BallStudios/eagler-tiers
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4fc36781d5a065938b093b8e9a9b0dd4431bbfa3
eagler-tiers/server/middleware/security.js
starified 08bf320b57 uploaded
2026-04-21 22:03:19 -04:00

157 lines
4.1 KiB
JavaScript
Raw Blame History

const crypto = require("crypto");
const cors = require("cors");
const { sendError } = require("../utils/http");
const WRITE_KEY_REGEX = /^[A-Za-z0-9_-]{16,128}$/;
let warnedAboutOpenWriteAccess = false;
function parseAllowedOrigins(value) {
const legacy = process.env.FRONTEND_ORIGIN || "";
const source = value || legacy;
if (!source) {
return ["http://localhost:3000", "http://127.0.0.1:3000"];
}
return source
.split(",")
.map((item) => item.trim())
.filter(Boolean);
}
function createCorsMiddleware() {
const allowedOrigins = new Set(parseAllowedOrigins(process.env.CORS_ALLOWED_ORIGINS));
return cors({
origin(origin, callback) {
// Allow same-origin/browser requests with no Origin header.
if (!origin) {
callback(null, true);
return;
}
if (allowedOrigins.has(origin)) {
callback(null, true);
return;
}
callback(new Error("CORS origin blocked"));
},
credentials: false,
methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
allowedHeaders: ["Content-Type", "X-API-Key"],
maxAge: 600,
});
}
function securityHeaders(req, res, next) {
const trustProxy = String(process.env.TRUST_PROXY || "false").toLowerCase() === "true";
res.setHeader(
"Content-Security-Policy",
[
"default-src 'self'",
"script-src 'self'",
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
"img-src 'self' data: https://render.crafty.gg",
"font-src 'self' https://fonts.gstatic.com",
"connect-src 'self'",
"object-src 'none'",
"base-uri 'self'",
"form-action 'self'",
"frame-ancestors 'none'",
"upgrade-insecure-requests",
].join("; ")
);
res.setHeader("X-Content-Type-Options", "nosniff");
res.setHeader("X-Frame-Options", "DENY");
res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
if (req.secure || (trustProxy && String(req.get("x-forwarded-proto") || "").toLowerCase() === "https")) {
res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
}
next();
}
function enforceHttps(req, res, next) {
const enforce = String(process.env.ENFORCE_HTTPS || "false").toLowerCase() === "true";
const trustProxy = String(process.env.TRUST_PROXY || "false").toLowerCase() === "true";
if (!enforce) {
next();
return;
}
const isSecure =
req.secure || (trustProxy && String(req.get("x-forwarded-proto") || "").toLowerCase() === "https");
if (isSecure) {
next();
return;
}
const host = req.get("host");
if (!host) {
return sendError(res, 400, "HTTPS_REQUIRED", "HTTPS is required.");
}
return res.redirect(301, `https://${host}${req.originalUrl}`);
}
function getWriteKeys() {
const raw = process.env.API_WRITE_KEYS || process.env.API_WRITE_KEY || "";
const keys = raw
.split(",")
.map((key) => key.trim())
.filter(Boolean)
.filter((key) => WRITE_KEY_REGEX.test(key));
return keys;
}
function safeEqual(a, b) {
const left = Buffer.from(a);
const right = Buffer.from(b);
if (left.length !== right.length) {
return false;
}
return crypto.timingSafeEqual(left, right);
}
function requireWriteApiKey(req, res, next) {
const writeKeys = getWriteKeys();
if (writeKeys.length === 0) {
if (!warnedAboutOpenWriteAccess) {
warnedAboutOpenWriteAccess = true;
console.warn("Write API key protection is disabled. Set API_WRITE_KEYS to enforce write authentication.");
}
next();
return;
}
const apiKey = String(req.get("x-api-key") || "").trim();
if (!WRITE_KEY_REGEX.test(apiKey)) {
return sendError(res, 401, "AUTH_REQUIRED", "Missing or invalid API key.");
}
const matched = writeKeys.some((key) => safeEqual(key, apiKey));
if (!matched) {
return sendError(res, 401, "AUTH_REQUIRED", "Missing or invalid API key.");
}
next();
}
module.exports = {
createCorsMiddleware,
securityHeaders,
enforceHttps,
requireWriteApiKey,
};
Reference in New Issue View Git Blame Copy Permalink