feat(core): added helmet, rate limit in sequence when respective conf…

…igs are present (#101)
sourcefuse · Dec 18, 2020 · cbcc00c · cbcc00c
1 parent dc9c7fc
commit cbcc00c
Show file tree

Hide file tree

Showing 96 changed files with 64,800 additions and 70,837 deletions.
diff --git a/packages/core/.eslintignore b/packages/core/.eslintignore
@@ -1,3 +1,5 @@
 node_modules/
 dist/
 coverage/
+
+.eslintrc.js
diff --git a/packages/core/package-lock.json b/packages/core/package-lock.json
diff --git a/packages/core/package.json b/packages/core/package.json
@@ -40,40 +40,41 @@
     "!*/__tests__"
   ],
   "dependencies": {
-    "@loopback/boot": "^2.3.1",
-    "@loopback/context": "^3.9.4",
-    "@loopback/core": "^2.7.0",
-    "@loopback/repository": "^2.5.1",
-    "@loopback/rest": "^5.0.1",
-    "@loopback/service-proxy": "^2.2.6",
+    "@loopback/boot": "^3.1.0",
+    "@loopback/context": "^3.13.0",
+    "@loopback/core": "^2.12.0",
+    "@loopback/openapi-v3": "^5.1.2",
+    "@loopback/repository": "^3.2.0",
+    "@loopback/rest": "^9.0.0",
+    "@loopback/service-proxy": "^3.0.3",
     "i18n": "^0.10.0",
     "jsonwebtoken": "^8.5.1",
-    "lodash": "^4.17.19",
+    "lodash": "^4.17.20",
     "logform": "^2.1.2",
     "loopback-datasource-juggler": "^4.21.2",
-    "loopback4-authentication": "^4.0.1",
-    "loopback4-authorization": "3.1.1",
-    "loopback4-helmet": "^1.0.3",
-    "loopback4-ratelimiter": "^1.0.0",
-    "loopback4-soft-delete": "^2.0.0",
+    "loopback4-authentication": "^4.1.0",
+    "loopback4-authorization": "^3.2.0",
+    "loopback4-helmet": "^2.0.0",
+    "loopback4-ratelimiter": "^2.0.0",
+    "loopback4-soft-delete": "^3.1.0",
     "moment": "^2.26.0",
     "moment-timezone": "^0.5.31",
-    "tslib": "^1.10.0",
+    "tslib": "^2.0.0",
     "winston": "^3.2.1"
   },
   "devDependencies": {
-    "@loopback/build": "^5.4.1",
-    "@loopback/eslint-config": "^7.0.1",
-    "@loopback/testlab": "^3.1.5",
+    "@loopback/build": "^6.2.6",
+    "@loopback/eslint-config": "^10.0.2",
+    "@loopback/testlab": "^3.2.8",
     "@types/i18n": "^0.8.6",
     "@types/jsonwebtoken": "^8.5.0",
     "@types/lodash": "^4.14.153",
     "@types/moment": "^2.13.0",
     "@types/moment-timezone": "^0.5.13",
-    "@types/node": "^10.17.24",
-    "eslint": "^7.0.0",
+    "@types/node": "^10.17.44",
+    "eslint": "^7.12.1",
     "source-map-support": "^0.5.19",
-    "typescript": "~3.9.3"
+    "typescript": "~4.0.5"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",

diff --git a/packages/core/src/component.ts b/packages/core/src/component.ts
@@ -12,6 +12,8 @@ import {LocaleKey} from './enums';
 import {SFCoreBindings} from './keys';
 import {LoggerExtensionComponent} from './components';
 import {CoreConfig} from './types';
+import {Loopback4HelmetComponent} from 'loopback4-helmet';
+import {RateLimiterComponent} from 'loopback4-ratelimiter';
 
 export class CoreComponent implements Component {
   constructor(
@@ -23,9 +25,12 @@ export class CoreComponent implements Component {
     // Mount logger component
     this.application.component(LoggerExtensionComponent);
 
+    this.application.component(Loopback4HelmetComponent);
+    this.application.component(RateLimiterComponent);
+
     // Configure locale provider
 
