Merge pull request #149 from PierreBrisorgueil/checkSSL

Check ssl
weareopensource · Apr 12, 2019 · da77899 · da77899
2 parents 5c2c64a + 95309cf
commit da77899
Show file tree

Hide file tree

Showing 6 changed files with 175 additions and 151 deletions.
diff --git a/README.md b/README.md
@@ -34,7 +34,7 @@ Our stack node is actually in Beta.
 | DataBase  | [Mongo 4.x LTS](https://www.mongodb.com/download-center/community) &  [mongoose](https://github.com/Automattic/mongoose) (user management & crud Task example) <br> [Sequelize](https://github.com/sequelize/sequelize) : PostgreSQL, MySQL, SQLit 4.x (option - crud Task example) <br> [JOI](https://github.com/hapijs/joi) Models & Repository for database code abstraction <br> seed functions
 | Testing |  [Jest](https://github.com/facebook/jest) & [SuperTest](https://github.com/visionmedia/supertest) (Coverage & Watch) <br> *example of mocha with gulp available*
 | Linter  | [ESLint](https://github.com/eslint/eslint) ecmaVersion 10 (2019)
-| Security | JWT Stateless - [passport-jwt](https://github.com/themikenicholson/passport-jwt) <br> Passwords: [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) - [zxcvbn](https://github.com/dropbox/zxcvbn) <br> DataBases options available (auth, ssl ..) <br> SSL options availble 
+| Security | JWT Stateless - [passport-jwt](https://github.com/themikenicholson/passport-jwt) <br> Passwords: [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) - [zxcvbn](https://github.com/dropbox/zxcvbn) <br> DataBases options available (auth, ssl ..) <br> [SSL](https://github.com/weareopensource/Node/blob/master/WIKI.md#SSL) Express / Reverse Proxy (must be activated, otherwise => plain text password)
 | API | Default answer wrapper (helper) : [jsend](https://github.com/omniti-labs/jsend) like : status, message, data or error <br>  Default error handling (helper) : formatted by the controller, Custom ES6 errors for other layers
 | CI  | [Travis CI](https://travis-ci.org/weareopensource/Node) 
 | Developer  | [Coveralls](https://coveralls.io/github/weareopensource/Node) - [Code Climate](https://codeclimate.com/github/weareopensource/Node) - [Dependency status](https://david-dm.org/weareopensource/node) - [GreenKeeper](https://greenkeeper.io) - [Snyk](https://snyk.io/test/github/weareopensource/node) <br> [standard-version](https://github.com/conventional-changelog/standard-version) - [commitlint](https://github.com/conventional-changelog/commitlint) - [commitizen](https://github.com/commitizen/cz-cli) - [waos-conventional-changelog](https://github.com/WeAreOpenSourceProjects/waos-conventional-changelog)

diff --git a/WIKI.md b/WIKI.md
@@ -11,7 +11,8 @@ Welcome to the Node wiki! Here you will find various information about this repo
 #### Node Wiki 
 
 * [Api](https://github.com/weareopensource/Node/blob/master/WIKI.md#API)
-* [Errors](https://github.com/weareopensource/Node/blob/master/WIKI.md#Errors)
+* [SSL](https://github.com/weareopensource/Node/blob/master/WIKI.md#SSL)
+
 
 #### Other informations
 
@@ -31,9 +32,7 @@ Welcome to the Node wiki! Here you will find various information about this repo
 
 ## API
 
-### API answers rules : 
-
-#### success
+### success
 
 `responses.success(res, 'task created')({});`
 
@@ -47,25 +46,11 @@ body :
 }
 ```
 
-#### error
+### errors
 
-`responses.error(res, 422, 'task creation failed')({err});`
-
-body : 
+#### default
 
-```
-{ 
-	type: 'error', 
-	message: 'task creation failed' 
-	error: {err}
-}
-```
-
-## Errors
-
-#### controller
-
-`responses.error(res, 422, errors.getMessage(err))({err});`
+`responses.error(res, 422, 'task creation failed')({err});`
 
 body : 
 
@@ -77,7 +62,7 @@ body :
 }
 ```
 
-#### schema errors
+#### schema
 
 `responses.error(res, 422, errors.getMessage(err))({err});`
 
@@ -86,21 +71,21 @@ body :
 ```
 { 
 	type: 'error',
-   message: 'schema validation error',
-   error: { 
-       original: { 
-            title: 2, 
-            description: 'do something about something else' 
-       },
-       details: [{ 
+	message: 'schema validation error',
+	error: { 
+		original: { 
+			title: 2, 
+			description: 'do something about something else' 
+		},
+       details: [{
        	message: 'title must be a string', 
-       	type: 'string.base' 
-       } ] 
+       	type: 'string.base'
+       }] 
    } 
 }
 ```
 
-#### service & others errors
+#### service & others
 
 `throw new AppError('invalid user or password.', { code: 'SERVICE_ERROR', details: [] });`
 
