const path = require('path');
const express = require('express');
const morgan = require('morgan');
const rateLimit = require('express-rate-limit');
const AppError = require('./utils/appError');
const globalErrorHandler = require('./controllers/errorController');
const tourRouter = require('./routes/tourRoutes');
const userRouter = require('./routes/userRoutes');
const reviewRouter = require('./routes/reviewRoutes');
const bookingRouter = require('./routes/bookingRoutes');
const bookingController = require('./controllers/bookingController');
const viewRouter = require('./routes/viewRoutes');
const helmet = require('helmet');
const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');
const hpp = require('hpp');
const cookieParser = require('cookie-parser');
const compression = require('compression');
const app = express();

// Security response headers (helmet's default set). Registered first so every
// later handler — static files included — is covered.
app.use(helmet());
// app.use(helmet.crossOriginResourcePolicy({ policy: 'cross-origin' }));

// Server-side rendering with pug; templates live in ./views
const viewsDir = path.join(__dirname, 'views');
app.set('view engine', 'pug');
app.set('views', viewsDir);

// Static assets (HTML, CSS, client scripts) are served straight from ./public
const publicDir = path.join(__dirname, 'public');
app.use(express.static(publicDir));
// Global middlewares

const isDevelopment = process.env.NODE_ENV === 'development';
if (isDevelopment) {
  // Request logging (method, path, status, timing) on the server console
  app.use(morgan('dev'));
}

// 100 requests per client per hour on the API
const ONE_HOUR_MS = 60 * 60 * 1000;
const limiter = rateLimit({
  max: 100,
  windowMs: ONE_HOUR_MS,
  message: 'Too many requests from this IP, please try again in 1 hour.',
});

// Throttle only the JSON API; views and static assets are not limited.
// NOTE(review): presumably keyed by client IP — if the app is deployed behind
// a reverse proxy, Express's 'trust proxy' setting has to be configured or
// every client is bucketed under the proxy's address; verify the deployment.
app.use('/api', limiter);
// Stripe webhook: registered BEFORE the JSON body parser so the handler sees
// the raw request bytes rather than a parsed object.
// NOTE(review): presumably needed for webhook signature verification —
// confirm in bookingController.webhookCheckout. This path is outside '/api',
// so the API rate limiter does not cover it.
const rawJsonBody = express.raw({ type: 'application/json' });
app.post('/webhook-checkout', rawJsonBody, bookingController.webhookCheckout);

// Body parsers (JSON and form-encoded), both capped at 10kb so a single
// request cannot buffer an arbitrarily large body.
const BODY_LIMIT = '10kb';
app.use(express.json({ limit: BODY_LIMIT }));
// extended: true allows nested objects/arrays in form bodies (used by the
// account form under /me)
app.use(express.urlencoded({ extended: true, limit: BODY_LIMIT }));

// Populates req.cookies for later handlers
app.use(cookieParser());
// Input sanitization. mongoSanitize removes MongoDB operator characters from
// user-supplied keys to blunt NoSQL query injection; xss() cleans HTML in
// input.
app.use(mongoSanitize());
// NOTE(review): xss-clean appears to be no longer maintained — confirm it is
// still the intended XSS control.
app.use(xss());

// HTTP parameter pollution: hpp keeps a single value for any repeated query
// parameter, except the ones listed here, which may legitimately repeat
// (e.g. ?duration=5&duration=9).
const REPEATABLE_QUERY_PARAMS = [
  'duration',
  'ratingsQuantity',
  'ratingsAverage',
  'maxGroupSize',
  'difficulty',
  'price',
];
app.use(hpp({ whitelist: REPEATABLE_QUERY_PARAMS }));

// gzip/deflate response bodies
app.use(compression());
// ------------------------------------------------------------------
// Stamp every request with an ISO-8601 timestamp for downstream handlers
const stampRequestTime = (req, res, next) => {
  req.requestTime = new Date().toISOString();
  next();
};
app.use(stampRequestTime);
// ------------------------------------------------------------------
// Route mounting. Order is preserved: the view router owns '/', the API
// routers sit under a versioned prefix.
const mountedRouters = [
  ['/', viewRouter],
  ['/api/v1/tours', tourRouter],
  ['/api/v1/users', userRouter],
  ['/api/v1/reviews', reviewRouter],
  ['/api/v1/bookings', bookingRouter],
];
for (const [mountPath, router] of mountedRouters) {
  app.use(mountPath, router);
}

// Anything not matched above is a 404. Passing a value to next() hands it to
// the error-handling middleware registered below.
// NOTE(review): the requested URL is reflected into the error message; the
// global error handler is presumably responsible for escaping it when the
// error is rendered as HTML — confirm.
// NOTE(review): the bare '*' wildcard is Express 4 path syntax; Express 5
// changed wildcard paths — confirm the installed major version.
app.all('*', (req, res, next) => {
  const notFound = new AppError(
    `Unable to locate ${req.originalUrl} on this server!`,
    404
  );
  next(notFound);
});

// Central error handler; must be the last middleware registered
app.use(globalErrorHandler);

// This module only builds the app; the HTTP server is started in a separate
// module.
module.exports = app;