fix ident and add extra test to env.test.js
PieterGit committed Feb 2, 2019
1 parent 8098cda commit a6b98c3
Showing 2 changed files with 53 additions and 51 deletions.
45 changes: 23 additions & 22 deletions app.js
@@ -14,35 +14,38 @@ function create(env, ctx) {
var appInfo = env.name + ' ' + env.version;
app.set('title', appInfo);
app.enable('trust proxy'); // Allows req.secure test on heroku https connections.
if (!process.env.insecureUseHttp) {
var insecureUseHttp = process.env.insecureUseHttp;
var secureHstsHeader = process.env.secureHstsHeader;
console.info('Security settings: INSECURE_USE_HTTP=', insecureUseHttp, ', SECURE_HSTS_HEADER=', secureHstsHeader);
if (!insecureUseHttp) {
app.use((req, res, next) => {
if (req.header('x-forwarded-proto') !== 'https')
res.redirect(`https://${req.header('host')}${req.url}`);
else
next()
})
if (process.env.secureHstsHeader) { // Add HSTS (HTTP Strict Transport Security) header
if (secureHstsHeader) { // Add HSTS (HTTP Strict Transport Security) header
const helmet = require('helmet');
var includeSubDomainsValue = process.env.secureHstsHeaderIncludeSubdomains;
var preloadValue = process.env.secureHstsHeaderPreload;
app.use(helmet({
hsts: {
maxAge: 31536000,
includeSubDomains: includeSubDomainsValue,
preload: preloadValue
}
}))
//if (env.settings.isEnabled('secureCsp')) { // Add Content-Security-Policy directive by default
if (process.env.secureCsp) {
app.use(helmet.contentSecurityPolicy({ //TODO make NS work without 'unsafe-inline'
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", 'https://fonts.googleapis.com/',"'unsafe-inline'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
fontSrc: [ "'self'", 'https://fonts.gstatic.com/']
}
}));
var preloadValue = process.env.secureHstsHeaderPreload;
app.use(helmet({
hsts: {
maxAge: 31536000,
includeSubDomains: includeSubDomainsValue,
preload: preloadValue
}
}))
//if (env.settings.isEnabled('secureCsp')) { // Add Content-Security-Policy directive by default
if (process.env.secureCsp) {
app.use(helmet.contentSecurityPolicy({ //TODO make NS work without 'unsafe-inline'
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", 'https://fonts.googleapis.com/',"'unsafe-inline'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
fontSrc: [ "'self'", 'https://fonts.gstatic.com/']
}
}));
}
}
}

@@ -192,7 +195,6 @@ function create(env, ctx) {
console.log('Production environment detected, enabling Minify');

var minify = require('express-minify');
var myUglifyJS = require('uglify-js');
var myCssmin = require('cssmin');

app.use(minify({
@@ -203,7 +205,6 @@ function create(env, ctx) {
stylus_match: /stylus/,
coffee_match: /coffeescript/,
json_match: /json/,
uglifyJS: myUglifyJS,
cssmin: myCssmin,
cache: __dirname + '/tmp',
onerror: undefined,
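Review bot: The flags read at the top of the first hunk come from `process.env.insecureUseHttp` and `process.env.secureHstsHeader`, while tests/env.test.js in this same commit configures them as `INSECURE_USE_HTTP` / `SECURE_HSTS_HEADER` and reads the parsed booleans from `env.insecureUseHttp` / `env.secureHstsHeader`; unless the env module also mirrors camelCase keys back into `process.env`, which this page does not show, the lookups here yield `undefined` on a case-sensitive platform and the redirect and HSTS branches ignore the configured value. Since `env` is already a parameter of `create`, `var insecureUseHttp = env.insecureUseHttp;` and `var secureHstsHeader = env.secureHstsHeader;` would read the same parsed source the tests exercise. The same concern applies to `includeSubDomainsValue` and `preloadValue`, which are handed to helmet as raw environment strings: the string `'false'` is truthy in JavaScript, so `includeSubDomains: 'false'` is likely still to emit the directive rather than suppress it. The redirect target is assembled from the client-supplied `Host` header, so a short comment on that line stating that the deployment's reverse proxy is expected to normalise `Host` would help a later reader judge the open-redirect exposure. `create` begins and ends outside this hunk.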
59 changes: 30 additions & 29 deletions tests/env.test.js
Expand Up @@ -3,68 +3,69 @@
require('should');

describe('env', function ( ) {
it('show the right plugins', function () {
it( 'show the right plugins', function () {
process.env.SHOW_PLUGINS = 'iob';
process.env.ENABLE = 'iob cob';

var env = require('../env')();
var env = require( '../env' )();
var showPlugins = env.settings.showPlugins;
showPlugins.should.containEql('iob');
showPlugins.should.containEql('delta');
showPlugins.should.containEql('direction');
showPlugins.should.containEql('upbat');
showPlugins.should.containEql( 'iob' );
showPlugins.should.containEql( 'delta' );
showPlugins.should.containEql( 'direction' );
showPlugins.should.containEql( 'upbat' );

delete process.env.SHOW_PLUGINS;
delete process.env.ENABLE;
});
} );

it('get extended settings', function () {
it( 'get extended settings', function () {
process.env.ENABLE = 'scaryplugin';
process.env.SCARYPLUGIN_DO_THING = 'yes';

var env = require('../env')();
env.settings.isEnabled('scaryplugin').should.equal(true);
var env = require( '../env' )();
env.settings.isEnabled( 'scaryplugin' ).should.equal( true );

//Note the camelCase
env.extendedSettings.scaryplugin.doThing.should.equal('yes');
env.extendedSettings.scaryplugin.doThing.should.equal( 'yes' );

delete process.env.ENABLE;
delete process.env.SCARYPLUGIN_DO_THING;
});
} );

it('add pushover to enable if one of the env vars is set', function () {
it( 'add pushover to enable if one of the env vars is set', function () {
process.env.PUSHOVER_API_TOKEN = 'abc12345';

var env = require('../env')();
env.settings.enable.should.containEql('pushover');
env.extendedSettings.pushover.apiToken.should.equal('abc12345');
var env = require( '../env' )();
env.settings.enable.should.containEql( 'pushover' );
env.extendedSettings.pushover.apiToken.should.equal( 'abc12345' );

delete process.env.PUSHOVER_API_TOKEN;
});
} );

it('add pushover to enable if one of the weird azure env vars is set', function () {
it( 'add pushover to enable if one of the weird azure env vars is set', function () {
process.env.CUSTOMCONNSTR_PUSHOVER_API_TOKEN = 'abc12345';

var env = require('../env')();
env.settings.enable.should.containEql('pushover');
env.extendedSettings.pushover.apiToken.should.equal('abc12345');
var env = require( '../env' )();
env.settings.enable.should.containEql( 'pushover' );
env.extendedSettings.pushover.apiToken.should.equal( 'abc12345' );

delete process.env.PUSHOVER_API_TOKEN;
});
} );

it('readENVTruthy ', function () {
it( 'readENVTruthy ', function () {
process.env.INSECURE_USE_HTTP = 'true';
var env = require('../env')();
var env = require( '../env' )();
env.insecureUseHttp.should.be.true();
process.env.INSECURE_USE_HTTP = 'false';
env = require('../env')();
env = require( '../env' )();
env.insecureUseHttp.should.be.false();
process.env.INSECURE_USE_HTTP = 'not set ok, so use default value false';
env = require('../env')();
env = require( '../env' )();
env.insecureUseHttp.should.be.false();
delete process.env.INSECURE_USE_HTTP; // unset INSECURE_USE_HTTP
env = require('../env')();
process.env.SECURE_HSTS_HEADER = 'true';
env = require( '../env' )();
env.insecureUseHttp.should.be.false(); // not defined should be false
env.secureHstsHeader.should.be.true();
});

});
})
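Review bot: The new case at the end of `readENVTruthy` sets `process.env.SECURE_HSTS_HEADER = 'true'` but never removes it, whereas every other case in this file deletes the variables it set, so the value leaks into whatever runs next in the same process; add `delete process.env.SECURE_HSTS_HEADER;` after `env.secureHstsHeader.should.be.true();`. Only the truthy reading of that flag is covered, so it would be worth asserting the other path as well, e.g. `process.env.SECURE_HSTS_HEADER = 'false'; env = require( '../env' )(); env.secureHstsHeader.should.be.false();`. The 'weird azure' case is reformatted here but still deletes `PUSHOVER_API_TOKEN` rather than the `CUSTOMCONNSTR_PUSHOVER_API_TOKEN` it set, so that token also persists across cases.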
