setting up and securing the routes

Author: iolufemi

app.js

@@ -24,41 +24,25 @@ if (cluster.isMaster && config.env === 'production') {
 	var express = require('express');
 	var app = express();
 	var router = require('./routes');
-    var helmet = require('helmet');
-    var client = require('redis').createClient(config.redisURL);
-    var limiter = require('express-limiter')(app, client);
+    var express_enforces_ssl = require('express-enforces-ssl');
 
     if(config.trustProxy === 'yes'){
       app.enable('trust proxy');
   }
 
+  if(config.enforceSSL === 'yes'){
+    app.use(express_enforces_ssl());
+}
 
-  app.use(helmet());
-    // no client side caching
-    if(config.noFrontendCaching === 'yes'){
-        app.use(helmet.noCache());
-    }
-
-    limiter({
-      path: '*',
-      method: 'all',
-      lookup: 'userId',
-      total: config.rateLimit * 1,
-      expire: config.rateLimitExpiry * 1,
-      onRateLimited: function (req, res, next) {
-        next({ message: 'Rate limit exceeded', statusCode: 429 });
-    }
-});
-
-    app.use('/',router);
+app.use('/',router);
 
-    if(config.env === 'production'){
-      log.info('Worker %d running!', cluster.worker.id);
-  }
+if(config.env === 'production'){
+  log.info('Worker %d running!', cluster.worker.id);
+}
 
 
-  app.listen(config.port, function () {
-      log.info('listening on port '+config.port+'!');
-  });
+app.listen(config.port, function () {
+  log.info('listening on port '+config.port+'!');
+});
 
 }

config/development.js

@@ -10,5 +10,11 @@ module.exports = {
     noFrontendCaching: process.env.NO_CACHE || 'yes',
     rateLimit: process.env.RATE_LIMIT || '180',
     rateLimitExpiry: process.env.RATE_LIMIT_EXPIRY || '3600000',
-    redisURL: process.env.REDIS_URL || 'redis://192.168.99.100:6379/1'
+    redisURL: process.env.REDIS_URL || 'redis://192.168.99.100:6379/1',
+    userVerificationEndpoint: process.env.USER_VERIFICATION_API || 'http://mockbin.org/bin/9edd4bf7-bb36-47b6-adb2-54d7a7236e80',
+    appVerificationEndpoint: process.env.APP_VERIFICATION_API || 'http://mockbin.org/bin/9edd4bf7-bb36-47b6-adb2-54d7a7236e80',
+    letsencryptSSLVerificationURL: process.env.LETSENCRYPT_VERIFICATION_URL || '/.well-known/acme-challenge/xvArhQBSilF4V30dGUagNAZ96ASipB0b0ex0kXn0za8',
+    letsencryptSSLVerificationBody: process.env.LETSENCRYPT_VERIFICATION_BODY || 'xvArhQBSilF4V30dGUagNAZ96ASipB0b0ex0kXn0za8._v6aFbaRYWeOmSebtlD-X4Ixf5tPsyULMsXM8HjsK-Q',
+    maxContentLength: process.env.MAX_CONTENT_LENGTH || '9999',
+    enforceSSL: process.env.ENFORCE_SSL || 'no'
 };

config/index.js

@@ -8,4 +8,4 @@ if(process.env.NODE_ENV === 'development'){
 	module.exports = production;
 }else{
 	module.exports = development;
-}
+}

config/production.js

@@ -10,5 +10,11 @@ module.exports = {
     noFrontendCaching: process.env.NO_CACHE || 'yes',
     rateLimit: process.env.RATE_LIMIT || '180',
     rateLimitExpiry: process.env.RATE_LIMIT_EXPIRY || '3600000',
-    redisURL: process.env.REDIS_URL || 'redis://192.168.99.100:6379/1'
+    redisURL: process.env.REDIS_URL || 'redis://192.168.99.100:6379/1',
+    userVerificationEndpoint: process.env.USER_VERIFICATION_API || 'http://mockbin.org/bin/9edd4bf7-bb36-47b6-adb2-54d7a7236e80',
+    appVerificationEndpoint: process.env.APP_VERIFICATION_API || 'http://mockbin.org/bin/9edd4bf7-bb36-47b6-adb2-54d7a7236e80',
+    letsencryptSSLVerificationURL: process.env.LETSENCRYPT_VERIFICATION_URL || '/.well-known/acme-challenge/xvArhQBSilF4V30dGUagNAZ96ASipB0b0ex0kXn0za8',
+    letsencryptSSLVerificationBody: process.env.LETSENCRYPT_VERIFICATION_BODY || 'xvArhQBSilF4V30dGUagNAZ96ASipB0b0ex0kXn0za8._v6aFbaRYWeOmSebtlD-X4Ixf5tPsyULMsXM8HjsK-Q',
+    maxContentLength: process.env.MAX_CONTENT_LENGTH || '9999',
+    enforceSSL: process.env.ENFORCE_SSL || 'no'
 };

