#12229

pending completion

Build # #12229

Build Type

push

circleci

Committed by

web-flow

Commit Message

Merge pull request #2803 from mozilla/MNTOR-1115

MNTOR-1115: add sentry to v2

Run Details

282 of 1329 branches covered (21.22%)

Branch coverage included in aggregate %.

20 of 20 new or added lines in 5 files covered. (100.0%)

959 of 3531 relevant lines covered (27.16%)

2.21 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/app.js

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

import express from 'express'
import session from 'express-session'
import connectRedis from 'connect-redis'
import helmet from 'helmet'
import accepts from 'accepts'
import redis from 'redis'
import cookieParser from 'cookie-parser'
import rateLimit from 'express-rate-limit'
import Sentry from '@sentry/node'
import '@sentry/tracing'

import AppConstants from './app-constants.js'
import { localStorage } from './utils/local-storage.js'
import { errorHandler } from './middleware/error.js'
import { doubleCsrfProtection } from './utils/csrf.js'
import { initFluentBundles, updateLocale, getMessageWithLocale, getMessage } from './utils/fluent.js'
import { loadBreachesIntoApp } from './utils/hibp.js'
import { RateLimitError } from './utils/error.js'
import { initEmail } from './utils/email.js'
import indexRouter from './routes/index.js'

const app = express()
const isDev = AppConstants.NODE_ENV === 'dev'

// init sentry
Sentry.init({
  dsn: AppConstants.SENTRY_DSN,
  environment: AppConstants.NODE_ENV,
  debug: isDev,
  beforeSend (event, hint) {
    if (!hint.originalException.locales || hint.originalException.locales[0] === 'en') return event // return if no localization or localization is in english

    // try to force an english translation for the error message if localized
    if (hint.originalException.fluentID) {
      event.exception.values[0].value = getMessageWithLocale(hint.originalException.fluentID, 'en') || getMessage(hint.originalException.fluentID)
    }

    return event
  }
})

// Determine from where to serve client code/assets:
// Build script is triggered for `npm start` and assets are served from /dist.
// Build script is NOT run for `npm run dev`, assets are served from /src, and nodemon restarts server without build (faster dev).
const staticPath =
  process.env.npm_lifecycle_event === 'start' ? '../dist' : './client'

await initFluentBundles()

async function getRedisStore () {
  const RedisStoreConstructor = connectRedis(session)
  if (['', 'redis-mock'].includes(AppConstants.REDIS_URL)) {
    const redisMock = await import('redis-mock') // for devs without local redis
    return new RedisStoreConstructor({
      client: redisMock.default.createClient()
    })
  }
  return new RedisStoreConstructor({
    client: redis.createClient({ url: AppConstants.REDIS_URL })
  })
}

// middleware
app.use(
  helmet({
    crossOriginEmbedderPolicy: false
  })
)

app.use(
  Sentry.Handlers.requestHandler({
    request: ['headers', 'method', 'url'], // omit cookies, data, query_string
    user: ['id'] // omit username, email
  })
)

const imgSrc = [
  "'self'"
]

if (AppConstants.FXA_ENABLED) {
  const fxaSrc = new URL(AppConstants.OAUTH_PROFILE_URI).origin
  imgSrc.push(fxaSrc)
}

// disable forced https to allow localhost on Safari
app.use(
  helmet.contentSecurityPolicy({
    directives: {
      imgSrc,
      upgradeInsecureRequests: isDev ? null : []
    }
  })
)

// fallback to default 'no-referrer' only when 'strict-origin-when-cross-origin' not available
app.use(
  helmet.referrerPolicy({
    policy: ['no-referrer', 'strict-origin-when-cross-origin']
  })
)

// When a text/html request is received, negotiate and store the requested language
// Using asyncLocalStorage avoids having to pass req context down through every function (e.g. getMessage())
app.use((req, res, next) => {
  if (!req.headers.accept?.startsWith('text/html')) return next()

  localStorage.run(new Map(), () => {
    req.locale = updateLocale(accepts(req).languages())
    localStorage.getStore().set('locale', req.locale)
    next()
  })
})

// MNTOR-1009, 1117:
// Because of proxy settings, request / cookies are not persisted between calls
// Setting the trust proxy to high and securing the cookie allowed the cookie to persist
// If cookie.secure is set as true, for nodejs behind proxy, "trust proxy" needs to be set
app.set('trust proxy', 1)

// session
const SESSION_DURATION_HOURS = AppConstants.SESSION_DURATION_HOURS || 48
app.use(
  session({
    cookie: {
      maxAge: SESSION_DURATION_HOURS * 60 * 60 * 1000, // 48 hours
      rolling: true,
      sameSite: 'lax',
      secure: !isDev
    },
    resave: false,
    saveUninitialized: true,
    secret: AppConstants.COOKIE_SECRET,
    store: await getRedisStore()
  })
)

// Load breaches into namespaced cache
try {
  await loadBreachesIntoApp(app)
} catch (error) {
  console.error('Error loading breaches into app.locals', error)
}

app.use(express.static(staticPath))
app.use(express.json())
app.use(cookieParser(AppConstants.COOKIE_SECRET))
app.use(doubleCsrfProtection)

const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
  legacyHeaders: false // Disable the `X-RateLimit-*` headers
})

app.use('/api', apiLimiter)

// routing
app.use('/', indexRouter)

// sentry error handler
app.use(Sentry.Handlers.errorHandler({
  shouldHandleError (error) {
    if (error instanceof RateLimitError) return true
  }
}))

// app error handler
app.use(errorHandler)

app.listen(AppConstants.PORT, async function () {
  console.info(`MONITOR V2: Server listening at ${this.address().port}`)
  console.info(`Static files served from ${staticPath}`)
  try {
    await initEmail()
    console.info('Email initialized')
  } catch (ex) {
    console.error('try-initialize-email-error', { ex })
  }
})

