radziel/spotlightcam
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a110ddb6a65aaa69a9609490861c4f7ffbf0734e
spotlightcam/backend/src/app.js
Radosław Gierwiało 901b046a34 feat(backend): implement dashboard API endpoint 
- Add GET /api/dashboard endpoint for authenticated users
- Returns active events with user heats
- Returns accepted matches with partner info
- Detects video exchange status from message parsing
- Tracks rating completion status (rated by me/partner)
- Returns incoming/outgoing pending match requests
- Add comprehensive test suite (12 tests, 93% coverage)
- Add DASHBOARD_PLAN.md with full design documentation
2025-11-21 21:00:50 +01:00

153 lines
4.0 KiB
JavaScript
Raw Blame History

const express = require('express');
const cors = require('cors');
const helmet = require('helmet');
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const securityConfig = require('./config/security');
const { apiLimiter } = require('./middleware/rateLimiter');
const app = express();
// Security Headers (helmet)
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'", "https://ui-avatars.com"],
scriptSrc: ["'self'"],
imgSrc: ["'self'", "data:", "https:", "https://ui-avatars.com"],
connectSrc: ["'self'"],
fontSrc: ["'self'"],
objectSrc: ["'none'"],
mediaSrc: ["'self'"],
frameSrc: ["'none'"],
},
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true,
},
noSniff: true,
xssFilter: true,
hidePoweredBy: true,
}));
// CORS
app.use(cors({
origin: (origin, callback) => {
const allowedOrigins = securityConfig.cors.origin;
// Allow requests with no origin (mobile apps, curl, etc.)
if (!origin) return callback(null, true);
if (allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
credentials: securityConfig.cors.credentials,
maxAge: 86400, // 24 hours
}));
// Body parsing with size limits
app.use(express.json({ limit: securityConfig.bodyLimit }));
app.use(express.urlencoded({ extended: true, limit: securityConfig.bodyLimit }));
// Cookie parser (required for CSRF protection)
app.use(cookieParser());
// CSRF Protection (Phase 3 - Security Hardening)
if (securityConfig.csrf.enabled) {
const csrfProtection = csrf({
cookie: {
httpOnly: true,
secure: process.env.NODE_ENV === 'production', // HTTPS only in production
sameSite: 'strict',
}
});
// Apply CSRF protection to all routes
app.use(csrfProtection);
// CSRF token endpoint - provides token to clients
app.get('/api/csrf-token', (req, res) => {
res.json({ csrfToken: req.csrfToken() });
});
// CSRF error handler
app.use((err, req, res, next) => {
if (err.code === 'EBADCSRFTOKEN') {
return res.status(403).json({
success: false,
error: 'Invalid CSRF token',
message: 'Form submission failed. Please refresh the page and try again.',
});
}
next(err);
});
}
// Request logging middleware
app.use((req, res, next) => {
console.log(`${new Date().toISOString()} - ${req.method} ${req.path}`);
next();
});
// Health check endpoint
app.get('/api/health', (req, res) => {
res.status(200).json({
status: 'ok',
message: 'Backend is running',
timestamp: new Date().toISOString(),
environment: process.env.NODE_ENV || 'development'
});
});
// Apply rate limiting to all API routes
app.use('/api/', apiLimiter);
// API routes
app.use('/api/auth', require('./routes/auth'));
app.use('/api/users', require('./routes/users'));
app.use('/api/dashboard', require('./routes/dashboard'));
app.use('/api/events', require('./routes/events'));
app.use('/api/wsdc', require('./routes/wsdc'));
app.use('/api/divisions', require('./routes/divisions'));
app.use('/api/competition-types', require('./routes/competitionTypes'));
app.use('/api/matches', require('./routes/matches'));
// app.use('/api/ratings', require('./routes/ratings'));
// 404 handler
app.use((req, res) => {
res.status(404).json({
error: 'Not Found',
message: `Cannot ${req.method} ${req.path}`
});
});
// Error handler
app.use((err, req, res, next) => {
// Log full error for debugging
console.error('Error:', err);
// Determine if we should show detailed errors
const isDevelopment = process.env.NODE_ENV === 'development';
// Generic error response
const errorResponse = {
success: false,
error: isDevelopment ? err.message : 'Internal Server Error',
};
// Add stack trace only in development
if (isDevelopment && err.stack) {
errorResponse.stack = err.stack;
}
res.status(err.status || 500).json(errorResponse);
});
module.exports = app;
Reference in New Issue View Git Blame Copy Permalink