pinafore/server.js

// Framework and middleware dependencies.
const express = require('express')
const helmet = require('helmet')
const sapper = require('sapper')
const serveStatic = require('serve-static')
const shrinkRay = require('shrink-ray-current')

// Interpolated into the CSP script-src allow-list as a 'sha256-…' source.
// NOTE(review): presumably the digest of the inline <head> script; it has to
// be regenerated whenever that script changes or the browser will block it.
const { checksum: headScriptChecksum } = require('./inline-script-checksum')

const app = express()

// Listening port: taken from the environment (a string when set), otherwise 4002.
const { PORT = 4002 } = process.env
// this allows us to do e.g. `fetch('/_api/blog')` on the server
const fetch = require('node-fetch')

// Process-wide override: any URL whose first character is '/' is sent to this
// server over loopback HTTP; everything else is passed to node-fetch untouched.
// A protocol-relative value such as '//host/path' also starts with '/', so it
// is resolved against localhost as well rather than leaving the machine.
global.fetch = (url, opts) => {
  const target = url[0] === '/' ? `http://localhost:${PORT}${url}` : url
  return fetch(target, opts)
}
// Paths that are exempt from the strict Content-Security-Policy.
const debugPaths = ['/report.html', '/stats.json']

// True only for an exact, case-sensitive match on req.path. Any other spelling
// of a debug path is treated as a normal route and gets the strict policy.
const isDebugPath = (req) => debugPaths.includes(req.path)

/**
 * Wraps a middleware so that it runs only for the debug paths;
 * every other request is handed straight to next().
 */
const debugOnly = (fn) => (req, res, next) => {
  if (isDebugPath(req)) {
    return fn(req, res, next)
  }
  return next()
}

/**
 * Wraps a middleware so that it runs for every request except the debug
 * paths, which are handed straight to next().
 */
const nonDebugOnly = (fn) => (req, res, next) => {
  if (isDebugPath(req)) {
    return next()
  }
  return fn(req, res, next)
}
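// Compress every response regardless of size (threshold: 0).
app.use(shrinkRay({ threshold: 0 }))

// report.html needs to have CSP disabled because it has inline scripts.
// CSP is switched off explicitly instead of relying on helmet's default:
// helmet 4 and later send a default Content-Security-Policy, so a bare
// helmet() would start blocking those inline scripts after an upgrade.
// The remaining helmet headers still apply to the debug paths.
app.use(debugOnly(helmet({ contentSecurityPolicy: false })))

// Every other route gets the strict policy below.
// NOTE(review): no default-src is listed, so fetch directives that are not
// named here (img-src, connect-src, ...) are restricted only if the installed
// helmet version merges in its own defaults; confirm against the emitted header.
app.use(nonDebugOnly(helmet({
  contentSecurityPolicy: {
    directives: {
      // Same-origin script files plus the single inline script whose hash matches.
      scriptSrc: [`'self'`, `'sha256-${headScriptChecksum}'`],
      workerSrc: [`'self'`],
      // 'unsafe-inline' allows inline styles, so markup injection can still
      // restyle the page even though injected scripts are blocked.
      styleSrc: [`'self'`, `'unsafe-inline'`],
      // No frames and no plugin content at all.
      frameSrc: [`'none'`],
      objectSrc: [`'none'`],
      manifestSrc: [`'self'`]
    }
  },
  // Never send a Referer header on outgoing navigations or subresource requests.
  referrerPolicy: {
    policy: 'no-referrer'
  }
})))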
// TODO: remove this hack when Safari works with cross-origin window.open()
// in a PWA: https://github.com/nolanlawson/pinafore/issues/45
//
// The User-Agent header is supplied by the client, so this is a compatibility
// workaround only; it does not keep anyone from fetching the manifest.
const IOS_USER_AGENT = /iP(?:hone|ad|od)/
app.get('/manifest.json', (req, res, next) => {
  const isIos = IOS_USER_AGENT.test(req.headers['user-agent'])
  if (!isIos) {
    // Fall through to the static handler registered later.
    return next()
  }
  return res.status(404).send({
    error: 'manifest.json is disabled for iOS. see https://github.com/nolanlawson/pinafore/issues/45'
  })
})
// Static files from ./assets are marked publicly cacheable for ten minutes.
// 'public' lets shared caches store them, so nothing user-specific belongs
// in that directory.
const setAssetHeaders = (res) => {
  res.setHeader('Cache-Control', 'public,max-age=600')
}
app.use(serveStatic('assets', { setHeaders: setAssetHeaders }))
// Expose each debug artefact from the Sapper client build directory.
// NOTE(review): these mounts are unconditional (no environment check is
// visible here) and the debug paths are exempt from the strict CSP, so if the
// files exist in a production build they are publicly readable. Confirm that
// is intended, or gate the mounts on the build mode.
for (const debugPath of debugPaths) {
  app.use(debugPath, express.static(`.sapper/client${debugPath}`))
}
// Mounted last, so Sapper only sees requests that no earlier middleware ended.
app.use(sapper())

// No host argument is given, so the bind address is Node's default (all
// interfaces); restrict it at the network layer or pass a host if the server
// should only be reachable through a local reverse proxy.
const announceListening = () => console.log(`listening on port ${PORT}`)
app.listen(PORT, announceListening)
// Handle SIGINT (source: https://git.io/vhJgF)
// Exits straight away with status 0; in-flight requests are not drained first.
process.on('SIGINT', () => {
  process.exit(0)
})