1	/* This Source Code Form is subject to the terms of the Mozilla Public
2	* License, v. 2.0. If a copy of the MPL was not distributed with this
3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5	import express from 'express'
6	import session from 'express-session'
7	import connectRedis from 'connect-redis'
8	import helmet from 'helmet'
9	import accepts from 'accepts'
10	import redis from 'redis'
11	import cookieParser from 'cookie-parser'
12	import rateLimit from 'express-rate-limit'
13	import Sentry from '@sentry/node'
14	import '@sentry/tracing'
15
16	import AppConstants from './app-constants.js'
17	import { localStorage } from './utils/local-storage.js'
18	import { errorHandler } from './middleware/error.js'
19	import { doubleCsrfProtection } from './utils/csrf.js'
20	import { initFluentBundles, updateLocale, getMessageWithLocale, getMessage } from './utils/fluent.js'
21	import { loadBreachesIntoApp } from './utils/hibp.js'
22	import { RateLimitError } from './utils/error.js'
23	import { initEmail } from './utils/email.js'
24	import indexRouter from './routes/index.js'
25
26	const app = express()	×
27	const isDev = AppConstants.NODE_ENV === 'dev'	×
28
29	// init sentry
30	Sentry.init({	×
31	dsn: AppConstants.SENTRY_DSN,
32	environment: AppConstants.NODE_ENV,
33	debug: isDev,
34	beforeSend (event, hint) {
35	if (!hint.originalException.locales \|\| hint.originalException.locales[0] === 'en') return event // return if no localization or localization is in english	×
36
37	// try to force an english translation for the error message if localized
38	if (hint.originalException.fluentID) {	×
39	event.exception.values[0].value = getMessageWithLocale(hint.originalException.fluentID, 'en') \|\| getMessage(hint.originalException.fluentID)	×
40	}
41
42	return event	×
43	}
44	})
45
46	// Determine from where to serve client code/assets:
47	// Build script is triggered for `npm start` and assets are served from /dist.
48	// Build script is NOT run for `npm run dev`, assets are served from /src, and nodemon restarts server without build (faster dev).
49	const staticPath =
50	process.env.npm_lifecycle_event === 'start' ? '../dist' : './client'	×
51
52	await initFluentBundles()	×
53
54	async function getRedisStore () {
55	const RedisStoreConstructor = connectRedis(session)	×
56	if (['', 'redis-mock'].includes(AppConstants.REDIS_URL)) {	×
57	const redisMock = await import('redis-mock') // for devs without local redis	×
58	return new RedisStoreConstructor({	×
59	client: redisMock.default.createClient()
60	})
61	}
62	return new RedisStoreConstructor({	×
63	client: redis.createClient({ url: AppConstants.REDIS_URL })
64	})
65	}
66
67	// middleware
68	app.use(	×
69	helmet({
70	crossOriginEmbedderPolicy: false
71	})
72	)
73
74	app.use(	×
75	Sentry.Handlers.requestHandler({
76	request: ['headers', 'method', 'url'], // omit cookies, data, query_string
77	user: ['id'] // omit username, email
78	})
79	)
80
81	const imgSrc = [	×
82	"'self'"
83	]
84
85	if (AppConstants.FXA_ENABLED) {	×
86	const fxaSrc = new URL(AppConstants.OAUTH_PROFILE_URI).origin	×
87	imgSrc.push(fxaSrc)	×
88	}
89
90	// disable forced https to allow localhost on Safari
91	app.use(	×
92	helmet.contentSecurityPolicy({
93	directives: {
94	imgSrc,
95	upgradeInsecureRequests: isDev ? null : []	×
96	}
97	})
98	)
99
100	// fallback to default 'no-referrer' only when 'strict-origin-when-cross-origin' not available
101	app.use(	×
102	helmet.referrerPolicy({
103	policy: ['no-referrer', 'strict-origin-when-cross-origin']
104	})
105	)
106
107	// When a text/html request is received, negotiate and store the requested language
108	// Using asyncLocalStorage avoids having to pass req context down through every function (e.g. getMessage())
109	app.use((req, res, next) => {	×
110	if (!req.headers.accept?.startsWith('text/html')) return next()	×
111
112	localStorage.run(new Map(), () => {	×
113	req.locale = updateLocale(accepts(req).languages())	×
114	localStorage.getStore().set('locale', req.locale)	×
115	next()	×
116	})
117	})
118
119	// MNTOR-1009, 1117:
120	// Because of proxy settings, request / cookies are not persisted between calls
121	// Setting the trust proxy to high and securing the cookie allowed the cookie to persist
122	// If cookie.secure is set as true, for nodejs behind proxy, "trust proxy" needs to be set
123	app.set('trust proxy', 1)	×
124
125	// session
126	const SESSION_DURATION_HOURS = AppConstants.SESSION_DURATION_HOURS \|\| 48	×
127	app.use(	×
128	session({
129	cookie: {
130	maxAge: SESSION_DURATION_HOURS * 60 * 60 * 1000, // 48 hours
131	rolling: true,
132	sameSite: 'lax',
133	secure: !isDev
134	},
135	resave: false,
136	saveUninitialized: true,
137	secret: AppConstants.COOKIE_SECRET,
138	store: await getRedisStore()
139	})
140	)
141
142	// Load breaches into namespaced cache
143	try {	×
144	await loadBreachesIntoApp(app)	×
145	} catch (error) {
146	console.error('Error loading breaches into app.locals', error)	×
147	}
148
149	app.use(express.static(staticPath))	×
150	app.use(express.json())	×
151	app.use(cookieParser(AppConstants.COOKIE_SECRET))	×
152	app.use(doubleCsrfProtection)	×
153
154	const apiLimiter = rateLimit({	×
155	windowMs: 15 * 60 * 1000, // 15 minutes
156	max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
157	standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
158	legacyHeaders: false // Disable the `X-RateLimit-*` headers
159	})
160
161	app.use('/api', apiLimiter)	×
162
163	// routing
164	app.use('/', indexRouter)	×
165
166	// sentry error handler
167	app.use(Sentry.Handlers.errorHandler({	×
168	shouldHandleError (error) {
169	if (error instanceof RateLimitError) return true	×
170	}
171	}))
172
173	// app error handler
174	app.use(errorHandler)	×
175
176	app.listen(AppConstants.PORT, async function () {	×
177	console.info(`MONITOR V2: Server listening at ${this.address().port}`)	×
178	console.info(`Static files served from ${staticPath}`)	×
179	try {	×
180	await initEmail()	×
181	console.info('Email initialized')	×
182	} catch (ex) {
183	console.error('try-initialize-email-error', { ex })	×
184	}
185	})

mozilla / blurts-server / #12229

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous