refactor: middleware
Signed-off-by: bhavanakarwade <[email protected]>
bhavanakarwade committed Dec 4, 2024
1 parent 5e252e0 commit 6152f76
Showing 1 changed file with 62 additions and 23 deletions.
85 changes: 62 additions & 23 deletions src/middleware.ts
@@ -1,36 +1,75 @@
// import { envConfig } from "./config/envConfig";
// import { pathRoutes } from "./config/pathRoutes";

import { envConfig } from "./config/envConfig";
import { pathRoutes } from "./config/pathRoutes";

// export const onRequest = async (context: any, next: any) => {
// const response = await next();
// const html = await response.text();

// const domains = envConfig.PUBLIC_ALLOW_DOMAIN;

// const allowedDomain = `${context.url.origin} ${domains}`

// const nonce = "dynamicNONCE" + new Date().getTime().toString();

// response.headers.set('Content-Security-Policy',`default-src 'self'; script-src 'self' ${allowedDomain} 'nonce-${nonce}_scripts'; style-src 'unsafe-inline' ${allowedDomain}; font-src ${allowedDomain}; img-src 'self' data: ${allowedDomain}; frame-src 'self' ${allowedDomain}; object-src 'none'; media-src 'self'; connect-src 'self' ${allowedDomain}; form-action 'self'; frame-ancestors 'self'; `);
// response.headers.set('X-Frame-Options', "DENY");
// response.headers.set('X-Content-Type-Options', 'nosniff');
// response.headers.set('Access-Control-Allow-Origin', allowedDomain)
// response.headers.set('ServerTokens', 'dummy_server_name')
// response.headers.set('server_tokens', 'off')
// response.headers.set('server', 'dummy_server_name')
// response.headers.set('Server', 'dummy_server_name')
// response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
// response.headers.set("X-XSS-Protection", "1; mode=block")

// let updatedHtml = await html.split("<script").join(`<script nonce="${nonce}_scripts" `)

// // If Access token and refresh token is not valid then redirect user to login page
// if(response.status === 302){
// return context.redirect(pathRoutes.auth.sinIn)
// }

// return new Response(updatedHtml, {
// status: 200,
// headers: response.headers
// });
// };

export const onRequest = async (context: any, next: any) => {
const response = await next();
const html = await response.text();

const domains = envConfig.PUBLIC_ALLOW_DOMAIN;

const allowedDomain = `${context.url.origin} ${domains}`

const nonce = "dynamicNONCE" + new Date().getTime().toString();
const allowedDomain = `${context.url.origin} ${domains}`;

// Generate a dynamic nonce
const nonce = `dynamicNONCE-${new Date().getTime()}`;

response.headers.set('Content-Security-Policy',`default-src 'self'; script-src 'self' ${allowedDomain} 'nonce-${nonce}_scripts'; style-src 'unsafe-inline' ${allowedDomain}; font-src ${allowedDomain}; img-src 'self' data: ${allowedDomain}; frame-src 'self' ${allowedDomain}; object-src 'none'; media-src 'self'; connect-src 'self' ${allowedDomain}; form-action 'self'; frame-ancestors 'self'; `);
response.headers.set('X-Frame-Options', "DENY");
// Update CSP headers
response.headers.set(
'Content-Security-Policy',
`default-src 'self'; script-src 'self' ${allowedDomain} 'nonce-${nonce}'; style-src 'unsafe-inline' ${allowedDomain}; font-src ${allowedDomain}; img-src 'self' data: ${allowedDomain}; frame-src 'self' ${allowedDomain}; object-src 'none'; media-src 'self'; connect-src 'self' ${allowedDomain}; form-action 'self'; frame-ancestors 'self';`
);
response.headers.set('X-Frame-Options', 'DENY');
response.headers.set('X-Content-Type-Options', 'nosniff');
response.headers.set('Access-Control-Allow-Origin', allowedDomain)
response.headers.set('ServerTokens', 'dummy_server_name')
response.headers.set('server_tokens', 'off')
response.headers.set('server', 'dummy_server_name')
response.headers.set('Server', 'dummy_server_name')
response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
response.headers.set("X-XSS-Protection", "1; mode=block")

let updatedHtml = await html.split("<script").join(`<script nonce="${nonce}_scripts" `)

// If Access token and refresh token is not valid then redirect user to login page
if(response.status === 302){
return context.redirect(pathRoutes.auth.sinIn)
response.headers.set('Access-Control-Allow-Origin', allowedDomain);
response.headers.set('Server', 'SSI');
response.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
response.headers.set('X-XSS-Protection', '1; mode=block');

// Safely modify HTML
const updatedHtml = html.replace(/<script/g, `<script nonce="${nonce}"`);

// Redirect to login if unauthorized (status 302)
if (response.status === 302) {
return context.redirect(pathRoutes.auth.sinIn);
}

return new Response(updatedHtml, {
status: 200,
headers: response.headers
headers: response.headers,
});
};
};
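Review bot: The nonce produced under the "Generate a dynamic nonce" comment is derived from `new Date().getTime()`, so anyone who can estimate the request time to the millisecond can guess it, which defeats the purpose of a CSP nonce; it should come from a CSPRNG, e.g. `const nonce = crypto.randomUUID();` — the same variable feeds both the `'nonce-${nonce}'` source in the policy and the injected `nonce="${nonce}"` attribute, so that single line covers both. `Access-Control-Allow-Origin` is set to `allowedDomain`, the space-separated `${context.url.origin} ${domains}` string, which is not a valid value for that header (browsers accept one origin or `*`), so it should echo a single matched origin or be dropped. The `status: 200` in the final `new Response` also overrides whatever status the upstream handler returned, so error pages would be served as 200; `status: response.status` looks intended, though the 302 branch above suggests the authors may be relying on this and it should be confirmed. The commented-out copy of the previous handler at the top of the file is dead code and can be removed now that the new version is in place.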
