - Writes content to file
+- `fetchFileJson(path)` - Reads and parses JSON file
+- `fetchFileContents(path)` - Reads file with validation
+- `updateFileContents(path, content)` - Updates existing file
+- `isFile(path)` - Checks if path is file
+- `isFolder(path)` - Checks if path is folder
+- `getFilesInFolder(path, extensions)` - Lists files with optional filtering
+- `validateFileType(path, type, allowedTypes, maxSize)` - Validates file type and size
+- `detectFileType(path)` - Detects MIME type from file signature
+- `generateSecureFilename(originalName)` - Generates cryptographically secure filename
+- `quarantineFile(path, reason)` - Moves file to quarantine folder
+- `createTempFile(prefix, extension)` - Creates temporary file path
+
+### Encryptor Methods
+
+- `encryptPassword(password)` - Hashes password with salt
+- `validatePassword(password, hash)` - Validates password against hash
+- `generateSecretKey()` - Generates 256-bit secret key
+- `encryptData(data, key)` - Encrypts data with AES-256-GCM
+- `decryptData(encryptedData, key)` - Decrypts AES-256-GCM data
+- `generateSecureToken(length)` - Generates base64url token
+- `generateTOTP(secret, timeStep)` - Generates time-based OTP
+- `hashData(data, algorithm)` - Hashes data with specified algorithm
+- `generateHMAC(data, secret, algorithm)` - Generates HMAC signature
+- `verifyHMAC(data, secret, signature, algorithm)` - Verifies HMAC signature
+- `constantTimeCompare(a, b)` - Performs constant-time string comparison
+
+### UploaderFactory Methods
+
+- `createUploader(fields, buckets, allowedTypes)` - Creates multer upload middleware
+- `validateFilenameSecurity(filename)` - Validates filename for security
+- `validateFile(file, allowedType, callback)` - Validates file during upload
+- `validateFileContents(file, allowedType)` - Validates file content after upload
+- `cleanupFiles(files)` - Removes uploaded files on error
+
+## Security Features
+
+### Path Traversal Protection
+All file operations include comprehensive path validation to prevent directory traversal attacks and access to system files.
+
+### Secure File Upload
+File uploads are validated at multiple levels including filename, MIME type, file extension, file size, and content validation using magic number detection.
+
+### Rate Limiting
+Configurable rate limiting with development mode detection for appropriate thresholds in different environments.
+
+### HTTPS Support
+Full SSL/TLS support with SNI for multi-domain hosting and automatic certificate management.
+
+### Input Validation
+Built-in validators for common input types including email, username, strong passwords, alphanumeric strings, and IP addresses.
+
+### Cryptographic Security
+Industry-standard encryption using PBKDF2 for passwords, AES-256-GCM for data encryption, and secure random generation for tokens.
+
+## Error Handling
+
+All methods include comprehensive error handling with detailed error objects containing context information. Errors are logged appropriately and never expose sensitive system information.
 
 ---
 
@@ -24,6 +315,9 @@ Need something specific?
 
 [https://www.reldens.com/documentation/utils/](https://www.reldens.com/documentation/utils/)
 
+Need something specific?
+
+[Request a feature here: https://www.reldens.com/features-request](https://www.reldens.com/features-request)
 
