Initial code for plugin.

Author: mattbishop

.gitignore

@@ -0,0 +1,2 @@
+.idea
+node_modules

README.md

@@ -1,2 +1,6 @@
 # fastify-https-always
-A fastify plugin to redirect http requests to https. Useful to ensure connections utilize secure HTTP connection URLs.
+This fastify plugin recognizes http requests and either redirects to https or disallows the request. Useful to ensure connections utilize secure HTTP connection URLs. The logic is very similar to the [express-ssl](https://github.com/jclem/express-ssl) plugin. It can examine the request headers to determine if a request has been forwarded from a TLS-terminating proxy, a common deployment model.
+
+### Configuration
+
+### fastify's trustProxy

package.json

@@ -0,0 +1,41 @@
+{
+  "name": "fastify-https-always",
+  "version": "1.0.0",
+  "description": "A fastify plugin to redirect http requests to https.",
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "ts-node test/test.ts"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/mattbishop/fastify-https-always.git"
+  },
+  "keywords": [
+    "fastify",
+    "fastify-plugin",
+    "https",
+    "TLS",
+    "SSL",
+    "secure"
+  ],
+  "author": "[email protected]",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/mattbishop/fastify-https-always/issues"
+  },
+  "homepage": "https://github.com/mattbishop/fastify-https-always#readme",
+  "dependencies": {
+    "@fastify/error": "3.0.0",
+    "fastify-plugin": "^3.0.1",
+    "undici": "5.8.2"
+  },
+  "devDependencies": {
+    "@types/tape": "^4.13.2",
+    "fastify": "^3.3.0",
+    "tape": "^5.5.3",
+    "ts-node": "^10.9.1",
+    "typescript": "^4.7.4"
+  }
+}

src/index.ts

@@ -0,0 +1,85 @@
+import createError from "@fastify/error"
+import {FastifyInstance, FastifyPluginOptions, FastifyReply, FastifyRequest, HookHandlerDoneFunction} from "fastify"
+import fp from "fastify-plugin"
+
+
+export interface HttpsAlwaysOptions extends FastifyPluginOptions {
+  productionOnly: boolean
+  enabled:        boolean
+  port:           number
+  redirect:       boolean
+}
+
+
+type HttpsAlwaysContext = {
+  port:     string
+  redirect: boolean
+}
+
+
+const HTTP_REQUIRED = createError(
+  "FST_HTTPS_REQUIRED",
+  "Please use HTTPS when communicating with this server.",
+  403)
+
+function handleRequest(ctx:     HttpsAlwaysContext,
+                       request: FastifyRequest,
+                       reply:   FastifyReply,
+                       next:    HookHandlerDoneFunction) {
+  const {
+    port,
+    redirect
+  } = ctx
+
+  const {
+    hostname,
+    protocol,
+    url
+  } = request
+
+
+  if (protocol !== "https") {
+    if (redirect) {
+      const portIdx = hostname.lastIndexOf(":")
+      const host = portIdx > 0 ? hostname.substring(0, portIdx) : hostname
+      const httpsUrl = `https://${host}${port}${url}`
+      reply.redirect(301, httpsUrl)
+    } else {
+      next(HTTP_REQUIRED())
+      return
+    }
+  }
+
+  next()
+}
+
+
+function plugin(fastify:  FastifyInstance,
+                opts:     HttpsAlwaysOptions,
+                next:     () => void) {
+  const {
+    enabled        = true,
+    productionOnly = true,
+    port,
+    redirect       = true,
+  } = opts
+
+  if (enabled) {
+    const inProd = process.env.NODE_ENV === "production"
+    if (!productionOnly || (productionOnly && inProd)) {
+      const ctx: HttpsAlwaysContext = {
+        redirect,
+        port: port ? `:${port}` : ""
+      }
+      fastify.addHook("onRequest", (q, p, d) => handleRequest(ctx, q, p, d))
+    }
+  }
+
+  next()
+}
+
+
+export default fp(plugin, {
+  name:     "fastify-https-always",
+  fastify:  ">=3.x"
+})

