4b2d91d7-54ea-4aec-a5bb-d3ff4b026f45

Build # 4b2d91d7-54ea-4aec-a5bb-d3ff4b026f45

Build Type

push

circleci

Committed by GitHub

Commit Message

Merge pull request #2964 from mozilla/MNTOR-1166

Run Details

282 of 1613 branches covered (17.48%)

Branch coverage included in aggregate %.

7 of 7 new or added lines in 1 file covered. (100.0%)

959 of 4366 relevant lines covered (21.97%)

3.66 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/app.js

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

import crypto from 'node:crypto'

import express from 'express'
import session from 'express-session'
import helmet from 'helmet'
import accepts from 'accepts'
import { createClient } from 'redis'
import RedisStore from 'connect-redis'
import cookieParser from 'cookie-parser'
import rateLimit from 'express-rate-limit'
import Sentry from '@sentry/node'
import '@sentry/tracing'

import AppConstants from './app-constants.js'
import { localStorage } from './utils/local-storage.js'
import { errorHandler } from './middleware/error.js'
import { initFluentBundles, updateLocale, getMessageWithLocale, getMessage } from './utils/fluent.js'
import { loadBreachesIntoApp } from './utils/hibp.js'
import { RateLimitError } from './utils/error.js'
import { initEmail } from './utils/email.js'
import indexRouter from './routes/index.js'
import { noSearchEngineIndex } from './middleware/noSearchEngineIndex.js'

const app = express()
const isDev = AppConstants.NODE_ENV === 'dev'

// init sentry
Sentry.init({
  dsn: AppConstants.SENTRY_DSN,
  environment: AppConstants.NODE_ENV,
  debug: isDev,
  beforeSend (event, hint) {
    if (!hint.originalException.locales || hint.originalException.locales[0] === 'en') return event // return if no localization or localization is in english

    // try to force an english translation for the error message if localized
    if (hint.originalException.fluentID) {
      event.exception.values[0].value = getMessageWithLocale(hint.originalException.fluentID, 'en') || getMessage(hint.originalException.fluentID)
    }

    return event
  }
})

// Determine from where to serve client code/assets:
// Build script is triggered for `npm start` and assets are served from /dist.
// Build script is NOT run for `npm run dev`, assets are served from /src, and nodemon restarts server without build (faster dev).
const staticPath =
  process.env.npm_lifecycle_event === 'start' ? '../dist' : './client'

await initFluentBundles()

async function getRedisStore () {
  if (['', 'redis-mock'].includes(AppConstants.REDIS_URL)) {
    // allow mock redis for setups without local redis server
    const { redisMockClient } = await import('./utils/redis-mock.js')
    return new RedisStore({ client: redisMockClient })
  }

  const redisClient = createClient({ url: AppConstants.REDIS_URL })
  // the following event handlers are currently required for Heroku server stability: https://github.com/Shopify/shopify-app-js/issues/129
  redisClient.on('error', err => console.error('Redis client error', err))
  redisClient.on('connect', () => console.log('Redis client is connecting'))
  redisClient.on('reconnecting', () => console.log('Redis client is reconnecting'))
  redisClient.on('ready', () => console.log('Redis client is ready'))
  await redisClient.connect().catch(console.error)
  return new RedisStore({ client: redisClient })
}

// middleware
app.use(
  helmet({
    crossOriginResourcePolicy: { policy: 'cross-origin' },
    crossOriginEmbedderPolicy: false
  })
)

app.use(
  Sentry.Handlers.requestHandler({
    request: ['headers', 'method', 'url'], // omit cookies, data, query_string
    user: ['id'] // omit username, email
  })
)

const imgSrc = [
  "'self'",
  'https://www.googletagmanager.com', // Support GA4 per https://developers.google.com/tag-platform/tag-manager/web/csp
  'https://firefoxusercontent.com',
  'https://mozillausercontent.com/',
  'https://monitor.cdn.mozilla.net/'
]