@@ -112,12 +97,12 @@ body :
    message: 'invalid user or password.',
    error: { 
 	   code: 'SERVICE_ERROR',
-       details: [] 
+	   details: [] 
    } 
 }
 ```
 
-#### Authentication errors
+#### Authentication
 
 status : 401 
 error : 
@@ -127,3 +112,40 @@ error :
 	text: 'Unauthorized'
 }
 ```
+
+## SSL
+
+There are two ways to set up https, the most used way is to set up a reverse proxy in front of the server node, and enable let's encrypt.
+
+The second is to set up https directly at the node server.
+
+Both are possible with the stack.
+
+### Reverse Proxy with Let's Encrypt 
+
+We recommend this method, however we will not explain it. Many [tutorials](https://www.google.com/search?client=safari&rls=en&ei=ZFqwXNGMB43jgweCnbXgCg&q=node+let%27s+encrypt+nginx&oq=node+let%27s+encrypt+nginx&gs_l=psy-ab.3..0i8i13i30l3.9384.13054..13286...0.0..0.52.1036.24......0....1..gws-wiz.......0i71j0i67j0j0i131j0i22i30j0i13i30j0i13i10i30j0i19j0i13i30i19j0i22i30i19j0i22i10i30i19j0i8i13i30i19.ejqWS4vw2Qs) already exist, and it depends on what you use, [apache](https://httpd.apache.org), [nginx](https://www.nginx.com), [traeffik](https://traefik.io), [Let's Encrypt](https://letsencrypt.org) ...
+
+### Express TLS - SSL
+
+To run your application in a secure manner with express you'll need to use OpenSSL and generate a set of self-signed certificates. 
+
+* Unix-based users can use the following command:
+
+	```bash
+	$ npm run generate-ssl-certs
+	```
+this will create cert and key files and place them in *config/sslcerts* folder.
+
+* Windows users can follow instructions found [here](http://www.websense.com/support/article/kbarticle/How-to-use-OpenSSL-and-Microsoft-Certification-Authority).
+After you've generated the key and certificate, place them in the *config/sslcerts* folder.
+
+Finally, uncomment and activate ssl in configuration (*config/defaults/development.js*) :
+
+```
+// SSL on express server (FYI : Wiki)
+secure: {
+   ssl: true,
+   key: './config/sslcerts/key.pem',
+   cert: './config/sslcerts/cert.pem',
+},
+```
diff --git a/config/defaults/development.js b/config/defaults/development.js
@@ -33,15 +33,12 @@ module.exports = {
     },
     promise: global.Promise,
   },
-  secure: {
-    ssl: false,
-    /**
-     ssl: true,
-     privateKey: './config/sslcerts/key.pem',
-     certificate: './config/sslcerts/cert.pem',
-     caBundle: './config/sslcerts/cabundle.crt'
-    */
-  },
+  // SSL on express server (FYI : Wiki)
+  // secure: {
+  //   ssl: false,
+  //   key: './config/sslcerts/key.pem',
+  //   cert: './config/sslcerts/cert.pem',
+  // },
   log: {
     fileLogger: {
       directoryPath: process.cwd(),

diff --git a/config/index.js b/config/index.js
@@ -76,22 +76,28 @@ const validateDomainIsSet = (config) => {
 };
 
 /**
- * Validate Secure=true parameter can actually be turned on
- * because it requires certs and key files to be available
+ * validate secure parameters and create credentials in consequence value for ssl
+ * @param config
  */
-const validateSecureMode = (config) => {
-  if (!(!config.secure || config.secure.ssl !== true)) {
-    const privateKey = fs.existsSync(path.resolve(config.secure.privateKey));
-    const certificate = fs.existsSync(path.resolve(config.secure.certificate));
-    if (!privateKey || !certificate) {
-      console.log(chalk.red('+ Error: Certificate file or key file is missing, falling back to non-SSL mode'));
-      console.log(chalk.red('  To create them, simply run the following from your shell: sh ./scripts/generate-ssl-certs.sh'));
-      console.log();
-      config.secure.ssl = false;
-    }
-    return false;
+const initSecureMode = (config) => {
+  if (!config.secure || config.secure.ssl !== true) {
+    return true;
+  }
+
+  const key = fs.existsSync(path.resolve(config.secure.key));
+  const cert = fs.existsSync(path.resolve(config.secure.cert));
+
+  if (!key || !cert) {
+    console.log(chalk.red('+ Error: Certificate file or key file is missing, falling back to non-SSL mode'));
+    console.log(chalk.red('  To create them, simply run the following from your shell: sh ./scripts/generate-ssl-certs.sh'));
+    console.log();
+    config.secure.ssl = false;
+  } else {
+    config.secure.credentials = {
+      key: fs.readFileSync(path.resolve(config.secure.key)),
+      cert: fs.readFileSync(path.resolve(config.secure.cert)),
+    };
   }
-  return true;
 };
 
 /**
@@ -155,8 +161,8 @@ const initGlobalConfig = () => {
   // Initialize global globbed files
   initGlobalConfigFiles(config, assets);
 
-  // Validate Secure SSL mode can be used
-  validateSecureMode(config);
+  // Init Secure SSL if can be used
+  initSecureMode(config);
 
   // Print a warning if config.domain is not set
   validateDomainIsSet(config);