test/test.ts

@@ -0,0 +1,90 @@
+import test from "tape"
+import Fastify from "fastify"
+import {fetch} from "undici"
+import httpsAlwaysPlugin, {HttpsAlwaysOptions} from "../src"
+
+
+
+// self-signed testing cert
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"
+
+const URL = "/a/url"
+
+test("default options for both fastify and https-always", async (t) => {
+  process.env.NODE_ENV = "production"
+  const http = Fastify()
+  const https = Fastify({
+    https: {
+      key:  httpsKey,
+      cert: httpsCert
+    }
+  })
+  http.register(httpsAlwaysPlugin)
+  https.register(httpsAlwaysPlugin)
+
+  await http.listen({port: 3080})
+  await https.listen({port: 3443})
+  await http.ready()
+  await https.ready()
+
+  t.plan(3)
+  let result = await fetch(`http://localhost:3080${URL}`, {
+    redirect: "manual"
+/*
+    headers: {
+      "x-forwarded-proto": "https",
+      "x-forwarded-host": "localhost:3443"
+    }
+*/
+  })
+  t.equal(result.status, 301, "http Permanently Moved")
+  t.equal(result.headers.get("location"), `https://localhost${URL}`, "Location is https with no port")
+
+  result = await fetch("https://localhost:3443/")
+  t.equal(result.status, 404, "https Not Found")
+
+  await http.close()
+  await https.close()
+})
+
+// test trustProxy
+
+// test each default
+
+
+
+const httpsKey = `-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMIiJAhpsXD5D/+5
+owjvdgez8Nqm0KLIkld/nVNwzWAVnY12IhkC7hioqRRQCHhPNFElpGVBz3wLWWCj
++koq69yuYiPZljmcBYK/r5JGwG+FFeVVqHjGNAVEbRH6Zvaz3aEqLyOj9wT/F5pJ
+BtIPZC1IgTrOw3xS2TjwN/FqL++HAgMBAAECgYAKOnxFiTQVLLpAEgraBKvmWf+9
+tX5WpVS4kXu7krzvbBQiCPBg+vuKhxBphpH7rMin4eDYiPAirAJoihs83ygQIA4B
+194dSD1irNBJy62Po4IXA8f0tLCESk1V+bfLBC0RsyIqGOFI5yCj3VRYPEGAYHYY
+DprEE2JOhBgjRacneQJBAOAsK26Pknp/OXZSs9FqCOHeZPdA95XkQ+gNChCyzbkk
+a9VIVsKlDe2OUPVzEYQ3QjpddTQshboDMwYKEW+HFO0CQQDdsijp9EFjA3AxyhqW
+TXsYOjSu2MCHe1mnlEcmJMvKKA3y+YpM8NwgLOkY2BDdfRbMtvjuFSurRKUiZtw2
+rhvDAkAmR4SXGY8iuczfJposHVYs86P8EKz2fIcX/foFBfNZNR3wyqx+Cl9JfG7Y
+qvCHykPV4ZWc9ilTrS4uTtPRXpi1AkEAzc6e/NGsAecnOJGOrQmwxIUEc2z1DtEM
+Ie4dPuPZ7AnTKUVPhq3zLEuE+XNb9MIzcEhMP3mX2J8ZTh5/QKPRUQJBAM0pYbRu
+GXlfei3LnTUrSAdIRyc06i3zkWygQztYVJyRodS2vRnhwBTL5MtrgWR5ALKuaAul
+TorrsW76xKLvxec=
+-----END PRIVATE KEY-----
+`
+const httpsCert = `-----BEGIN CERTIFICATE-----
+MIICtjCCAh8CFET/HQXpZC6h7CyE2IgC/edV8gsZMA0GCSqGSIb3DQEBCwUAMIGY
+MQswCQYDVQQGEwJDQTEZMBcGA1UECAwQQnJpdGlzaCBDb2x1bWJpYTESMBAGA1UE
+BwwJVmFuY291dmVyMR0wGwYDVQQKDBRmYXN0aWZ5LWh0dHBzLWFsd2F5czE7MDkG
+A1UEAwwyaHR0cHM6Ly9naXRodWIuY29tL21hdHRiaXNob3AvZmFzdGlmeS1odHRw
+cy1hbHdheXMwIBcNMjIwODE0MjE1OTU4WhgPMjI5NjA1MjgyMTU5NThaMIGYMQsw
+CQYDVQQGEwJDQTEZMBcGA1UECAwQQnJpdGlzaCBDb2x1bWJpYTESMBAGA1UEBwwJ
+VmFuY291dmVyMR0wGwYDVQQKDBRmYXN0aWZ5LWh0dHBzLWFsd2F5czE7MDkGA1UE
+AwwyaHR0cHM6Ly9naXRodWIuY29tL21hdHRiaXNob3AvZmFzdGlmeS1odHRwcy1h
+bHdheXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMIiJAhpsXD5D/+5owjv
+dgez8Nqm0KLIkld/nVNwzWAVnY12IhkC7hioqRRQCHhPNFElpGVBz3wLWWCj+koq
+69yuYiPZljmcBYK/r5JGwG+FFeVVqHjGNAVEbRH6Zvaz3aEqLyOj9wT/F5pJBtIP
+ZC1IgTrOw3xS2TjwN/FqL++HAgMBAAEwDQYJKoZIhvcNAQELBQADgYEAu588Rxko
+Y994JB9IowC5AWzFLSTm4fzp80JQc1Bv9IapeFxvBucumYEDmQN/opOEcBmzYqRb
+iCBkNwSchMbPKWdD0oCU0lIA5CC3jGfKPyFUaFS7RDtDE9GjKHf9iexFxPMNBR3a
+kjYW4mD0WOKNcXVIvYfRYtYimf0lyE0Fn9k=
+-----END CERTIFICATE-----
+`