favicon.ico

@@ -44,11 +44,15 @@
     "crypto": "0.0.3",
     "debug": "^2.6.3",
     "express": "^4.15.2",
+    "express-content-length-validator": "^1.0.0",
+    "express-enforces-ssl": "^1.1.0",
     "express-limiter": "^1.6.0",
     "express-validator": "^3.1.2",
     "helmet": "^3.6.1",
+    "hpp": "^0.2.2",
     "lodash": "^4.17.4",
     "mongoose": "^4.9.0",
+    "node-rest-client": "^3.1.0",
     "q": "^1.4.1",
     "randomstring": "^1.1.5",
     "redis": "^2.7.1",

package.json

@@ -1,20 +1,27 @@
 "use strict";
 var express = require('express');
 var router = express.Router();
-var bodyParser = require('body-parser');
 var expressValidator = require('express-validator');
-var cors = require('cors');
 var response = require('../services/response');
 var encryption = require('../services/encryption');
 var log = require('../services/logger');
 var me = require('../package.json');
 var initialize = require('./initialize');
+var config = require('../config');
+var helmet = require('helmet');
+var client = require('redis').createClient(config.redisURL);
+var limiter = require('express-limiter')(router, client);
 var _ = require('lodash');
+var bodyParser = require('body-parser');
+var cors = require('cors');
+var hpp = require('hpp');
+var contentLength = require('express-content-length-validator');
+var MAX_CONTENT_LENGTH_ACCEPTED = config.maxContentLength * 1;
 
 var allRequestData = function(req,res,next){
     var requestData = {};
-    var newRequestData = _.assignIn(requestData, req.params, req.body, req.query);
     req.param = function(key, defaultValue){
+        var newRequestData = _.assignIn(requestData, req.params, req.body, req.query);
         if(newRequestData[key]){
             return newRequestData[key];
         }else if(defaultValue){
@@ -26,49 +33,81 @@ var allRequestData = function(req,res,next){
     next();
 };
 
-var enforceUserId = function(req,res,next){
+var enforceUserIdAndAppId = function(req,res,next){
     var userId = req.param('userId');
+    var appId = req.param('appId');
     if(!userId){
         res.badRequest(false,'No userId parameter was passed in the payload of this request. Please pass a userId.');
+    }else if(!appId){
+        res.badRequest(false,'No appId parameter was passed in the payload of this request. Please pass an appId.');
     }else{
-        // Do a middleware that validates userId here. put the user service endpoint in the env var. ideally, this should be the gateway endpoint
+        // Do a middleware that validates userId and appID here. put the user service endpoint in the env var. ideally, this should be the gateway endpoint
+        // Check if this user and app is allowed on this service
+        req.userId = userId;
+        req.appId = appId;
         next();
     }
 };
 
-
+router.use(helmet());
+// no client side caching
+if(config.noFrontendCaching === 'yes'){
+    router.use(helmet.noCache());
+}
 router.use(cors());
-router.use(response);
+router.options('*', cors());
 router.use(bodyParser.urlencoded({ extended: false }));
 router.use(bodyParser.json());
 router.use(bodyParser.raw());
 router.use(bodyParser.text());
+router.use(encryption.interpreter);
+router.use(hpp());
+router.use(contentLength.validateMax({max: MAX_CONTENT_LENGTH_ACCEPTED, status: 400, message: "Stop! Maximum content length exceeded."})); // max size accepted for the content-length
 // add the param function to request object
 router.use(allRequestData);
-// Make userId compolsory in every request
-router.use(enforceUserId);
-router.use(encryption.interpreter);
-router.use(expressValidator());
 
+// API Rate limiter
+limiter({
+  path: '*',
+  method: 'all',
+  lookup: ['userId','appId'],
+  total: config.rateLimit * 1,
+  expire: config.rateLimitExpiry * 1,
+  onRateLimited: function (req, res, next) {
+    next({ message: 'Rate limit exceeded', statusCode: 429 });
+}
+});
+
+router.use(response);
+router.use(expressValidator());
 router.use(function(req,res,next){
     log.info('[TIME: '+new Date().toISOString()+'] [IP Address: '+req.ip+'] [METHOD: '+req.method+'] [URL: '+req.originalUrl+']');
     next();
 });
 
-router.options('*', cors());
-
 router.get('/', function (req, res) {
     res.ok({name: me.name, version: me.version});
 });
 
-router.get('/.well-known/acme-challenge/xvArhQBSilF4V30dGUagNAZ96ASipB0b0ex0kXn0za8', function(req,res){
-    res.send('xvArhQBSilF4V30dGUagNAZ96ASipB0b0ex0kXn0za8._v6aFbaRYWeOmSebtlD-X4Ixf5tPsyULMsXM8HjsK-Q');
+// Let's Encrypt Setup
+router.get(config.letsencryptSSLVerificationURL, function(req,res){
+    res.send(config.letsencryptSSLVerificationBody);
 });
 
-// Other routes here
-
 router.use('/', initialize);
 
+// Publicly available routes here
+// 
+// 
+
+
+// Make userId compolsory in every request
+router.use(enforceUserIdAndAppId);
+
+// Other routes here
+// 
+// 
+
 router.use(function(req, res, next) { // jshint ignore:line
     res.notFound();
 });