-
Notifications
You must be signed in to change notification settings - Fork 0
/
app.js
128 lines (105 loc) · 3.27 KB
/
app.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
const path = require('path');
const express = require('express');
const morgan = require('morgan');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');
const hpp = require('hpp');
const cookieParser = require('cookie-parser');
const compression = require('compression');
const cors = require('cors');
const AppError = require('./utils/appError');
const globalErrorHandler = require('./controllers/globalErrorHandler');
const bookingController = require('./controllers/bookingController');
const tourRouter = require('./routes/tourRoutes');
const userRouter = require('./routes/userRoutes');
const reviewRouter = require('./routes/reviewRoute');
const viewRouter = require('./routes/viewRoute');
const bookingRouter = require('./routes/bookingRoutes');
const { application } = require('express');
const app = express();
// Because heroku acts as a proxy
app.enable('trust proxy');
app.set('view engine', 'pug');
app.set('views', path.join(__dirname, 'views'));
// 1) GLOBAL MIDDLEWARES
// Implement CORS
app.use(cors());
// Access-Control-Allow-Origin *
app.options('*', cors());
// Serving static files
app.use(express.static(path.join(__dirname, 'public')));
// Set security HTTP headers
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'", 'https:', 'http:', 'data:', 'ws:'],
baseUri: ["'self'"],
fontSrc: ["'self'", 'https:', 'http:', 'data:'],
scriptSrc: ["'self'", 'https:', 'http:', 'blob:'],
styleSrc: ["'self'", 'https:', 'http:', 'unsafe-inline'],
},
})
);
// Developement Logging
if (process.env.NODE_ENV === 'development') {
app.use(morgan('dev'));
}
// Set limit--> It will allow 100 requests in 1hr from a particular IP
const limiter = rateLimit({
max: 100,
windowMs: 60 * 60 * 1000,
message: 'Too many requests from this IP, please try again in an hour!',
});
app.use('/api', limiter);
app.post(
'/webhook-checkout',
express.raw({ type: 'application/json' }),
bookingController.webhookCheckout
);
// Body parser, reading data from body into req.body
app.use(express.json({ limit: '10kb' }));
app.use(express.urlencoded({ extended: true, limit: '10kb' }));
app.use(cookieParser());
// Data sanitization against NoSQL query injection
app.use(mongoSanitize());
// Data sanitization against XSS
app.use(xss());
// Prevent parameter pollution
app.use(
hpp({
whitelist: [
'duration',
'ratingsAverage',
'ratingsQuantity',
'maxGroupSize',
'difficulty',
'price',
],
})
);
app.use(compression());
// app.use((req, res, next) => {
// console.log('Hello from the middleware 👋');
// next();
// });
// Test Middleware
app.use((req, res, next) => {
req.requestTime = new Date().toISOString();
// console.log(req.cookies.jwt);
// console.log(x); // testing
next();
});
// 3) ROUTES
app.use('/', viewRouter);
app.use('/api/v1/tours', tourRouter);
app.use('/api/v1/users', userRouter);
app.use('/api/v1/reviews', reviewRouter);
app.use('/api/v1/bookings', bookingRouter);
app.all('*', (req, res, next) => {
next(new AppError(`Can't find ${req.originalUrl} on this server`));
});
// GLOBAL ERROR HANDLING MIDLEWARE
app.use(globalErrorHandler);
module.exports = app;