CoSheet/security-wrapper.js at master · phucdhh/CoSheet · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
/**
 * CoSheet Security Integration Wrapper
 * Injects security middleware into Zappajs app
 */

const security = require('./middleware/security');
const logger = require('./middleware/logger');
const healthCheck = require('./middleware/health');

/**
 * Wrap Zappajs app with security middleware
 */
function wrapZappaApp(zappaApp) {
  // Trust proxy (Cloudflare/nginx)
  security.trustProxy(zappaApp);

  // Cookie parser (required for CSRF)
  zappaApp.use(security.cookieParser());

  // Security headers (Helmet)
  security.configureHelmet(zappaApp);

  // Request logging
  zappaApp.use(logger.httpLogger);

  // Request counter for metrics
  zappaApp.use(healthCheck.requestCounter());

  // CSRF token generation
  zappaApp.use(security.generateCsrfToken);

  // Apply rate limiting (skip for static files)
  zappaApp.use((req, res, next) => {
    // Skip rate limiting for static assets
    if (req.path.startsWith('/static/') ||
        req.path.startsWith('/images/') ||
        req.path.match(/\.(css|js|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf|eot)$/)) {
      return next();
    }
    security.apiLimiter(req, res, next);
  });

  // Specific rate limits for sheet operations
  zappaApp.use('/_new', security.sheetLimiter);
  zappaApp.use('/_save', security.sheetLimiter);
  zappaApp.use('/_upload', security.uploadLimiter);

  // CSRF protection for state-changing operations
  // Skip for GET/HEAD/OPTIONS and WebSocket upgrades
  zappaApp.use((req, res, next) => {
    // Skip CSRF for static files
    if (req.path.startsWith('/static/') || req.path.startsWith('/images/')) {
      return next();
    }

    // Skip CSRF for health checks
    if (req.path.startsWith('/health') || req.path === '/metrics') {
      return next();
    }

    security.csrfProtection(req, res, next);
  });

  // Setup health check routes
  healthCheck.setupRoutes(zappaApp);

  // Error logging middleware (must be last)
  zappaApp.use(logger.errorLogger);

  logger.info('Security middleware initialized', {
    features: [
      'Rate Limiting',
      'CSRF Protection',
      'Security Headers (Helmet)',
      'Request Logging',
      'Health Checks',
      'Metrics Endpoint'
    ]
  });
}

module.exports = wrapZappaApp;