-    if (this.coreConfig && this.coreConfig.configObject) {
+    if (this.coreConfig?.configObject) {
       configure({...this.coreConfig.configObject, register: this.localeObj});
     } else {
       configure({

diff --git a/packages/core/src/components/logger-extension/keys.ts b/packages/core/src/components/logger-extension/keys.ts
@@ -18,6 +18,7 @@ export namespace LOGGER {
   /**
    * Enum to define the supported log levels
    */
+  /* eslint-disable-next-line  @typescript-eslint/naming-convention */
   export enum LOG_LEVEL {
     DEBUG,
     INFO,

diff --git a/packages/core/src/constants/file-extensions.ts b/packages/core/src/constants/file-extensions.ts
@@ -1,4 +1,5 @@
 export class FileExtensions {
+  /* eslint-disable-next-line  @typescript-eslint/naming-convention */
   static readonly Prohibited = [
     '.0xe',
     '.A6P',

diff --git a/packages/core/src/enums/status-codes.enum.ts b/packages/core/src/enums/status-codes.enum.ts
@@ -1,3 +1,4 @@
+/* eslint-disable-next-line  @typescript-eslint/naming-convention */
 export const enum STATUS_CODE {
   // sonarignore:start
   OK = 200,

diff --git a/packages/core/src/secure-sequence.ts b/packages/core/src/secure-sequence.ts
@@ -65,6 +65,10 @@ export class SecureSequence implements SequenceHandler {
     protected rateLimitAction: RateLimitAction,
     @inject(SFCoreBindings.i18n)
     protected i18n: i18nAPI, // sonarignore:end
+    @inject(RateLimitSecurityBindings.CONFIG, {optional: true})
+    private readonly rateLimitConfig?: object,
+    @inject(HelmetSecurityBindings.CONFIG, {optional: true})
+    private readonly helmetConfig?: object,
   ) {}
 
   async handle(context: RequestContext) {
@@ -87,8 +91,13 @@ export class SecureSequence implements SequenceHandler {
       const route = this.findRoute(request);
       const args = await this.parseParams(request, route);
 
-      await this.rateLimitAction(request, response);
-      await this.helmetAction(request, response);
+      if (this.rateLimitConfig) {
+        await this.rateLimitAction(request, response);
+      }
+
+      if (this.helmetConfig) {
+        await this.helmetAction(request, response);
+      }
 
       const authUser: IAuthUserWithPermissions = await this.authenticateRequest(
         request,
@@ -167,8 +176,7 @@ export class SecureSequence implements SequenceHandler {
     ) {
       return JSON.parse(err.message).error as Error;
     } else if (
-      err.message &&
-      err.message.message &&
+      err.message?.message &&
       isJsonString(err.message.message) &&
       JSON.parse(err.message.message).error
     ) {

diff --git a/packages/core/src/service-sequence.ts b/packages/core/src/service-sequence.ts
@@ -168,8 +168,7 @@ export class ServiceSequence implements SequenceHandler {
     ) {
       return JSON.parse(err.message).error as Error;
     } else if (
-      err.message &&
-      err.message.message &&
+      err.message?.message &&
       isJsonString(err.message.message) &&
       JSON.parse(err.message.message).error
     ) {

diff --git a/packages/core/src/utils.ts b/packages/core/src/utils.ts
@@ -27,12 +27,7 @@ export const getDOBFromAge = (age: number): Date => {
 };
 
 export const rateLimitKeyGen = (req: Request) => {
-  return (
-    (req.headers &&
-      req.headers.authorization &&
-      req.headers.authorization.replace(/bearer /i, '')) ||
-    req.ip
-  );
+  return req.headers?.authorization?.replace(/bearer /i, '') ?? req.ip;
 };
 
 export const rateLimitKeyGenPublic = (req: Request) =>

diff --git a/sandbox/auth-multitenant-example/.env.example b/sandbox/auth-multitenant-example/.env.example
@@ -27,4 +27,7 @@ KEYCLOAK_HOST=
 KEYCLOAK_REALM=
 KEYCLOAK_CLIENT_ID=
 KEYCLOAK_CLIENT_SECRET=
-KEYCLOAK_CALLBACK_URL=
+KEYCLOAK_CALLBACK_URL=
+RATE_LIMITER_WINDOW_MS=
+RATE_LIMITER_MAX_REQS=
+X_FRAME_OPTIONS=
diff --git a/sandbox/auth-multitenant-example/.eslintignore b/sandbox/auth-multitenant-example/.eslintignore
@@ -1,3 +1,5 @@
 node_modules/
 dist/
 coverage/
+
+.eslintrc.js
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,6 +18,7 @@ export namespace LOGGER { @@
       /**
        * Enum to define the supported log levels
        */
+      /* eslint-disable-next-line  @typescript-eslint/naming-convention */
       export enum LOG_LEVEL {
         DEBUG,
         INFO,
@@ Expand Down @@