if (AppConstants.FXA_ENABLED) {
  const fxaSrc = new URL(AppConstants.OAUTH_PROFILE_URI).origin
  imgSrc.push(fxaSrc)
}

app.use((_req, res, _next) => {
  res.locals.nonce = crypto.randomBytes(16).toString('hex')
  helmet.contentSecurityPolicy({
    directives: {
      upgradeInsecureRequests: isDev ? null : [], // disable forced https to allow localhost on Safari
      scriptSrc: [
        "'self'",
        // Support GA4 per https://developers.google.com/tag-platform/tag-manager/web/csp
        `'nonce-${res.locals.nonce}'`
      ],
      imgSrc,
      connectSrc: [
        "'self'",
        // Support GA4 per https://developers.google.com/tag-platform/tag-manager/web/csp
        'https://*.google-analytics.com',
        'https://*.analytics.google.com',
        'https://*.googletagmanager.com'
      ]
    }
  })(_req, res, _next)
})

// fallback to default 'no-referrer' only when 'strict-origin-when-cross-origin' not available
app.use(
  helmet.referrerPolicy({
    policy: ['no-referrer', 'strict-origin-when-cross-origin']
  })
)

// For text/html or */* (if Accept has not been set), negotiate and store the requested language.
// This filter avoids running unecessary locale functions for every image/webp request, for example.
// Using AsyncLocalStorage avoids having to pass req context down through every function (e.g. for getMessage())
app.use((req, res, next) => {
  if (!['text/html', '*/*'].includes(accepts(req).types()[0])) return next()

  req.locale = updateLocale(accepts(req).languages())
  localStorage.run(new Map(), () => {
    localStorage.getStore().set('locale', req.locale)
    next() // call next() inside this function to pass asyncLocalStorage context to other middleware.
  })
})

// MNTOR-1009, 1117:
// Because of proxy settings, request / cookies are not persisted between calls
// Setting the trust proxy to high and securing the cookie allowed the cookie to persist
// If cookie.secure is set as true, for nodejs behind proxy, "trust proxy" needs to be set
app.set('trust proxy', 1)

// session
const SESSION_DURATION_HOURS = AppConstants.SESSION_DURATION_HOURS || 48
app.use(
  session({
    cookie: {
      maxAge: SESSION_DURATION_HOURS * 60 * 60 * 1000, // 48 hours
      rolling: true,
      sameSite: 'lax',
      secure: !isDev
    },
    resave: false,
    saveUninitialized: true,
    secret: AppConstants.COOKIE_SECRET,
    store: await getRedisStore()
  })
)

// Load breaches into namespaced cache
try {
  await loadBreachesIntoApp(app)
} catch (error) {
  console.error('Error loading breaches into app.locals', error)
}

app.use(noSearchEngineIndex)
app.use(express.static(staticPath))
app.use(express.json())
app.use(cookieParser(AppConstants.COOKIE_SECRET))

const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
  legacyHeaders: false // Disable the `X-RateLimit-*` headers
})

app.use('/api', apiLimiter)

// routing
app.use('/', indexRouter)

// sentry error handler
app.use(Sentry.Handlers.errorHandler({
  shouldHandleError (error) {
    if (error instanceof RateLimitError) return true
  }
}))

// app error handler
app.use(errorHandler)

app.listen(AppConstants.PORT, async function () {
  console.info(`MONITOR V2: Server listening at ${this.address().port}`)
  console.info(`Static files served from ${staticPath}`)
  try {
    await initEmail()
    console.info('Email initialized')
  } catch (ex) {
    console.error('try-initialize-email-error', { ex })
  }
})

