-
Notifications
You must be signed in to change notification settings - Fork 1
/
app.js
79 lines (72 loc) · 2.09 KB
/
app.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
/**
* * @imports => node registry packages imports
*/
const cors = require("cors");
const express = require("express");
const csrf = require("csurf");
const bodyParser = require("body-parser");
const cookieParser = require("cookie-parser");
const helmet = require("helmet");
const rateLimit = require("express-rate-limit");
const NodeCache = require("node-cache");
// const customCache = new NodeCache();
/**
* * @setups => application setups
* * Contains security and middleware setups
*/
const app = express();
app.use(cors());
// parse application/json
app.use(bodyParser.json());
/**
* @dev Cross-site request forgery protection
*/
const csrfProtection = csrf({ cookie: true });
app.use(cookieParser());
// parse application/x-www-form-urlencoded
var parseForm = bodyParser.urlencoded({ extended: false });
/**
* @dev X-Powered-By for Security, Save Bandwidth in ExpressJS(Node.js)
* */
app.use(helmet());
app.use(helmet.hidePoweredBy());
app.use(helmet.noSniff());
/**
* @dev Rate Limiting
*/
const apiLimiter = rateLimit({
windowMs: 10 * 60 * 1000, // 10 minutes
max: 100, // Limit each IP to 100 requests per `window` (here, per 10 minutes)
standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
legacyHeaders: false, // Disable the `X-RateLimit-*` headers
});
/**
* * @routes => application routes
*/
app
.get("/", apiLimiter, csrfProtection, (req, res) => {
const csrfToken = req.csrfToken();
// customCache.set("csrfToken", token, 10 * 60);
res.json({
msg: "Welcome to The Boring School's IP Address Banner API 🚀.",
csrfToken,
});
})
/**
* @dev POST /ip => may raise Invalid CSRF Token error, solution explained
* * Add header on client request
* * {CSRF-Token = "Cross-site request forgery protection token"}
* * Note: "Call "/" to get the CSRF-Token" once and set to
* * localStorage or Cookie in client side.
*/
.post("/ip", parseForm, csrfProtection, (req, res) => {
res.json({
body: req.body,
});
})
.get("*", (req, res) =>
res.json({
msg: "404 Not Found!",
})
);
module.exports = app;