feat: Add more utility middleware

Jesse Wierzbinski 2024-08-19 21:17:25 +02:00
parent 866692c1dc
commit 26749e576a
3 changed files with 44 additions and 28 deletions

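--- a/app.ts
+++ b/app.ts
@@ -1,6 +1,9 @@
 import { response } from "@/response";
 import { sentry } from "@/sentry";
 import { Hono } from "@hono/hono";
+import { cors } from "@hono/hono/cors";
+import { prettyJSON } from "@hono/hono/pretty-json";
+import { secureHeaders } from "@hono/hono/secure-headers";
 import { getLogger } from "@logtape/logtape";
 import { config } from "~/packages/config-manager/index";
 import { agentBans } from "./middlewares/agent-bans";
@@ -24,6 +27,47 @@ export const appFactory = async () => {
 app.use(bait);
 app.use(logger);
 app.use(boundaryCheck);
+app.use(
+secureHeaders({
+contentSecurityPolicy: {
+// We will not be returning HTML, so everything should be blocked
+defaultSrc: ["'none'"],
+scriptSrc: ["'none'"],
+styleSrc: ["'none'"],
+imgSrc: ["'none'"],
+connectSrc: ["'none'"],
+fontSrc: ["'none'"],
+objectSrc: ["'none'"],
+mediaSrc: ["'none'"],
+frameSrc: ["'none'"],
+frameAncestors: ["'none'"],
+baseUri: ["'none'"],
+formAction: ["'none'"],
+childSrc: ["'none'"],
+workerSrc: ["'none'"],
+manifestSrc: ["'none'"],
+},
+referrerPolicy: "no-referrer",
+xFrameOptions: "DENY",
+xContentTypeOptions: "nosniff",
+crossOriginEmbedderPolicy: "require-corp",
+crossOriginOpenerPolicy: "same-origin",
+crossOriginResourcePolicy: "same-origin",
+}),
+);
+app.use(
+prettyJSON({
+space: 4,
+}),
+);
+app.use(
+cors({
+origin: "*",
+allowHeaders: ["Content-Type", "Authorization"],
+allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE"],
+credentials: true,
+}),
+);
 // Disabled as federation now checks for this
 // app.use(urlCheck);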
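Review bot: `origin: "*"` together with `credentials: true` in the new `cors({...})` call is a contradictory configuration: browsers reject a credentialed cross-origin response whose Access-Control-Allow-Origin is the literal `*`, so as written the credentials flag does nothing, and if the origin were ever switched to a reflecting callback to "make it work", every origin on the web would gain credentialed access to the API. Since `allowHeaders` already permits `Authorization`, bearer-token clients work fine under a wildcard origin without credentials; drop `credentials: true`, or, if cookie/HTTP-auth sessions are actually required, replace the wildcard with an explicit origin allowlist (for example one taken from `config`). A comment above the call such as `// Clients authenticate with a bearer Authorization header, so no credentialed CORS is needed` would record the intended model. The enclosing `appFactory` body continues outside the hunk.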


@ -27,12 +27,6 @@ export const schemas = {
param: z.object({ param: z.object({
id: z.string().uuid(), id: z.string().uuid(),
}), }),
query: z.object({
debug: z
.string()
.transform((v) => ["true", "1", "on"].includes(v.toLowerCase()))
.optional(),
}),
}; };
export default apiRoute((app) => export default apiRoute((app) =>
@ -40,10 +34,8 @@ export default apiRoute((app) =>
meta.allowedMethods, meta.allowedMethods,
meta.route, meta.route,
zValidator("param", schemas.param, handleZodError), zValidator("param", schemas.param, handleZodError),
zValidator("query", schemas.query, handleZodError),
async (context) => { async (context) => {
const { id } = context.req.valid("param"); const { id } = context.req.valid("param");
const { debug } = context.req.valid("query");
let foundObject: Note | LikeType | null = null; let foundObject: Note | LikeType | null = null;
let foundAuthor: User | null = null; let foundAuthor: User | null = null;
@ -88,12 +80,6 @@ export default apiRoute((app) =>
); );
} }
if (debug) {
return response(JSON.stringify(apiObject, null, 4), 200, {
"Content-Type": "application/json",
});
}
const objectString = JSON.stringify(apiObject); const objectString = JSON.stringify(apiObject);
// If base_url uses https and request uses http, rewrite request to use https // If base_url uses https and request uses http, rewrite request to use https


@ -21,12 +21,6 @@ export const schemas = {
param: z.object({ param: z.object({
uuid: z.string().uuid().or(z.literal("actor")), uuid: z.string().uuid().or(z.literal("actor")),
}), }),
query: z.object({
debug: z
.string()
.transform((v) => ["true", "1", "on"].includes(v.toLowerCase()))
.optional(),
}),
}; };
export default apiRoute((app) => export default apiRoute((app) =>
@ -34,10 +28,8 @@ export default apiRoute((app) =>
meta.allowedMethods, meta.allowedMethods,
meta.route, meta.route,
zValidator("param", schemas.param, handleZodError), zValidator("param", schemas.param, handleZodError),
zValidator("query", schemas.query, handleZodError),
async (context) => { async (context) => {
const { uuid } = context.req.valid("param"); const { uuid } = context.req.valid("param");
const { debug } = context.req.valid("query");
const user = const user =
uuid === "actor" uuid === "actor"
@ -55,12 +47,6 @@ export default apiRoute((app) =>
); );
} }
if (debug) {
return response(JSON.stringify(user.toVersia(), null, 4), 200, {
"Content-Type": "application/json",
});
}
// Try to detect a web browser and redirect to the user's profile page // Try to detect a web browser and redirect to the user's profile page
if ( if (
context.req.header("user-agent")?.includes("Mozilla") && context.req.header("user-agent")?.includes("Mozilla") &&