 ---
 

package/lib/app-server-factory/cors-configurer.js

@@ -0,0 +1,80 @@
+/**
+ *
+ * Reldens - CorsConfigurer
+ *
+ */
+
+const cors = require('cors');
+
+class CorsConfigurer
+{
+
+    constructor()
+    {
+        this.isDevelopmentMode = false;
+        this.useCors = true;
+        this.corsOrigin = '*';
+        this.corsMethods = ['GET','POST'];
+        this.corsHeaders = ['Content-Type','Authorization'];
+        this.developmentCorsOrigins = [];
+        this.developmentPorts = [3000, 8080, 8081];
+    }
+
+    setup(app, config)
+    {
+        this.isDevelopmentMode = config.isDevelopmentMode || false;
+        this.useCors = config.useCors !== false;
+        this.corsOrigin = config.corsOrigin || this.corsOrigin;
+        this.corsMethods = config.corsMethods || this.corsMethods;
+        this.corsHeaders = config.corsHeaders || this.corsHeaders;
+        this.developmentPorts = config.developmentPorts || this.developmentPorts;
+        if(!this.useCors){
+            return;
+        }
+        if(this.isDevelopmentMode && config.domainMapping){
+            this.developmentCorsOrigins = this.extractDevelopmentOrigins(config.domainMapping);
+        }
+        let corsOptions = {
+            origin: this.corsOrigin,
+            methods: this.corsMethods,
+            allowedHeaders: this.corsHeaders,
+            credentials: true
+        };
+        if(this.isDevelopmentMode && 0 < this.developmentCorsOrigins.length){
+            corsOptions.origin = (origin, callback) => {
+                if(!origin){
+                    return callback(null, true);
+                }
+                if(-1 !== this.developmentCorsOrigins.indexOf(origin)){
+                    return callback(null, true);
+                }
+                if('*' === this.corsOrigin){
+                    return callback(null, true);
+                }
+                return callback(null, false);
+            };
+        }
+        app.use(cors(corsOptions));
+    }
+
+    extractDevelopmentOrigins(domainMapping)
+    {
+        let origins = [];
+        let mappingKeys = Object.keys(domainMapping);
+        for(let domain of mappingKeys){
+            origins.push('http://'+domain);
+            origins.push('https://'+domain);
+            if(domain.includes(':')){
+                continue;
+            }
+            for(let port of this.developmentPorts){
+                origins.push('http://'+domain+':'+port);
+                origins.push('https://'+domain+':'+port);
+            }
+        }
+        return origins;
+    }
+
+}
+
+module.exports.CorsConfigurer = CorsConfigurer;

package/lib/app-server-factory/development-mode-detector.js

@@ -0,0 +1,75 @@
+/**
+ *
+ * Reldens - DevelopmentModeDetector
+ *
+ */
+
+class DevelopmentModeDetector
+{
+
+    constructor()
+    {
+        this.developmentPatterns = [
+            'localhost',
+            '127.0.0.1',
+            // domain ends:
+            '.local',
+            '.test',
+            '.dev',
+            '.acc',
+            '.staging',
+            // sub-domains:
+            'local.',
+            'test.',
+            'dev.',
+            'acc.',
+            'staging.'
+        ];
+        this.developmentEnvironments = ['development', 'dev', 'test'];
+    }
+
+    detect(config = {})
+    {
+        if(config.developmentPatterns){
+            this.developmentPatterns = config.developmentPatterns;
+        }
+        if(config.developmentEnvironments){
+            this.developmentEnvironments = config.developmentEnvironments;
+        }
+        let env = process.env.NODE_ENV;
+        if(this.developmentEnvironments.includes(env)){
+            return true;
+        }
+        if(config.developmentDomains && 0 < config.developmentDomains.length){
+            for(let domain of config.developmentDomains){
+                if(this.matchesPattern(domain)){
+                    return true;
+                }
+            }
+        }
+        if(config.domains && 0 < config.domains.length){
+            for(let domainConfig of config.domains){
+                if(!domainConfig.hostname){
+                    continue;
+                }
+                if(this.matchesPattern(domainConfig.hostname)){
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    matchesPattern(domain)
+    {
+        for(let pattern of this.developmentPatterns){
+            if(domain.includes(pattern)){
+                return true;
+            }
+        }
+        return false;
+    }
+
+}
+
+module.exports.DevelopmentModeDetector = DevelopmentModeDetector;

