Whitelist ACME from FORCE_HTTPS

.eslintrc.yml

@@ -32,7 +32,7 @@ rules:
 
 overrides:
   # server:
-  - files: [ "index.html.js", "server.js", "webpack.config.js" ]
+  - files: [ "server/*.js", "server.js", "sslify.js", "webpack.config.js" ]
     parser: esprima
     env:
       browser: false

server.js

@@ -2,24 +2,31 @@ const fs = require('fs');
 const bodyParser = require('body-parser');
 const express = require('express');
 const helmet = require('helmet');
+const sslify = require('./server/sslify');
 
 const PORT = process.env.PORT || 8080;
-const { ENFORCE_SSL } = process.env;
+const { FORCE_HTTPS } = process.env;
 
 const app = express();
 
 app.use(helmet({
+  // HSTS is more trouble than it's worth (in our use case), since it wreaks
+  // havoc if accidentally enabled in the wrong environment.
   hsts: false,
 }));
-if (ENFORCE_SSL) {
-  app.use((req, res, next) =>
-    (req.secure ? next() : res.redirect(`https://${req.get('Host')}${req.url}`)));
+if (FORCE_HTTPS) {
+  app.use(sslify);
 }
 
 app.use(bodyParser.json({ type: 'application/*+json' }));
 app.use(express.static(__dirname));
 
-// Check if we're running on a local dev machine
+// The presence of `.env` signals to run in development mode.
+//
+// In this mode, the server loads environment variables from `.env` and runs
+// webpack-dev-server as middleware.
+//
+// Otherwise it depeends on a prior webpack build step.
 if (fs.existsSync('./.env')) {
   // Load environment variables from .env
   require('dotenv').config();
@@ -31,13 +38,13 @@ if (fs.existsSync('./.env')) {
   const compiler = webpack(webpackConfig);
 
   app.use(middleware(compiler, {
-    // webpack-dev-middleware options
+    // Options from https://github.com/webpack/webpack-dev-middleware#options
   }));
 }
 
-const getHtml = require('./index.html.js');
-// Ugly HTML template TODO: Do this better
-const html = getHtml();
+const html = fs
+  .readFileSync('./public/index.html', 'utf-8')
+  .replace(/\bsrc="\/public\/build(\/(.*\.)?bundle.js)"/g, 'src="$1"');
 
 app.get('*', (req, res) => {
   res.send(html);
@@ -49,5 +56,5 @@ const server = app.listen(PORT, () => {
   // address bar
   const host = address.replace(/^::$/, '0.0.0.0');
   // Printed thus, some terminals display a clickable link
-  console.log(`Dev server is listening at http://${host}:${port}/`);
+  console.log(`Server is listening at http://${host}:${port}/`);
 });

server/sslify.js

@@ -0,0 +1,13 @@
+// ACME (Let's Encrypt) requires HTTP access to paths with this prefix.
+const ACME_CHALLENGE_PATH = '/.well-known/acme-challenge/';
+
+// skip rewriting this request?
+const skip = req => req.secure || req.path.startsWith(ACME_CHALLENGE_PATH);
+
+// rewrite this request's URL as HTTPS
+const rewrite = req => `https://${req.get('Host')}${req.url}`;
+
+// ExpressJS middleware
+const sslify = (req, res, next) => (skip(req) ? next() : res.redirect(rewrite(req)));
+
+module.exports = sslify;