NEW: add further security: rate-limiter, cors, request size limit, helmet
lajosf committed Jan 27, 2025
1 parent 50f0707 commit f576831
Showing 4 changed files with 101 additions and 6 deletions.
51 changes: 50 additions & 1 deletion package-lock.json


13 changes: 8 additions & 5 deletions package.json
Expand Up @@ -10,19 +10,22 @@
"private": true,
"dependencies": {
"@sap/cds": "^8",
"express": "^4"
"cors": "^2.8.5",
"express": "^4.21.2",
"express-rate-limit": "^7.5.0",
"helmet": "^8.0.0"
},
"devDependencies": {
"@cap-js/sqlite": "^1.7.8",
"@cap-js/cds-types": "^0.8.0",
"eslint": "^8.56.0",
"@cap-js/sqlite": "^1.7.8",
"@eslint/js": "^8.x.x",
"globals": "^13.x.x",
"@types/jest": "^29.5.14",
"axios": "^1.7.9",
"chai": "^4.5.0",
"chai-as-promised": "^7.1.2",
"chai-subset": "^1.6.0",
"eslint": "^8.56.0",
"globals": "^13.x.x",
"jest": "^29.7.0"
},
"scripts": {
Expand Down Expand Up @@ -68,4 +71,4 @@
}
}
}
}
}
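--- a/srv/middleware/security.js
+++ b/srv/middleware/security.js
@@ -0,0 +1,33 @@
+const helmet = require('helmet');
+const cors = require('cors');
+const rateLimit = require('express-rate-limit');
+const express = require('express');
+
+function setupSecurityMiddleware(app) {
+// Security headers
+app.use(helmet());
+
+// Rate limiting
+const limiter = rateLimit({
+windowMs: 15 * 60 * 1000, // 15 minutes
+max: 100, // limit each IP to 100 requests per windowMs
+message: 'Too many requests from this cosmic sector, please try again later',
+standardHeaders: true,
+legacyHeaders: false
+});
+app.use(limiter);
+
+// CORS configuration
+app.use(cors({
+origin: process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:4004'],
+methods: ['GET', 'POST', 'PATCH', 'DELETE'],
+allowedHeaders: ['Content-Type', 'Authorization'],
+credentials: true
+}));
+
+// Request size limiting
+app.use(express.json({ limit: '10kb' }));
+app.use(express.urlencoded({ extended: true, limit: '10kb' }));
+}
+
+module.exports = { setupSecurityMiddleware };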
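Review bot: The limiter built by `rateLimit({ ... })` buckets requests by `req.ip`, and when the app sits behind a reverse proxy (the usual deployment for a CAP service) every client then shares the proxy's address and the whole user base is throttled as one 100-requests-per-15-minutes bucket, unless Express is told how many proxy hops to trust; add `app.set('trust proxy', 1);` (adjusted to the real number of hops) before `app.use(limiter)`, and confirm the proxy sets `X-Forwarded-For`. In express-rate-limit v7 the `max` option is the older spelling of `limit`; it is still accepted, but `limit: 100` is the current form. `process.env.ALLOWED_ORIGINS?.split(',')` keeps surrounding whitespace, so a value such as `https://a.example, https://b.example` silently rejects the second origin; `.split(',').map((o) => o.trim())` avoids that, and with `credentials: true` the list should never contain `*`. The module is otherwise self-contained; where and when `setupSecurityMiddleware` is called decides whether these handlers run before CAP's own protocol adapters, which is worth checking at the call site.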
10 changes: 10 additions & 0 deletions srv/spacefarer-service.js
@@ -1,5 +1,6 @@
const cds = require('@sap/cds');
const { passwordService } = require('./lib/password-service');
const { setupSecurityMiddleware } = require('./middleware/security');

const LOG = cds.log('spacefarer-service');

Expand All @@ -8,8 +9,15 @@ const LOG = cds.log('spacefarer-service');
*/
class SpacefarerService extends cds.ApplicationService {
async init() {
const app = cds.app;

// Initialize parent
await super.init();

// Setup security middleware
setupSecurityMiddleware(app);

// Register event handlers
this.after(['READ', 'CREATE', 'UPDATE', 'DELETE'], 'GalacticSpacefarers', async (data, req) => {
LOG.info('Operation performed on GalacticSpacefarers', {
user: req.user?.id,
Expand All @@ -30,6 +38,8 @@ class SpacefarerService extends cds.ApplicationService {
this.after(['READ', 'CREATE'], 'GalacticSpacefarers', (each) => {
if (each.password) delete each.password;
});

await super.init();
}
}

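Review bot: `await super.init();` now appears twice in `init()` — once near the top, right before `setupSecurityMiddleware(app)`, and again after the last `this.after(...)` handler in the third hunk — so the parent class's initialization, and whatever handlers it registers, presumably executes twice; keep exactly one of the two calls (the final one matches the original placement). Registering app-wide Express middleware from inside one service's `init()` also ties helmet, CORS, rate limiting and the 10kb body limit to this service being constructed and to `app.use` running before CAP mounts its protocol adapters; if an adapter is already mounted when `init()` runs, those handlers never see requests to its routes. The conventional place is the server bootstrap, e.g. `cds.on('bootstrap', (app) => setupSecurityMiddleware(app));` in a `server.js`, which runs before any service is served and removes the dependency on service construction order. The body of `init()` continues outside the visible hunks between the second and third hunk.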