package/lib/app-server-factory/protocol-enforcer.js

@@ -0,0 +1,48 @@
+/**
+ *
+ * Reldens - ProtocolEnforcer
+ *
+ */
+
+class ProtocolEnforcer
+{
+
+    constructor()
+    {
+        this.isDevelopmentMode = false;
+        this.useHttps = false;
+        this.enforceProtocol = true;
+    }
+
+    setup(app, config)
+    {
+        this.isDevelopmentMode = config.isDevelopmentMode || false;
+        this.useHttps = config.useHttps || false;
+        this.enforceProtocol = config.enforceProtocol !== false;
+        app.use((req, res, next) => {
+            let protocol = req.get('X-Forwarded-Proto') || req.protocol;
+            let host = req.get('host');
+            if(this.isDevelopmentMode){
+                res.removeHeader('Origin-Agent-Cluster');
+                res.removeHeader('Strict-Transport-Security');
+                res.removeHeader('upgrade-insecure-requests');
+                res.set('Origin-Agent-Cluster', '?0');
+                if(this.enforceProtocol && host){
+                    if(!this.useHttps && 'https' === protocol){
+                        let redirectUrl = 'http://'+host+req.url;
+                        return res.redirect(301, redirectUrl);
+                    }
+                    if(this.useHttps && 'http' === protocol){
+                        let redirectUrl = 'https://'+host+req.url;
+                        return res.redirect(301, redirectUrl);
+                    }
+                }
+            }
+            res.set('X-Forwarded-Proto', protocol);
+            next();
+        });
+    }
+
+}
+
+module.exports.ProtocolEnforcer = ProtocolEnforcer;

package/lib/app-server-factory/rate-limit-configurer.js

@@ -0,0 +1,75 @@
+/**
+ *
+ * Reldens - RateLimitConfigurer
+ *
+ */
+
+const rateLimit = require('express-rate-limit');
+
+class RateLimitConfigurer
+{
+
+    constructor()
+    {
+        this.isDevelopmentMode = false;
+        this.globalRateLimit = 0;
+        this.windowMs = 60000;
+        this.maxRequests = 30;
+        this.developmentMultiplier = 10;
+        this.applyKeyGenerator = false;
+        this.tooManyRequestsMessage = 'Too many requests, please try again later.';
+        this.rateLimit = rateLimit;
+    }
+
+    setup(app, config)
+    {
+        this.isDevelopmentMode = config.isDevelopmentMode || false;
+        this.globalRateLimit = config.globalRateLimit || 0;
+        this.windowMs = config.windowMs || this.windowMs;
+        this.maxRequests = config.maxRequests || this.maxRequests;
+        this.developmentMultiplier = config.developmentMultiplier || this.developmentMultiplier;
+        this.applyKeyGenerator = config.applyKeyGenerator || false;
+        this.tooManyRequestsMessage = config.tooManyRequestsMessage || this.tooManyRequestsMessage;
+        if(!this.globalRateLimit){
+            return;
+        }
+        let limiterParams = {
+            windowMs: this.windowMs,
+            max: this.maxRequests,
+            standardHeaders: true,
+            legacyHeaders: false,
+            message: this.tooManyRequestsMessage
+        };
+        if(this.isDevelopmentMode){
+            limiterParams.max = this.maxRequests * this.developmentMultiplier;
+        }
+        if(this.applyKeyGenerator){
+            limiterParams.keyGenerator = function(req){
+                return req.ip;
+            };
+        }
+        app.use(this.rateLimit(limiterParams));
+    }
+
+    createHomeLimiter()
+    {
+        let limiterParams = {
+            windowMs: this.windowMs,
+            max: this.maxRequests,
+            standardHeaders: true,
+            legacyHeaders: false
+        };
+        if(this.isDevelopmentMode){
+            limiterParams.max = this.maxRequests * this.developmentMultiplier;
+        }
+        if(this.applyKeyGenerator){
+            limiterParams.keyGenerator = function(req){
+                return req.ip;
+            };
+        }
+        return this.rateLimit(limiterParams);
+    }
+
+}
+
+module.exports.RateLimitConfigurer = RateLimitConfigurer;

package/lib/app-server-factory/security-configurer.js

@@ -0,0 +1,157 @@
+/**
+ *
+ * Reldens - SecurityConfigurer
+ *
+ */
+
+const helmet = require('helmet');
+const sanitizeHtml = require('sanitize-html');
+
+class SecurityConfigurer
+{
+
+    constructor()
+    {
+        this.isDevelopmentMode = false;
+        this.useHelmet = true;
+        this.useXssProtection = true;
+        this.helmetConfig = false;
+        this.sanitizeOptions = {allowedTags: [], allowedAttributes: {}};
+    }
+
+    setupHelmet(app, config)
+    {
+        this.isDevelopmentMode = config.isDevelopmentMode || false;
+        this.useHelmet = config.useHelmet !== false;
+        this.helmetConfig = config.helmetConfig || false;
+        if(!this.useHelmet){
+            return;
+        }
+        let helmetOptions = {
+            crossOriginEmbedderPolicy: false,
+            crossOriginOpenerPolicy: false,
+            crossOriginResourcePolicy: false,
+            originAgentCluster: false
+        };
+        if(this.isDevelopmentMode){
+            helmetOptions.contentSecurityPolicy = false;
+            helmetOptions.hsts = false;
+            helmetOptions.noSniff = false;
+        } else {
+            helmetOptions.contentSecurityPolicy = {
+                directives: {
+                    defaultSrc: ["'self'"],
+                    scriptSrc: ["'self'"],
+                    scriptSrcElem: ["'self'"],
+                    styleSrc: ["'self'", "'unsafe-inline'"],
+                    styleSrcElem: ["'self'", "'unsafe-inline'"],
+                    imgSrc: ["'self'", "data:", "https:"],
+                    fontSrc: ["'self'"],
+                    connectSrc: ["'self'"],
+                    frameAncestors: ["'none'"],
+                    baseUri: ["'self'"],
+                    formAction: ["'self'"]
+                }
+            };
+            if(config.developmentExternalDomains){
+                this.addExternalDomainsToCsp(helmetOptions.contentSecurityPolicy.directives, config.developmentExternalDomains);
+            }
+        }
+        if(this.helmetConfig){
+            Object.assign(helmetOptions, this.helmetConfig);
+        }
+        app.use(helmet(helmetOptions));
+    }
+
+    addExternalDomainsToCsp(directives, externalDomains)
+    {
+        let keys = Object.keys(externalDomains);
+        for(let directiveKey of keys){
+            let domains = externalDomains[directiveKey];
+            if(!Array.isArray(domains)){
+                continue;
+            }
+            for(let domain of domains){
+                if(directives[directiveKey]){
+                    directives[directiveKey].push(domain);
+                }
+                let elemKey = directiveKey.replace('-src', '-src-elem');
+                if(directives[elemKey]){
+                    directives[elemKey].push(domain);
+                }
+            }
+        }
+    }
+
+    setupXssProtection(app, config)
+    {
+        this.useXssProtection = config.useXssProtection !== false;
+        this.sanitizeOptions = config.sanitizeOptions || this.sanitizeOptions;
+        if(!this.useXssProtection){
+            return;
+        }
+        app.use((req, res, next) => {
+            if(!req.body){
+                return next();
+            }
+            if('object' === typeof req.body){
+                this.sanitizeRequestBody(req.body);
+            }
+            next();
+        });
+    }
+
+    sanitizeRequestBody(body)
+    {
+        let bodyKeys = Object.keys(body);
+        for(let i = 0; i < bodyKeys.length; i++){
+            let key = bodyKeys[i];
+            if('string' === typeof body[key]){
+                body[key] = sanitizeHtml(body[key], this.sanitizeOptions);
+                continue;
+            }
+            if('object' === typeof body[key] && null !== body[key]){
+                this.sanitizeRequestBody(body[key]);
+            }
+        }
+    }
+
+    enableCSP(app, cspOptions)
+    {
+        let defaults = {
+            'default-src': ["'self'"],
+            'script-src': ["'self'"],
+            'style-src': ["'self'", "'unsafe-inline'"],
+            'img-src': ["'self'", "data:", "https:"],
+            'font-src': ["'self'"],
+            'connect-src': ["'self'"],
+            'frame-ancestors': ["'none'"],
+            'base-uri': ["'self'"],
+            'form-action': ["'self'"]
+        };
+        if(this.isDevelopmentMode){
+            defaults['script-src'].push("'unsafe-eval'");
+            defaults['connect-src'].push("ws:");
+            defaults['connect-src'].push("wss:");
+        }
+        let csp = Object.assign({}, defaults, cspOptions);
+        let policyString = '';
+        let keys = Object.keys(csp);
+        for(let i = 0; i < keys.length; i++){
+            let directive = keys[i];
+            let sources = csp[directive];
+            if(0 < i){
+                policyString += '; ';
+            }
+            policyString += directive + ' ' + sources.join(' ');
+        }
+        app.use((req, res, next) => {
+            res.setHeader('Content-Security-Policy', policyString);
+            next();
+        });
+        return true;
+    }
+
+}
+
+module.exports.SecurityConfigurer = SecurityConfigurer;

package/lib/app-server-factory.js

@@ -5,15 +5,16 @@
  */
 
 const { FileHandler } = require('./file-handler');
+const { DevelopmentModeDetector } = require('./app-server-factory/development-mode-detector');
+const { ProtocolEnforcer } = require('./app-server-factory/protocol-enforcer');
+const { SecurityConfigurer } = require('./app-server-factory/security-configurer');
+const { CorsConfigurer } = require('./app-server-factory/cors-configurer');
+const { RateLimitConfigurer } = require('./app-server-factory/rate-limit-configurer');
 const http = require('http');
 const https = require('https');
 const express = require('express');
 const bodyParser = require('body-parser');
 const session = require('express-session');
-const rateLimit = require('express-rate-limit');
-const cors = require('cors');
-const helmet = require('helmet');
-const sanitizeHtml = require('sanitize-html');
 
 class AppServerFactory
 {
@@ -25,7 +26,6 @@ class AppServerFactory
         this.session = session;
         this.appServer = false;
         this.app = express();
-        this.rateLimit = rateLimit;
         this.useCors = true;
         this.useExpressJson = true;
         this.useUrlencoded = true;
@@ -68,6 +68,26 @@ class AppServerFactory
                 res.set('X-Frame-Options', 'DENY');
             }
         };
+        this.isDevelopmentMode = false;
+        this.developmentDomains = [];
+        this.domainMapping = {};
+        this.enforceProtocol = true;
+        this.developmentPatterns = [
+            'localhost',
+            '127.0.0.1',
+            '.local',
+            '.test',
+            '.dev',
+            '.staging'
+        ];
+        this.developmentEnvironments = ['development', 'dev', 'test'];
+        this.developmentPorts = [3000, 8080, 8081];
+        this.developmentMultiplier = 10;
+        this.developmentModeDetector = new DevelopmentModeDetector();
+        this.protocolEnforcer = new ProtocolEnforcer();
+        this.securityConfigurer = new SecurityConfigurer();
+        this.corsConfigurer = new CorsConfigurer();
+        this.rateLimitConfigurer = new RateLimitConfigurer();
     }
 
     createAppServer(appServerConfig)
@@ -75,45 +95,104 @@ class AppServerFactory
         if(appServerConfig){
             Object.assign(this, appServerConfig);
         }
-        if(this.useHelmet){
-            this.app.use(this.helmetConfig ? helmet(this.helmetConfig) : helmet());
-        }
-        if(this.useVirtualHosts){
-            this.setupVirtualHosts();
+        this.detectDevelopmentMode();
+        this.setupDevelopmentConfiguration();
+        this.setupProtocolEnforcement();
+        this.setupSecurity();
+        this.setupVirtualHosts();
+        this.setupCors();
+        this.setupRateLimiting();
+        this.setupRequestParsing();
+        this.setupTrustedProxy();
+        this.appServer = this.createServer();
+        if(!this.appServer){
+            this.error = {message: 'Failed to create app server'};
+            return false;
         }
-        if(this.useCors){
-            let corsOptions = {
-                origin: this.corsOrigin,
-                methods: this.corsMethods,
-                allowedHeaders: this.corsHeaders
-            };
-            this.app.use(cors(corsOptions));
+        if(this.autoListen){
+            this.listen();
         }
-        if(this.globalRateLimit){
-            let limiterParams = {
-                windowMs: this.windowMs,
-                max: this.maxRequests,
-                standardHeaders: true,
-                legacyHeaders: false,
-                message: this.tooManyRequestsMessage
-            };
-            if(this.applyKeyGenerator){
-                limiterParams.keyGenerator = function(req){
-                    return req.ip;
-                };
-            }
-            this.app.use(this.rateLimit(limiterParams));
+        return {app: this.app, appServer: this.appServer};
+    }
+
+    detectDevelopmentMode()
+    {
+        this.isDevelopmentMode = this.developmentModeDetector.detect({
+            developmentPatterns: this.developmentPatterns,
+            developmentEnvironments: this.developmentEnvironments,
+            developmentDomains: this.developmentDomains,
+            domains: this.domains
+        });
+    }
+
+    setupDevelopmentConfiguration()
+    {
+        if(!this.isDevelopmentMode){
+            return;
         }
-        if(this.useXssProtection){
-            this.app.use((req, res, next) => {
-                if(!req.body){
-                    return next();
-                }
-                if('object' === typeof req.body){
-                    this.sanitizeRequestBody(req.body);
-                }
-                next();
-            });
+        this.staticOptions.setHeaders = (res, path) => {
+            res.set('X-Content-Type-Options', 'nosniff');
+            res.set('X-Frame-Options', 'SAMEORIGIN');
+            res.set('Cache-Control', 'no-cache, no-store, must-revalidate');
+            res.set('Pragma', 'no-cache');
+            res.set('Expires', '0');
+        };
+    }
+
+    setupProtocolEnforcement()
+    {
+        this.protocolEnforcer.setup(this.app, {
+            isDevelopmentMode: this.isDevelopmentMode,
+            useHttps: this.useHttps,
+            enforceProtocol: this.enforceProtocol
+        });
+    }
+
+    setupSecurity()
+    {
+        this.securityConfigurer.setupHelmet(this.app, {
+            isDevelopmentMode: this.isDevelopmentMode,
+            useHelmet: this.useHelmet,
+            helmetConfig: this.helmetConfig,
+            developmentExternalDomains: this.developmentExternalDomains
+        });
+        this.securityConfigurer.setupXssProtection(this.app, {
+            useXssProtection: this.useXssProtection,
+            sanitizeOptions: this.sanitizeOptions
+        });
+    }
+
+    setupCors()
+    {
+        this.corsConfigurer.setup(this.app, {
+            isDevelopmentMode: this.isDevelopmentMode,
+            useCors: this.useCors,
+            corsOrigin: this.corsOrigin,
+            corsMethods: this.corsMethods,
+            corsHeaders: this.corsHeaders,
+            domainMapping: this.domainMapping,
+            developmentPorts: this.developmentPorts
+        });
+    }
+
+    setupRateLimiting()
+    {
+        this.rateLimitConfigurer.setup(this.app, {
+            isDevelopmentMode: this.isDevelopmentMode,
+            globalRateLimit: this.globalRateLimit,
+            windowMs: this.windowMs,
+            maxRequests: this.maxRequests,
+            developmentMultiplier: this.developmentMultiplier,
+            applyKeyGenerator: this.applyKeyGenerator,
+            tooManyRequestsMessage: this.tooManyRequestsMessage
+        });
+    }
+
+    setupRequestParsing()
+    {
+        if(this.maxRequestSize){
+            this.jsonLimit = this.maxRequestSize;
+            this.urlencodedLimit = this.maxRequestSize;
         }
         if(this.useExpressJson){
             this.app.use(this.applicationFramework.json({
@@ -127,32 +206,12 @@ class AppServerFactory
                 limit: this.urlencodedLimit
             }));
         }
-        if('' !== this.trustedProxy){
-            this.app.enable('trust proxy', this.trustedProxy);
-        }
-        this.appServer = this.createServer();
-        if(!this.appServer){
-            this.error = {message: 'Failed to create app server'};
-            return false;
-        }
-        if(this.autoListen){
-            this.listen();
-        }
-        return {app: this.app, appServer: this.appServer};
     }
 
-    sanitizeRequestBody(body)
+    setupTrustedProxy()
     {
-        let bodyKeys = Object.keys(body);
-        for(let i = 0; i < bodyKeys.length; i++){
-            let key = bodyKeys[i];
-            if('string' === typeof body[key]){
-                body[key] = sanitizeHtml(body[key], this.sanitizeOptions);
-                continue;
-            }
-            if('object' === typeof body[key] && null !== body[key]){
-                this.sanitizeRequestBody(body[key]);
-            }
+        if('' !== this.trustedProxy){
+            this.app.enable('trust proxy', this.trustedProxy);
         }
     }
 
@@ -172,7 +231,7 @@ class AppServerFactory
 
     setupVirtualHosts()
     {
-        if(0 === this.domains.length){
+        if(!this.useVirtualHosts || 0 === this.domains.length){
             return;
         }
         this.app.use((req, res, next) => {
@@ -306,18 +365,7 @@ class AppServerFactory
 
     async enableServeHome(app, homePageLoadCallback)
     {
-        let limiterParams = {
-            windowMs: this.windowMs,
-            max: this.maxRequests,
-            standardHeaders: true,
-            legacyHeaders: false
-        };
-        if(this.applyKeyGenerator){
-            limiterParams.keyGenerator = function(req){
-                return req.ip;
-            };
-        }
-        let limiter = this.rateLimit(limiterParams);
+        let limiter = this.rateLimitConfigurer.createHomeLimiter();
         app.post('/', limiter);
         app.post('/', async (req, res, next) => {
             if('/' === req._parsedUrl.pathname){
@@ -376,6 +424,24 @@ class AppServerFactory
         return true;
     }
 
+    addDevelopmentDomain(domain)
+    {
+        if(!domain || 'string' !== typeof domain){
+            return false;
+        }
+        this.developmentDomains.push(domain);
+        return true;
+    }
+
+    setDomainMapping(mapping)
+    {
+        if(!mapping || 'object' !== typeof mapping){
+            return false;
+        }
+        this.domainMapping = mapping;
+        return true;
+    }
+
     async close()
     {
         if(!this.appServer){
@@ -386,33 +452,7 @@ class AppServerFactory
 
     enableCSP(cspOptions)
     {
-        let defaults = {
-            'default-src': ["'self'"],
-            'script-src': ["'self'"],
-            'style-src': ["'self'", "'unsafe-inline'"],
-            'img-src': ["'self'", "data:", "https:"],
-            'font-src': ["'self'"],
-            'connect-src': ["'self'"],
-            'frame-ancestors': ["'none'"],
-            'base-uri': ["'self'"],
-            'form-action': ["'self'"]
-        };
-        let csp = Object.assign({}, defaults, cspOptions);
-        let policyString = '';
-        let keys = Object.keys(csp);
-        for(let i = 0; i < keys.length; i++){
-            let directive = keys[i];
-            let sources = csp[directive];
-            if(0 < i){
-                policyString += '; ';
-            }
-            policyString += directive + ' ' + sources.join(' ');
-        }
-        this.app.use((req, res, next) => {
-            res.setHeader('Content-Security-Policy', policyString);
-            next();
-        });
-        return true;
+        return this.securityConfigurer.enableCSP(this.app, cspOptions);
     }
 
     validateInput(input, type)

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@reldens/server-utils",
     "scope": "@reldens",
-    "version": "0.18.0",
+    "version": "0.20.0",
     "description": "Reldens - Server Utils",
     "author": "Damian A. Pastorini",
     "license": "MIT",
@@ -38,10 +38,10 @@
         "body-parser": "2.2.0",
         "cors": "2.8.5",
         "express": "4.21.2",
-        "express-rate-limit": "7.5.0",
+        "express-rate-limit": "7.5.1",
         "express-session": "1.18.1",
         "helmet": "8.1.0",
-        "multer": "2.0.0",
-        "sanitize-html": "^2.17.0"
+        "multer": "2.0.1",
+        "sanitize-html": "2.17.0"
     }
 }