1	/* This Source Code Form is subject to the terms of the Mozilla Public
2	* License, v. 2.0. If a copy of the MPL was not distributed with this
3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5	import crypto from 'node:crypto'
6
7	import express from 'express'
8	import session from 'express-session'
9	import helmet from 'helmet'
10	import accepts from 'accepts'
11	import { createClient } from 'redis'
12	import RedisStore from 'connect-redis'
13	import cookieParser from 'cookie-parser'
14	import rateLimit from 'express-rate-limit'
15	import Sentry from '@sentry/node'
16	import '@sentry/tracing'
17
18	import AppConstants from './app-constants.js'
19	import { localStorage } from './utils/local-storage.js'
20	import { errorHandler } from './middleware/error.js'
21	import { initFluentBundles, updateLocale, getMessageWithLocale, getMessage } from './utils/fluent.js'
22	import { loadBreachesIntoApp } from './utils/hibp.js'
23	import { RateLimitError } from './utils/error.js'
24	import { initEmail } from './utils/email.js'
25	import indexRouter from './routes/index.js'
26	import { noSearchEngineIndex } from './middleware/noSearchEngineIndex.js'
27
28	const app = express()	×
29	const isDev = AppConstants.NODE_ENV === 'dev'	×
30
31	// init sentry
32	Sentry.init({	×
33	dsn: AppConstants.SENTRY_DSN,
34	environment: AppConstants.NODE_ENV,
35	debug: isDev,
36	beforeSend (event, hint) {
37	if (!hint.originalException.locales \|\| hint.originalException.locales[0] === 'en') return event // return if no localization or localization is in english	×
38
39	// try to force an english translation for the error message if localized
40	if (hint.originalException.fluentID) {	×
41	event.exception.values[0].value = getMessageWithLocale(hint.originalException.fluentID, 'en') \|\| getMessage(hint.originalException.fluentID)	×
42	}
43
44	return event	×
45	}
46	})
47
48	// Determine from where to serve client code/assets:
49	// Build script is triggered for `npm start` and assets are served from /dist.
50	// Build script is NOT run for `npm run dev`, assets are served from /src, and nodemon restarts server without build (faster dev).
51	const staticPath =
52	process.env.npm_lifecycle_event === 'start' ? '../dist' : './client'	×
53
54	await initFluentBundles()	×
55
56	async function getRedisStore () {
57	if (['', 'redis-mock'].includes(AppConstants.REDIS_URL)) {	×
58	// allow mock redis for setups without local redis server
59	const { redisMockClient } = await import('./utils/redis-mock.js')	×
60	return new RedisStore({ client: redisMockClient })	×
61	}
62
63	const redisClient = createClient({ url: AppConstants.REDIS_URL })	×
64	// the following event handlers are currently required for Heroku server stability: https://github.com/Shopify/shopify-app-js/issues/129
65	redisClient.on('error', err => console.error('Redis client error', err))	×
66	redisClient.on('connect', () => console.log('Redis client is connecting'))	×
67	redisClient.on('reconnecting', () => console.log('Redis client is reconnecting'))	×
68	redisClient.on('ready', () => console.log('Redis client is ready'))	×
69	await redisClient.connect().catch(console.error)	×
70	return new RedisStore({ client: redisClient })	×
71	}
72
73	// middleware
74	app.use(	×
75	helmet({
76	crossOriginResourcePolicy: { policy: 'cross-origin' },
77	crossOriginEmbedderPolicy: false
78	})
79	)
80
81	app.use(	×
82	Sentry.Handlers.requestHandler({
83	request: ['headers', 'method', 'url'], // omit cookies, data, query_string
84	user: ['id'] // omit username, email
85	})
86	)
87
88	const imgSrc = [	×
89	"'self'",
90	'https://www.googletagmanager.com', // Support GA4 per https://developers.google.com/tag-platform/tag-manager/web/csp
91	'https://firefoxusercontent.com',
92	'https://mozillausercontent.com/',
93	'https://monitor.cdn.mozilla.net/'
94	]
95
96	if (AppConstants.FXA_ENABLED) {	×
97	const fxaSrc = new URL(AppConstants.OAUTH_PROFILE_URI).origin	×
