#11786

pending completion

Build # #11786

Build Type

push

circleci

Committed by

web-flow

Commit Message

Merge pull request #2751 from mozilla/MNTOR-1025

MNTOR-1025: csrf

Run Details

282 of 1122 branches covered (25.13%)

Branch coverage included in aggregate %.

4 of 4 new or added lines in 2 files covered. (100.0%)

959 of 3014 relevant lines covered (31.82%)

2.56 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/app.js

import express from 'express'
import session from 'express-session'
import connectRedis from 'connect-redis'
import helmet from 'helmet'
import accepts from 'accepts'
import redis from 'redis'
import cookieParser from 'cookie-parser'

import AppConstants from './app-constants.js'
import { localStorage } from './utils/local-storage.js'
import { errorHandler } from './middleware/error.js'
import { doubleCsrfProtection } from './utils/csrf.js'
import { initFluentBundles, updateLocale } from './utils/fluent.js'
import { loadBreachesIntoApp } from './utils/hibp.js'
import indexRouter from './routes/index.js'

const app = express()
const isDev = AppConstants.NODE_ENV === 'dev'

// Determine from where to serve client code/assets:
// Build script is triggered for `npm start` and assets are served from /dist.
// Build script is NOT run for `npm run dev`, assets are served from /src, and nodemon restarts server without build (faster dev).
const staticPath = process.env.npm_lifecycle_event === 'start' ? '../dist' : './client'

await initFluentBundles()

async function getRedisStore () {
  const RedisStoreConstructor = connectRedis(session)
  if (['', 'redis-mock'].includes(AppConstants.REDIS_URL)) {
    const redisMock = await import('redis-mock') // for devs without local redis
    return new RedisStoreConstructor({ client: redisMock.default.createClient() })
  }
  return new RedisStoreConstructor({ client: redis.createClient({ url: AppConstants.REDIS_URL }) })
}

// middleware
app.use(helmet())

// disable forced https to allow localhost on Safari
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      upgradeInsecureRequests: isDev ? null : []
    }
  })
)

// fallback to default 'no-referrer' only when 'strict-origin-when-cross-origin' not available
app.use(
  helmet.referrerPolicy({
    policy: ['no-referrer', 'strict-origin-when-cross-origin']
  })
)

// When a text/html request is received, negotiate and store the requested language
// Using asyncLocalStorage avoids having to pass req context down through every function (e.g. getMessage())
app.use((req, res, next) => {
  if (!req.headers.accept?.startsWith('text/html')) return next()

  localStorage.run(new Map(), () => {
    req.locale = updateLocale(accepts(req).languages())
    localStorage.getStore().set('locale', req.locale)
    next()
  })
})

// MNTOR-1009:
// Because of heroku's proxy settings, request / cookies are not persisted between calls
// Setting the trust proxy to high and securing the cookie allowed the cookie to persist
// If cookie.secure is set as true, for nodejs behind proxy, "trust proxy" needs to be set
if (AppConstants.NODE_ENV === 'heroku') {
  app.set('trust proxy', 1)
}

// session
const SESSION_DURATION_HOURS = AppConstants.SESSION_DURATION_HOURS || 48
app.use(session({
  cookie: {
    maxAge: SESSION_DURATION_HOURS * 60 * 60 * 1000, // 48 hours
    rolling: true,
    sameSite: 'lax',
    secure: !isDev
  },
  resave: false,
  saveUninitialized: true,
  secret: AppConstants.COOKIE_SECRET,
  store: await getRedisStore()
}))

// Load breaches into namespaced cache
try {
  await loadBreachesIntoApp(app)
} catch (error) {
  console.error('Error loading breaches into app.locals', error)
}

app.use(express.static(staticPath))
app.use(express.json())
app.use(cookieParser(AppConstants.COOKIE_SECRET))
app.use(doubleCsrfProtection)

// routing
app.use('/', indexRouter)
app.use(errorHandler)

// start server
app.listen(AppConstants.PORT, function () {
  console.log(`MONITOR V2: Server listening at ${this.address().port}`)
  console.log(`Static files served from ${staticPath}`)
})

