pinafore/server.js

const express = require('express')
const shrinkRay = require('shrink-ray-current')
const sapper = require('sapper')
const serveStatic = require('serve-static')
const app = express()
const helmet = require('helmet')

const headScriptChecksum = require('./inline-script-checksum').checksum

const { PORT = 4002 } = process.env

// this allows us to do e.g. `fetch('/_api/blog')` on the server
const fetch = require('node-fetch')
global.fetch = (url, opts) => {
  if (url[0] === '/') {
    url = `http://localhost:${PORT}${url}`
  }
  return fetch(url, opts)
}

const debugPaths = ['/report.html', '/stats.json']

const debugOnly = (fn) => (req, res, next) => (
  !~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)
)

const nonDebugOnly = (fn) => (req, res, next) => (
  ~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)
)

app.use(shrinkRay({threshold: 0}))

// report.html needs to have CSP disable because it has inline scripts
app.use(debugOnly(helmet()))
app.use(nonDebugOnly(helmet({
  contentSecurityPolicy: {
    directives: {
      scriptSrc: [`'self'`, `'sha256-${headScriptChecksum}'`],
      workerSrc: [`'self'`],
      styleSrc: [`'self'`, `'unsafe-inline'`],
      frameSrc: [`'none'`],
      objectSrc: [`'none'`],
      manifestSrc: [`'self'`]
    }
  },
  referrerPolicy: {
    policy: 'no-referrer'
  }
})))

app.use(serveStatic('assets', {
  setHeaders: (res) => {
    res.setHeader('Cache-Control', 'public,max-age=600')
  }
}))

debugPaths.forEach(debugPath => {
  app.use(debugPath, express.static(`.sapper/client${debugPath}`))
})

app.use(sapper())

app.listen(PORT, () => {
  console.log(`listening on port ${PORT}`)
})

// Handle SIGINT (source: https://git.io/vhJgF)
process.on('SIGINT', function () {
  process.exit(0)
})
expose report.html and stats.json 2018-03-25 21:47:01 +01:00			`const express = require('express')`
add zopfli/brotli encoding (#200) fixes #196 2018-04-21 15:06:08 +01:00			`const shrinkRay = require('shrink-ray-current')`
use standard 2018-02-09 06:29:29 +00:00			`const sapper = require('sapper')`
			`const serveStatic = require('serve-static')`
expose report.html and stats.json 2018-03-25 21:47:01 +01:00			`const app = express()`
use full helmet() middleware (#135) fixes #132 2018-04-15 23:39:45 +01:00			`const helmet = require('helmet')`
Add CSP (#119) Fixes #25 2018-04-14 23:50:16 +01:00
			`const headScriptChecksum = require('./inline-script-checksum').checksum`
initial commit 2018-01-06 23:51:25 +00:00
use standard 2018-02-09 06:29:29 +00:00			`const { PORT = 4002 } = process.env`
initial commit 2018-01-06 23:51:25 +00:00
refactor 2018-02-08 16:22:14 +00:00			// this allows us to do e.g. `fetch('/_api/blog')` on the server
use standard 2018-02-09 06:29:29 +00:00			`const fetch = require('node-fetch')`
initial commit 2018-01-06 23:51:25 +00:00			`global.fetch = (url, opts) => {`
disable CSP for /report.html (#151) * disable CSP for /report.html Fixes #150 * enable minimal helmet() for debug paths 2018-04-18 02:38:14 +01:00			`if (url[0] === '/') {`
			url = `http://localhost:${PORT}${url}`
			`}`
use standard 2018-02-09 06:29:29 +00:00			`return fetch(url, opts)`
			`}`
initial commit 2018-01-06 23:51:25 +00:00
disable CSP for /report.html (#151) * disable CSP for /report.html Fixes #150 * enable minimal helmet() for debug paths 2018-04-18 02:38:14 +01:00			`const debugPaths = ['/report.html', '/stats.json']`

			`const debugOnly = (fn) => (req, res, next) => (`
			`!~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)`
			`)`

			`const nonDebugOnly = (fn) => (req, res, next) => (`
			`~debugPaths.indexOf(req.path) ? next() : fn(req, res, next)`
			`)`

add zopfli/brotli encoding (#200) fixes #196 2018-04-21 15:06:08 +01:00			`app.use(shrinkRay({threshold: 0}))`
initial commit 2018-01-06 23:51:25 +00:00
disable CSP for /report.html (#151) * disable CSP for /report.html Fixes #150 * enable minimal helmet() for debug paths 2018-04-18 02:38:14 +01:00			`// report.html needs to have CSP disable because it has inline scripts`
			`app.use(debugOnly(helmet()))`
			`app.use(nonDebugOnly(helmet({`
use full helmet() middleware (#135) fixes #132 2018-04-15 23:39:45 +01:00			`contentSecurityPolicy: {`
			`directives: {`
			scriptSrc: [`'self'`, `'sha256-${headScriptChecksum}'`],
			workerSrc: [`'self'`],
			styleSrc: [`'self'`, `'unsafe-inline'`],
			frameSrc: [`'none'`],
			objectSrc: [`'none'`],
			manifestSrc: [`'self'`]
			`}`
add Referrer-Policy: no-referrer (#187) fixes #139 2018-04-20 05:38:22 +01:00			`},`
			`referrerPolicy: {`
			`policy: 'no-referrer'`
Add CSP (#119) Fixes #25 2018-04-14 23:50:16 +01:00			`}`
disable CSP for /report.html (#151) * disable CSP for /report.html Fixes #150 * enable minimal helmet() for debug paths 2018-04-18 02:38:14 +01:00			`})))`
Add CSP (#119) Fixes #25 2018-04-14 23:50:16 +01:00
fix Cache-Control in sapper 2018-03-21 03:46:37 +00:00			`app.use(serveStatic('assets', {`
			`setHeaders: (res) => {`
fix service worker caching issues hopefully 2018-03-26 05:31:40 +01:00			`res.setHeader('Cache-Control', 'public,max-age=600')`
fix Cache-Control in sapper 2018-03-21 03:46:37 +00:00			`}`
			`}))`
initial commit 2018-01-06 23:51:25 +00:00
disable CSP for /report.html (#151) * disable CSP for /report.html Fixes #150 * enable minimal helmet() for debug paths 2018-04-18 02:38:14 +01:00			`debugPaths.forEach(debugPath => {`
			app.use(debugPath, express.static(`.sapper/client${debugPath}`))
			`})`
expose report.html and stats.json 2018-03-25 21:47:01 +01:00
use standard 2018-02-09 06:29:29 +00:00			`app.use(sapper())`
initial commit 2018-01-06 23:51:25 +00:00
			`app.listen(PORT, () => {`
use standard 2018-02-09 06:29:29 +00:00			console.log(`listening on port ${PORT}`)
			`})`
Added Dockerfile (#313) * Added Dockerfile * Better comments in Dockerfile * Added SIGINT handler * Keeping code-check happy * Keeping code-check happy v2 * Keeping code-check happy v2 2018-05-25 03:59:48 +01:00
			`// Handle SIGINT (source: https://git.io/vhJgF)`
			`process.on('SIGINT', function () {`
			`process.exit(0)`
			`})`