tsconfig.json

@@ -0,0 +1,75 @@
+{
+  "compilerOptions": {
+    /* Visit https://aka.ms/tsconfig.json to read more about this file */
+
+    /* Basic Options */
+    // "incremental": true,                         /* Enable incremental compilation */
+    "target": "es2015",                             /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019', 'ES2020', 'ES2021', or 'ESNEXT'. */
+    "module": "commonjs",                           /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', 'es2020', or 'ESNext'. */
+    // "lib": [],                                   /* Specify library files to be included in the compilation. */
+    // "allowJs": true,                             /* Allow javascript files to be compiled. */
+    // "checkJs": true,                             /* Report errors in .js files. */
+    // "jsx": "preserve",                           /* Specify JSX code generation: 'preserve', 'react-native', 'react', 'react-jsx' or 'react-jsxdev'. */
+    "declaration": true,                            /* Generates corresponding '.d.ts' file. */
+    // "declarationMap": true,                      /* Generates a sourcemap for each corresponding '.d.ts' file. */
+    // "sourceMap": true,                           /* Generates corresponding '.map' file. */
+    // "outFile": "./",                             /* Concatenate and emit output to single file. */
+    "outDir": "./lib",                              /* Redirect output structure to the directory. */
+    // "rootDir": "./",                             /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
+    // "composite": true,                           /* Enable project compilation */
+    // "tsBuildInfoFile": "./",                     /* Specify file to store incremental compilation information */
+    // "removeComments": true,                      /* Do not emit comments to output. */
+    // "noEmit": true,                              /* Do not emit outputs. */
+    // "importHelpers": true,                       /* Import emit helpers from 'tslib'. */
+    // "downlevelIteration": true,                  /* Provide full support for iterables in 'for-of', spread, and destructuring when targeting 'ES5' or 'ES3'. */
+    // "isolatedModules": true,                     /* Transpile each file as a separate module (similar to 'ts.transpileModule'). */
+
+    /* Strict Type-Checking Options */
+    "strict": true,                                 /* Enable all strict type-checking options. */
+    // "noImplicitAny": true,                       /* Raise error on expressions and declarations with an implied 'any' type. */
+    // "strictNullChecks": true,                    /* Enable strict null checks. */
+    // "strictFunctionTypes": true,                 /* Enable strict checking of function types. */
+    // "strictBindCallApply": true,                 /* Enable strict 'bind', 'call', and 'apply' methods on functions. */
+    // "strictPropertyInitialization": true,        /* Enable strict checking of property initialization in classes. */
+    // "noImplicitThis": true,                      /* Raise error on 'this' expressions with an implied 'any' type. */
+    // "alwaysStrict": true,                        /* Parse in strict mode and emit "use strict" for each source file. */
+
+    /* Additional Checks */
+    // "noUnusedLocals": true,                      /* Report errors on unused locals. */
+    // "noUnusedParameters": true,                  /* Report errors on unused parameters. */
+    // "noImplicitReturns": true,                   /* Report error when not all code paths in function return a value. */
+    // "noFallthroughCasesInSwitch": true,          /* Report errors for fallthrough cases in switch statement. */
+    // "noUncheckedIndexedAccess": true,            /* Include 'undefined' in index signature results */
+    // "noImplicitOverride": true,                  /* Ensure overriding members in derived classes are marked with an 'override' modifier. */
+    // "noPropertyAccessFromIndexSignature": true,  /* Require undeclared properties from index signatures to use element accesses. */
+
+    /* Module Resolution Options */
+    // "moduleResolution": "node",                  /* Specify module resolution strategy: 'node' (Node.js) or 'classic' (TypeScript pre-1.6). */
+    // "baseUrl": "./",                             /* Base directory to resolve non-absolute module names. */
+    // "paths": {},                                 /* A series of entries which re-map imports to lookup locations relative to the 'baseUrl'. */
+    // "rootDirs": [],                              /* List of root folders whose combined content represents the structure of the project at runtime. */
+    // "typeRoots": [],                             /* List of folders to include type definitions from. */
+    // "types": [],                                 /* Type declaration files to be included in compilation. */
+    // "allowSyntheticDefaultImports": true,        /* Allow default imports from modules with no default export. This does not affect code emit, just typechecking. */
+    "esModuleInterop": true,                        /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
+    // "preserveSymlinks": true,                    /* Do not resolve the real path of symlinks. */
+    // "allowUmdGlobalAccess": true,                /* Allow accessing UMD globals from modules. */
+
+    /* Source Map Options */
+    // "sourceRoot": "",                            /* Specify the location where debugger should locate TypeScript files instead of source locations. */
+    // "mapRoot": "",                               /* Specify the location where debugger should locate map files instead of generated locations. */
+    // "inlineSourceMap": true,                     /* Emit a single file with source maps instead of having a separate file. */
+    // "inlineSources": true,                       /* Emit the source alongside the sourcemaps within a single file; requires '--inlineSourceMap' or '--sourceMap' to be set. */
+
+    /* Experimental Options */
+    // "experimentalDecorators": true,              /* Enables experimental support for ES7 decorators. */
+    // "emitDecoratorMetadata": true,               /* Enables experimental support for emitting type metadata for decorators. */
+
+    /* Advanced Options */
+    "skipLibCheck": true,                           /* Skip type checking of declaration files. */
+    "forceConsistentCasingInFileNames": true        /* Disallow inconsistently-cased references to the same file. */
+  },
+  "include": [
+    "src/**/*"
+  ]
+}