1	import express from 'express'
2	import session from 'express-session'
3	import connectRedis from 'connect-redis'
4	import helmet from 'helmet'
5	import accepts from 'accepts'
6	import redis from 'redis'
7	import cookieParser from 'cookie-parser'
8
9	import AppConstants from './app-constants.js'
10	import { localStorage } from './utils/local-storage.js'
11	import { errorHandler } from './middleware/error.js'
12	import { doubleCsrfProtection } from './utils/csrf.js'
13	import { initFluentBundles, updateLocale } from './utils/fluent.js'
14	import { loadBreachesIntoApp } from './utils/hibp.js'
15	import indexRouter from './routes/index.js'
16
17	const app = express()	×
18	const isDev = AppConstants.NODE_ENV === 'dev'	×
19
20	// Determine from where to serve client code/assets:
21	// Build script is triggered for `npm start` and assets are served from /dist.
22	// Build script is NOT run for `npm run dev`, assets are served from /src, and nodemon restarts server without build (faster dev).
23	const staticPath = process.env.npm_lifecycle_event === 'start' ? '../dist' : './client'	×
24
25	await initFluentBundles()	×
26
27	async function getRedisStore () {
28	const RedisStoreConstructor = connectRedis(session)	×
29	if (['', 'redis-mock'].includes(AppConstants.REDIS_URL)) {	×
30	const redisMock = await import('redis-mock') // for devs without local redis	×
31	return new RedisStoreConstructor({ client: redisMock.default.createClient() })	×
32	}
33	return new RedisStoreConstructor({ client: redis.createClient({ url: AppConstants.REDIS_URL }) })	×
34	}
35
36	// middleware
37	app.use(helmet())	×
38
39	// disable forced https to allow localhost on Safari
40	app.use(	×
41	helmet.contentSecurityPolicy({
42	directives: {
43	upgradeInsecureRequests: isDev ? null : []	×
44	}
45	})
46	)
47
48	// fallback to default 'no-referrer' only when 'strict-origin-when-cross-origin' not available
49	app.use(	×
50	helmet.referrerPolicy({
51	policy: ['no-referrer', 'strict-origin-when-cross-origin']
52	})
53	)
54
55	// When a text/html request is received, negotiate and store the requested language
56	// Using asyncLocalStorage avoids having to pass req context down through every function (e.g. getMessage())
57	app.use((req, res, next) => {	×
58	if (!req.headers.accept?.startsWith('text/html')) return next()	×
59
60	localStorage.run(new Map(), () => {	×
61	req.locale = updateLocale(accepts(req).languages())	×
62	localStorage.getStore().set('locale', req.locale)	×
63	next()	×
64	})
65	})
66
67	// MNTOR-1009:
68	// Because of heroku's proxy settings, request / cookies are not persisted between calls
69	// Setting the trust proxy to high and securing the cookie allowed the cookie to persist
70	// If cookie.secure is set as true, for nodejs behind proxy, "trust proxy" needs to be set
71	if (AppConstants.NODE_ENV === 'heroku') {	×
72	app.set('trust proxy', 1)	×
73	}
74
75	// session
76	const SESSION_DURATION_HOURS = AppConstants.SESSION_DURATION_HOURS \|\| 48	×
77	app.use(session({	×
78	cookie: {
79	maxAge: SESSION_DURATION_HOURS * 60 * 60 * 1000, // 48 hours
80	rolling: true,
81	sameSite: 'lax',
82	secure: !isDev
83	},
84	resave: false,
85	saveUninitialized: true,
86	secret: AppConstants.COOKIE_SECRET,
87	store: await getRedisStore()
88	}))
89
90	// Load breaches into namespaced cache
91	try {	×
92	await loadBreachesIntoApp(app)	×
93	} catch (error) {
94	console.error('Error loading breaches into app.locals', error)	×
95	}
96
97	app.use(express.static(staticPath))	×
98	app.use(express.json())	×
99	app.use(cookieParser(AppConstants.COOKIE_SECRET))	×
100	app.use(doubleCsrfProtection)	×
101
102	// routing
103	app.use('/', indexRouter)	×
104	app.use(errorHandler)	×
105
106	// start server
107	app.listen(AppConstants.PORT, function () {	×
108	console.log(`MONITOR V2: Server listening at ${this.address().port}`)	×
109	console.log(`Static files served from ${staticPath}`)	×
110	})

mozilla / blurts-server / #11786

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous