Add some default (security) headers / remove unmaintained deps

2025-02-09 16:07:29 +01:00 · 2025-02-09 16:07:29 +01:00 · 64d317115c
commit 64d317115c
parent 5a583a94ff
9 changed files with 158 additions and 32836 deletions
--- a/docs/index.html
+++ b/docs/index.html
--- a/docs/schema.dbml
+++ b/docs/schema.dbml
@ -1,98 +0,0 @@
-//// ------------------------------------------------------
-//// THIS FILE WAS AUTOMATICALLY GENERATED (DO NOT MODIFY)
-//// ------------------------------------------------------
-
-Project "ATAS" {
-  database_type: ''
-  Note: ''
-}
-
-Table alerts {
-  id Int [pk, increment]
-  type alertType [not null]
-  state alertState [not null]
-  description String
-  date DateTime [not null]
-  actionplan actionPlan
-  actionplanId Int
-  acknowledged_by alertContacts [not null]
-  acknowledged_at DateTime
-}
-
-Table alertContacts {
-  id Int [pk, increment]
-  name String [not null]
-  phone String [unique, not null]
-  comment String
-  prios priorities [not null]
-  alerts alerts [not null]
-}
-
-Table actionPlan {
-  id Int [pk, increment]
-  name String [unique, not null]
-  comment String
-  alerthook String [unique, not null]
-  prio priorities [not null]
-  content content [not null]
-  alerts alerts [not null]
-}
-
-Table priorities {
-  id Int [pk, increment]
-  Contact alertContacts [not null]
-  contactId Int [not null]
-  priority Int [not null]
-  actionplan actionPlan [not null]
-  actionplanId Int [not null]
-
-  indexes {
-    (priority, actionplanId) [unique]
-  }
-}
-
-Table content {
-  id Int [pk, increment]
-  type contentType [not null]
-  name String [not null]
-  filename String [not null]
-  actionplan actionPlan [not null]
-}
-
-Table alertContactsToalerts {
-  acknowledged_byId Int [ref: > alertContacts.id]
-  alertsId Int [ref: > alerts.id]
-}
-
-Table actionPlanTocontent {
-  contentId Int [ref: > content.id]
-  actionplanId Int [ref: > actionPlan.id]
-}
-
-Enum contentType {
-  voice_alarm
-  voice_explainer
-  voice_acknowledgement
-  voice_ending
-}
-
-Enum alertType {
-  generic
-  fire
-  fault
-  intrusion
-  clear
-}
-
-Enum alertState {
-  incoming
-  running
-  failed
-  acknowledged
-}
-
-Ref: alerts.actionplanId > actionPlan.id
-
-Ref: priorities.contactId > alertContacts.id
-
-Ref: priorities.actionplanId > actionPlan.id
--- a/docs/styles/main.css
+++ b/docs/styles/main.css
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -33,8 +33,6 @@
 		"eslint": "^9.18.0",
 		"eslint-config-prettier": "^9.1.0",
 		"prisma": "^6.2.1",
-		"prisma-dbml-generator": "^0.12.0",
-		"prisma-docs-generator": "^0.8.0",
 		"tsx": "^4.19.2",
 		"typescript": "^5.7.3"
 	},
@ -46,6 +44,7 @@
 		"express": "^4.21.2",
 		"express-fileupload": "^1.5.1",
 		"express-session": "^1.18.1",
+		"helmet": "^8.0.0",
 		"joi": "^17.13.3",
 		"jquery": "^3.7.1",
 		"lodash": "^4.17.21",
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@ -13,23 +13,6 @@ datasource db {
 	url      = env("DATABASE_URL")
 }

-
-// https://github.com/pantharshit00/prisma-docs-generator
-generator docs {
-	provider = "node node_modules/prisma-docs-generator"
-	output   = "../docs"
-}
-
-// https://github.com/notiz-dev/prisma-dbml-generator
-// Viewer: https://dbdiagram.io/d
-generator dbml {
-	provider    = "prisma-dbml-generator"
-	output      = "../docs"
-	outputName  = "schema.dbml"
-	projectName = "ATAS"
-}
-
-
 enum contentType {
 	voice_alarm
 	voice_explainer
--- a/src/handlers/config.ts
+++ b/src/handlers/config.ts
@ -1,6 +1,7 @@
 import ConfigManager from '../libs/configManager.js';
 import __path from "./path.js";
 import _ from 'lodash';
+import log from './log.js';


 // Create a new config instance.
@ -8,7 +9,12 @@ const config = new ConfigManager(__path + '/config.json', true, {
 	db_connection_string: 'mysql://USER:PASSWORD@HOST:3306/DATABASE',
 	http_listen_address: '0.0.0.0',
 	http_port: 3000,
-	debug: true,
+	http_domain: 'example.org',
+	http_enable_hsts: false,
+	devmode: true,
+
+
+
 	auth: {
 		cookie_secret: 'gen',
 		cookie_secure: true,
@ -30,4 +36,6 @@ if (_.isEqual(config.global.auth.local.users, {})) {
 	config.save_config();
 }

+!config.global.devmode && log.core.error('devmode active! Do NOT use this in prod!');
+
 export default config;
--- a/src/index.ts
+++ b/src/index.ts
@ -1,17 +1,18 @@
 // MARK: Imports
 import path from 'node:path';
-import __path from "./handlers/path.js";
-import log from "./handlers/log.js";
-import db from "./handlers/db.js";
+import __path from './handlers/path.js';
+import log from './handlers/log.js';
+import db from './handlers/db.js';
 import config from './handlers/config.js';

 // Express & more
 import express from 'express';
-import cors from 'cors'
+import cors from 'cors';
+import helmet from 'helmet';
 import session from 'express-session';
 import fileUpload from 'express-fileupload';
 import bodyParser, { Options } from 'body-parser';
-import { Eta } from "eta";
+import { Eta } from 'eta';
 import passport from 'passport';

 import ChildProcess from 'child_process';
@ -20,28 +21,26 @@ import routes from './routes/index.js';

 import fs from 'node:fs';

-log.core.trace("Running from path: " + __path);
-
+log.core.trace('Running from path: ' + __path);

 // MARK: Express
 const app = express();

 // Versioning
 try {
-	const rawPkg = fs.readFileSync("package.json", 'utf8');
+	const rawPkg = fs.readFileSync('package.json', 'utf8');
 	const pkgJson = JSON.parse(rawPkg);
 	app.locals.version = pkgJson.version;
 } catch (error) {
-	log.core.error("Failed to get version from package.json.");
-	app.locals.version = "0.0.0";
+	log.core.error('Failed to get version from package.json.');
+	app.locals.version = '0.0.0';
 }

-
-try { 
+try {
 	app.locals.versionRevLong = ChildProcess.execSync('git rev-parse HEAD').toString().trim();
 	app.locals.versionRev = app.locals.versionRevLong.substring(0, 7);
 } catch (error) {
-	log.core.error("Failed to get git revision hash.");
+	log.core.error('Failed to get git revision hash.');
 	app.locals.versionRev = '0';
 	app.locals.versionRevLong = '0';
 }
@ -49,7 +48,7 @@ try {
 try {
 	app.locals.versionRevLatest = ChildProcess.execSync('git ls-remote --refs -q').toString().trim().split('\t')[0];
 } catch (error) {
-	log.core.error("Failed to get latest git revision hash.");
+	log.core.error('Failed to get latest git revision hash.');
 	app.locals.versionRevLatest = '0';
 }

@ -61,19 +60,31 @@ if (app.locals.versionRevLong === app.locals.versionRevLatest) {
 	app.locals.versionUpdateAvailable = true;
 }

-
-
 // ETA Init
-const eta = new Eta({ views: path.join(__path, "views") })
-app.engine("eta", buildEtaEngine())
-app.set("view engine", "eta")
-
+const eta = new Eta({ views: path.join(__path, 'views') });
+app.engine('eta', buildEtaEngine());
+app.set('view engine', 'eta');

 // MARK: Express Middleware & Config
-app.set('x-powered-by', false);
+app.set('x-powered-by', false); // helmet does this too. But not in devmode
+if (!config.global.devmode) {
+	app.use(
+		helmet({
+			strictTransportSecurity: config.global.http_enable_hsts,
+			contentSecurityPolicy: {
+				useDefaults: false,
+				directives: {
+					defaultSrc: ["'self'"],
+					scriptSrc: ["'self'", config.global.http_domain],
+					objectSrc: ["'none'"],
+					upgradeInsecureRequests: config.global.devmode ? null : []
+				}
+			}
+		})
+	); // Add headers
+}

 app.use(fileUpload());
-//app.use(cors());
 app.use(bodyParser.urlencoded({ extended: false }));
 app.use(bodyParser.json());

@ -90,16 +101,13 @@ app.use(
 app.use(passport.authenticate('session'));
 app.use(routes);

-
 app.listen(config.global.http_port, config.global.http_listen_address, () => {
 	log.web.info(`Listening at http://${config.global.http_listen_address}:${config.global.http_port}`);
 });

-
-
 // MARK: Helper Functions
 function buildEtaEngine() {
-	return (path:string, opts:Options, callback: CallableFunction) => {
+	return (path: string, opts: Options, callback: CallableFunction) => {
 		try {
 			const fileContent = eta.readFile(path);
 			const renderedTemplate = eta.renderString(fileContent, opts);
@ -109,4 +117,3 @@ function buildEtaEngine() {
 		}
 	};
 }
-
--- a/tsconfig.json
+++ b/tsconfig.json
@ -96,7 +96,7 @@
 		// "strictBuiltinIteratorReturn": true,              /* Built-in iterators are instantiated with a 'TReturn' type of 'undefined' instead of 'any'. */
 		// "noImplicitThis": true,                           /* Enable error reporting when 'this' is given the type 'any'. */
 		// "useUnknownInCatchVariables": true,               /* Default catch clause variables as 'unknown' instead of 'any'. */
-		// "alwaysStrict": true,                             /* Ensure 'use strict' is always emitted. */
+		"alwaysStrict": true,                             /* Ensure 'use strict' is always emitted. */
 		// "noUnusedLocals": true,                           /* Enable error reporting when local variables aren't read. */
 		// "noUnusedParameters": true,                       /* Raise an error when a function parameter isn't read. */
 		// "exactOptionalPropertyTypes": true,               /* Interpret optional property types as written, rather than adding 'undefined'. */