-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserver.js
84 lines (75 loc) · 2.62 KB
/
server.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
const express = require('express');
const path = require('path');
const bodyParser = require('body-parser');
const connectDB = require('./db');
const expressSanitizer = require('express-sanitizer');
const helmet = require('helmet');
const session = require('express-session');
const cors = require('cors');
//Cors Settings
var corsOptions = {
origin: '*',
methods: 'GET,HEAD,PUT,PATCH,POST, DELETE, OPTIONS',
preflightContinue: true,
optionsSuccessStatus: 204,
exposedHeaders: 'Auth'
};
const app = express();
app.use(cors(corsOptions));
app.use(
session({
secret: process.env.sessionSecret,
resave: false,
saveUninitialized: true,
cookie: {
// Only allow cookies to be sent over HTTPS in production
secure: app.get('env') === 'production' ? true : false,
// Cookies only accessed through HTTPS calls and not scripts
httpOnly: true,
// Only allow cookies to be sent to the below domains
domain: app.get('env') === 'production' ? 'office-pool.com' : 'localhost',
// Max age of cookies
maxAge: 72000000,
// Similar to domain, only allow cookies from same site
sameSite: true
},
// Default name is connect.sid, betting to change it away from default
name: 'officePoolSecurity'
})
);
// Only allow scripts, styles and font be run from whitelisted domains
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", 'fonts.googleapis.com'],
fontSrc: ["'self'", 'fonts.gstatic.com', 'data:'],
scriptSrc: ["'self'", 'code.jquery.com'],
// Send report data to the below endpoint (not coded yet)
reportUri: '/api/securityreport'
}
})
);
// Blocks our site from being used in iframes on malicious sites
app.use(helmet.frameguard({ action: 'deny' }));
app.use(bodyParser.json());
// Can be used to sanitize outputs incase malicious code stored in database
app.use(expressSanitizer());
// Connect to DB
connectDB();
// Routes
app.use('/api/users', require('./routes/users.js'));
app.use('/api/auth', require('./routes/auth'));
app.use('/api/tournaments', require('./routes/tournaments'));
app.use('/api/seasons', require('./routes/seasons'));
app.use('/api/matches', require('./routes/matches'));
// Serve static assets in production - USED FOR HEROKU DEPLOYMENT
if (process.env.NODE_ENV === 'production') {
// Set static folder
app.use(express.static('client/build'));
app.get('*', (req, res) =>
res.sendFile(path.resolve(__dirname, 'client', 'build', 'index.html'))
);
}
const PORT = process.env.PORT || 5000;
app.listen(PORT, () => console.log('Server started on port: ' + PORT));