-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathapp.js
More file actions
107 lines (89 loc) · 3.05 KB
/
app.js
File metadata and controls
107 lines (89 loc) · 3.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
const express = require('express');
const path = require('path');
const bodyParser = require('body-parser');
const session = require('express-session');
const dotenv = require('dotenv');
const csrf = require('csurf');
const cookieParser = require('cookie-parser');
// Import security configuration
const setupSecurity = require('./config/securityConfig');
dotenv.config(); // Load environment variables
// Initialize express app
const app = express();
// Setup security middleware
setupSecurity(app);
// Basic middleware setup
app.use(express.static(path.join(__dirname, 'public')));
app.use(cookieParser());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
// Session setup
app.use(session({
name: "apms_session", // Session name in the cookie
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: true,
cookie: { secure: false } // Secure cookie in production
}));
// View engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'ejs');
// List of paths that should be exempt from CSRF protection
const csrfExcludedPaths = [
'/admin/grades/upload',
'/student/profile/image',
'/api'
];
// Custom CSRF middleware that excludes specific paths
app.use((req, res, next) => {
if (csrfExcludedPaths.some(path => req.path.startsWith(path))) {
return next();
}
csrf({ cookie: false })(req, res, next);
});
// Make CSRF token available to all views
app.use((req, res, next) => {
if (req.csrfToken) {
res.locals.csrfToken = req.csrfToken();
}
next();
});
// Import routes
const adminRoutes = require('./routes/admin/index');
const studentRoutes = require('./routes/student');
const authRoutes = require('./routes/auth');
const apiRoutes = require('./routes/api');
// Home route
app.get('/', (req, res) => {
res.redirect('/auth/login');
});
// Use routes
app.use('/admin', adminRoutes);
app.use('/student', studentRoutes);
app.use('/auth', authRoutes);
// app.use('/api', apiRoutes); // Add this line and comment the code below to use API routes without api key
// API key middleware for /api routes
app.use('/api', (req, res, next) => {
const apiKey = req.headers['x-api-key'];
if (!apiKey || apiKey !== process.env.API_KEY) {
return res.status(401).json({ error: 'Unauthorized: Invalid or missing API key' });
}
next();
}, apiRoutes); // Protect all /api routes
// Error handling middleware for CSRF errors
app.use((err, req, res, next) => {
if (err.code === 'EBADCSRFTOKEN') {
// Handle CSRF token errors
console.error('CSRF Error:', req.method, req.path);
return res.status(403).render('error', {
title: 'Security Error: CSRF Token Validation Failed',
message: 'Your form submission could not be processed due to a security check failure.'
});
}
next(err);
});
// Import and use error middleware
const errorMiddleware = require('./middlewares/errorMiddleware');
app.use(errorMiddleware.notFound);
app.use(errorMiddleware.internalServerError);
module.exports = app;