98	imgSrc.push(fxaSrc)	×
99	}
100
101	app.use((_req, res, _next) => {	×
102	res.locals.nonce = crypto.randomBytes(16).toString('hex')	×
103	helmet.contentSecurityPolicy({	×
104	directives: {
105	upgradeInsecureRequests: isDev ? null : [], // disable forced https to allow localhost on Safari	×
106	scriptSrc: [
107	"'self'",
108	// Support GA4 per https://developers.google.com/tag-platform/tag-manager/web/csp
109	`'nonce-${res.locals.nonce}'`
110	],
111	imgSrc,
112	connectSrc: [
113	"'self'",
114	// Support GA4 per https://developers.google.com/tag-platform/tag-manager/web/csp
115	'https://*.google-analytics.com',
116	'https://*.analytics.google.com',
117	'https://*.googletagmanager.com'
118	]
119	}
120	})(_req, res, _next)
121	})
122
123	// fallback to default 'no-referrer' only when 'strict-origin-when-cross-origin' not available
124	app.use(	×
125	helmet.referrerPolicy({
126	policy: ['no-referrer', 'strict-origin-when-cross-origin']
127	})
128	)
129
130	// For text/html or / (if Accept has not been set), negotiate and store the requested language.
131	// This filter avoids running unecessary locale functions for every image/webp request, for example.
132	// Using AsyncLocalStorage avoids having to pass req context down through every function (e.g. for getMessage())
133	app.use((req, res, next) => {	×
134	if (!['text/html', '/'].includes(accepts(req).types()[0])) return next()	×
135
136	req.locale = updateLocale(accepts(req).languages())	×
137	localStorage.run(new Map(), () => {	×
138	localStorage.getStore().set('locale', req.locale)	×
139	next() // call next() inside this function to pass asyncLocalStorage context to other middleware.	×
140	})
141	})
142
143	// MNTOR-1009, 1117:
144	// Because of proxy settings, request / cookies are not persisted between calls
145	// Setting the trust proxy to high and securing the cookie allowed the cookie to persist
146	// If cookie.secure is set as true, for nodejs behind proxy, "trust proxy" needs to be set
147	app.set('trust proxy', 1)	×
148
149	// session
150	const SESSION_DURATION_HOURS = AppConstants.SESSION_DURATION_HOURS \|\| 48	×
151	app.use(	×
152	session({
153	cookie: {
154	maxAge: SESSION_DURATION_HOURS * 60 * 60 * 1000, // 48 hours
155	rolling: true,
156	sameSite: 'lax',
157	secure: !isDev
158	},
159	resave: false,
160	saveUninitialized: true,
161	secret: AppConstants.COOKIE_SECRET,
162	store: await getRedisStore()
163	})
164	)
165
166	// Load breaches into namespaced cache
167	try {	×
168	await loadBreachesIntoApp(app)	×
169	} catch (error) {
170	console.error('Error loading breaches into app.locals', error)	×
171	}
172
173	app.use(noSearchEngineIndex)	×
174	app.use(express.static(staticPath))	×
175	app.use(express.json())	×
176	app.use(cookieParser(AppConstants.COOKIE_SECRET))	×
177
178	const apiLimiter = rateLimit({	×
179	windowMs: 15 * 60 * 1000, // 15 minutes
180	max: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes)
181	standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
182	legacyHeaders: false // Disable the `X-RateLimit-*` headers
183	})
184
185	app.use('/api', apiLimiter)	×
186
187	// routing
188	app.use('/', indexRouter)	×
189
190	// sentry error handler
191	app.use(Sentry.Handlers.errorHandler({	×
192	shouldHandleError (error) {
193	if (error instanceof RateLimitError) return true	×
194	}
195	}))
196
197	// app error handler
198	app.use(errorHandler)	×
199
200	app.listen(AppConstants.PORT, async function () {	×
201	console.info(`MONITOR V2: Server listening at ${this.address().port}`)	×
202	console.info(`Static files served from ${staticPath}`)	×
203	try {	×
204	await initEmail()	×
205	console.info('Email initialized')	×
206	} catch (ex) {
207	console.error('try-initialize-email-error', { ex })	×
208	}
209	})

mozilla / blurts-server / 4b2d91d7-54ea-4aec-a5bb-d3ff4b026f45

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous