@reldens/server-utils 0.26.0 → 0.28.0

package/lib/app-server-factory/cors-configurer.js

@@ -17,7 +17,7 @@ class CorsConfigurer
         this.corsMethods = ['GET','POST'];
         this.corsHeaders = ['Content-Type','Authorization'];
         this.developmentCorsOrigins = [];
-        this.developmentPorts = [3000, 8080, 8081];
+        this.developmentPorts = [];
     }
 
     setup(app, config)
@@ -40,12 +40,15 @@ class CorsConfigurer
             allowedHeaders: this.corsHeaders,
             credentials: true
         };
+        if('*' === this.corsOrigin && true === corsOptions.credentials){
+            corsOptions.origin = true;
+        }
         if(this.isDevelopmentMode && 0 < this.developmentCorsOrigins.length){
             corsOptions.origin = (origin, callback) => {
                 if(!origin){
                     return callback(null, true);
                 }
-                if(-1 !== this.developmentCorsOrigins.indexOf(origin)){
+                if(-1 !== this.developmentCorsOrigins.indexOf(this.normalizeHost(origin))){
                     return callback(null, true);
                 }
                 if('*' === this.corsOrigin){
@@ -59,20 +62,32 @@ class CorsConfigurer
 
     extractDevelopmentOrigins(domainMapping)
     {
-        let origins = [];
+        let originsSet = new Set();
         let mappingKeys = Object.keys(domainMapping);
         for(let domain of mappingKeys){
-            origins.push('http://'+domain);
-            origins.push('https://'+domain);
-            if(domain.includes(':')){
+            let normalizedDomain = this.normalizeHost(domain);
+            originsSet.add('http://'+normalizedDomain);
+            originsSet.add('https://'+normalizedDomain);
+            if(-1 !== normalizedDomain.indexOf(':')){
                 continue;
             }
-            for(let port of this.developmentPorts){
-                origins.push('http://'+domain+':'+port);
-                origins.push('https://'+domain+':'+port);
+            if(0 < this.developmentPorts.length){
+                for(let port of this.developmentPorts){
+                    originsSet.add('http://'+normalizedDomain+':'+port);
+                    originsSet.add('https://'+normalizedDomain+':'+port);
+                }
             }
         }
-        return origins;
+        return Array.from(originsSet);
+    }
+
+    normalizeHost(originOrHost)
+    {
+        let normalizedHost = (''+originOrHost).toLowerCase();
+        if('/' === normalizedHost.charAt(normalizedHost.length - 1)){
+            normalizedHost = normalizedHost.substring(0, normalizedHost.length - 1);
+        }
+        return normalizedHost;
     }
 
 }

package/lib/app-server-factory/development-mode-detector.js

@@ -26,6 +26,7 @@ class DevelopmentModeDetector
             'staging.'
         ];
         this.developmentEnvironments = ['development', 'dev', 'test'];
+        this.env = process?.env?.NODE_ENV || 'production';
     }
 
     detect(config = {})
@@ -36,8 +37,7 @@ class DevelopmentModeDetector
         if(config.developmentEnvironments){
             this.developmentEnvironments = config.developmentEnvironments;
         }
-        let env = process.env.NODE_ENV;
-        if(this.developmentEnvironments.includes(env)){
+        if(this.developmentEnvironments.includes(this.env)){
             return true;
         }
         if(config.developmentDomains && 0 < config.developmentDomains.length){
@@ -49,7 +49,7 @@ class DevelopmentModeDetector
         }
         if(config.domains && 0 < config.domains.length){
             for(let domainConfig of config.domains){
-                if(!domainConfig.hostname){
+                if(!domainConfig?.hostname){
                     continue;
                 }
                 if(this.matchesPattern(domainConfig.hostname)){
@@ -62,8 +62,34 @@ class DevelopmentModeDetector
 
     matchesPattern(domain)
     {
-        for(let pattern of this.developmentPatterns){
-            if(domain.includes(pattern)){
+        if(!domain){
+            return false;
+        }
+        let d = (''+domain).toLowerCase();
+        if('localhost' === d){
+            return true;
+        }
+        if('127.0.0.1' === d){
+            return true;
+        }
+        if('::1' === d){
+            return true;
+        }
+        for(let pattern of this.developmentPatterns || []){
+            if(!pattern){
+                continue;
+            }
+            let p = (''+pattern).toLowerCase();
+            if('.' === p.charAt(0) && d.endsWith(p)){
+                return true;
+            }
+            if('.' === p.charAt(p.length - 1) && 0 === d.indexOf(p)){
+                return true;
+            }
+            if(d === p){
+                return true;
+            }
+            if(0 <= d.indexOf(p)){
                 return true;
             }
         }

package/lib/app-server-factory/protocol-enforcer.js

@@ -20,8 +20,8 @@ class ProtocolEnforcer
         this.useHttps = config.useHttps || false;
         this.enforceProtocol = config.enforceProtocol !== false;
         app.use((req, res, next) => {
-            let protocol = req.get('X-Forwarded-Proto') || req.protocol;
-            let host = req.get('host');
+            let protocol = (req.get('X-Forwarded-Proto') || req.protocol || '').toLowerCase();
+            let host = (req.get('host') || '').toLowerCase().trim();
             if(this.isDevelopmentMode){
                 res.removeHeader('Origin-Agent-Cluster');
                 res.removeHeader('Strict-Transport-Security');
@@ -29,12 +29,10 @@ class ProtocolEnforcer
                 res.set('Origin-Agent-Cluster', '?0');
                 if(this.enforceProtocol && host){
                     if(!this.useHttps && 'https' === protocol){
-                        let redirectUrl = 'http://'+host+req.url;
-                        return res.redirect(301, redirectUrl);
+                        return res.redirect(301, 'http://'+host+req.url);
                     }
                     if(this.useHttps && 'http' === protocol){
-                        let redirectUrl = 'https://'+host+req.url;
-                        return res.redirect(301, redirectUrl);
+                        return res.redirect(301, 'https://'+host+req.url);
                     }
                 }
             }

package/lib/app-server-factory/rate-limit-configurer.js

@@ -25,9 +25,9 @@ class RateLimitConfigurer
     {
         this.isDevelopmentMode = config.isDevelopmentMode || false;
         this.globalRateLimit = config.globalRateLimit || 0;
-        this.windowMs = config.windowMs || this.windowMs;
-        this.maxRequests = config.maxRequests || this.maxRequests;
-        this.developmentMultiplier = config.developmentMultiplier || this.developmentMultiplier;
+        this.windowMs = Number(config.windowMs || this.windowMs);
+        this.maxRequests = Number(config.maxRequests || this.maxRequests);
+        this.developmentMultiplier = Number(config.developmentMultiplier || this.developmentMultiplier);
         this.applyKeyGenerator = config.applyKeyGenerator || false;
         this.tooManyRequestsMessage = config.tooManyRequestsMessage || this.tooManyRequestsMessage;
         if(!this.globalRateLimit){
@@ -36,7 +36,7 @@ class RateLimitConfigurer
         let limiterParams = {
             windowMs: this.windowMs,
             limit: this.maxRequests,
-            standardHeaders: true,
+            standardHeaders: 'draft-8',
             legacyHeaders: false,
             message: this.tooManyRequestsMessage
         };
@@ -56,7 +56,7 @@ class RateLimitConfigurer
         let limiterParams = {
             windowMs: this.windowMs,
             limit: this.maxRequests,
-            standardHeaders: true,
+            standardHeaders: 'draft-8',
             legacyHeaders: false
         };
         if(this.isDevelopmentMode){

package/lib/app-server-factory/security-configurer.js

@@ -27,40 +27,48 @@ class SecurityConfigurer
         if(!this.useHelmet){
             return;
         }
-        let helmetOptions = {
+        let helmetOptions = this.setModeOptions({
             crossOriginEmbedderPolicy: false,
             crossOriginOpenerPolicy: false,
             crossOriginResourcePolicy: false,
             originAgentCluster: false
-        };
+        }, config);
+        if(this.helmetConfig){
+            Object.assign(helmetOptions, this.helmetConfig);
+        }
+        app.use(helmet(helmetOptions));
+    }
+
+    setModeOptions(helmetOptions, config)
+    {
         if(this.isDevelopmentMode){
             helmetOptions.contentSecurityPolicy = false;
             helmetOptions.hsts = false;
             helmetOptions.noSniff = false;
-        } else {
-            helmetOptions.contentSecurityPolicy = {
-                directives: {
-                    defaultSrc: ["'self'"],
-                    scriptSrc: ["'self'"],
-                    scriptSrcElem: ["'self'"],
-                    styleSrc: ["'self'", "'unsafe-inline'"],
-                    styleSrcElem: ["'self'", "'unsafe-inline'"],
-                    imgSrc: ["'self'", "data:", "https:"],
-                    fontSrc: ["'self'"],
-                    connectSrc: ["'self'"],
-                    frameAncestors: ["'none'"],
-                    baseUri: ["'self'"],
-                    formAction: ["'self'"]
-                }
-            };
-            if(config.developmentExternalDomains){
-                this.addExternalDomainsToCsp(helmetOptions.contentSecurityPolicy.directives, config.developmentExternalDomains);
-            }
+            return helmetOptions;
         }
-        if(this.helmetConfig){
-            Object.assign(helmetOptions, this.helmetConfig);
+        helmetOptions.contentSecurityPolicy = {
+            directives: {
+                defaultSrc: ["'self'"],
+                scriptSrc: ["'self'"],
+                scriptSrcElem: ["'self'"],
+                styleSrc: ["'self'", "'unsafe-inline'"],
+                styleSrcElem: ["'self'", "'unsafe-inline'"],
+                imgSrc: ["'self'", "data:", "https:"],
+                fontSrc: ["'self'"],
+                connectSrc: ["'self'"],
+                frameAncestors: ["'none'"],
+                baseUri: ["'self'"],
+                formAction: ["'self'"]
+            }
+        };
+        if(config.developmentExternalDomains){
+            this.addExternalDomainsToCsp(
+                helmetOptions.contentSecurityPolicy.directives,
+                config.developmentExternalDomains
+            );
         }
-        app.use(helmet(helmetOptions));
+        return helmetOptions;
     }
 
     addExternalDomainsToCsp(directives, externalDomains)
@@ -94,7 +102,7 @@ class SecurityConfigurer
             if(!req.body){
                 return next();
             }
-            if('object' === typeof req.body){
+            if('object' === typeof req.body && null !== req.body){
                 this.sanitizeRequestBody(req.body);
             }
             next();
@@ -103,9 +111,24 @@ class SecurityConfigurer
 
     sanitizeRequestBody(body)
     {
-        let bodyKeys = Object.keys(body);
-        for(let i = 0; i < bodyKeys.length; i++){
-            let key = bodyKeys[i];
+        if(Array.isArray(body)){
+            for(let i = 0; i < body.length; i++){
+                if('string' === typeof body[i]){
+                    body[i] = sanitizeHtml(body[i], this.sanitizeOptions);
+                    continue;
+                }
+                if('object' === typeof body[i] && null !== body[i]){
+                    this.sanitizeRequestBody(body[i]);
+                }
+            }
+            return;
+        }
+        if('object' !== typeof body || null === body){
+            return;
+        }
+        let keys = Object.keys(body);
+        for(let i = 0; i < keys.length; i++){
+            let key = keys[i];
             if('string' === typeof body[key]){
                 body[key] = sanitizeHtml(body[key], this.sanitizeOptions);
                 continue;