add helmet which will set https header for more security

2026-02-06 09:56:05 +00:00 · 2024-01-22 13:46:21 +01:00 · 2024-01-22 13:46:21 +01:00 · 842008c871
commit 842008c871
parent c7d4997ecc
10 changed files with 130 additions and 1 deletions
--- a/backend/package.json
+++ b/backend/package.json
@ -32,6 +32,7 @@
    "gradido-database": "file:../database",
    "graphql": "^15.5.1",
    "graphql-request": "5.0.0",
+    "helmet": "^7.1.0",
    "i18n": "^0.15.1",
    "jose": "^4.14.4",
    "lodash.clonedeep": "^4.5.0",
--- a/backend/src/server/createServer.ts
+++ b/backend/src/server/createServer.ts
@ -4,6 +4,7 @@
 import { Connection as DbConnection } from '@dbTools/typeorm'
 import { ApolloServer } from 'apollo-server-express'
 import express, { Express, json, urlencoded } from 'express'
+import helmet from 'helmet'
 import { Logger } from 'log4js'

 import { CONFIG } from '@/config'
@ -56,6 +57,10 @@ export const createServer = async (
  // cors
  app.use(cors)

+  // Helmet helps secure Express apps by setting HTTP response headers.
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+  app.use(helmet())
+
  // bodyparser json
  app.use(json())
  // bodyparser urlencoded for elopage
--- a/backend/yarn.lock
+++ b/backend/yarn.lock
@ -3679,7 +3679,7 @@ graceful-fs@^4.1.6, graceful-fs@^4.2.0:
  integrity sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==

 "gradido-database@file:../database":
-  version "2.0.1"
+  version "2.1.1"
  dependencies:
    "@types/uuid" "^8.3.4"
    cross-env "^7.0.3"
@ -3826,6 +3826,11 @@ he@1.2.0, he@^1.2.0:
  resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f"
  integrity sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==

+helmet@^7.1.0:
+  version "7.1.0"
+  resolved "https://registry.yarnpkg.com/helmet/-/helmet-7.1.0.tgz#287279e00f8a3763d5dccbaf1e5ee39b8c3784ca"
+  integrity sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==
+
 highlight.js@^10.7.1:
  version "10.7.3"
  resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-10.7.3.tgz#697272e3991356e40c3cac566a74eef681756531"
--- a/dlt-connector/package.json
+++ b/dlt-connector/package.json
@ -31,6 +31,7 @@
    "express": "4.17.1",
    "graphql": "^16.7.1",
    "graphql-scalars": "^1.22.2",
+    "helmet": "^7.1.0",
    "log4js": "^6.7.1",
    "nodemon": "^2.0.20",
    "protobufjs": "^7.2.5",
--- a/dlt-connector/schema.graphql
+++ b/dlt-connector/schema.graphql
@ -0,0 +1,98 @@
+# -----------------------------------------------
+# !!! THIS FILE WAS GENERATED BY TYPE-GRAPHQL !!!
+# !!!   DO NOT MODIFY THIS FILE BY YOURSELF   !!!
+# -----------------------------------------------
+
+type Community {
+  confirmedAt: String!
+  createdAt: String!
+  foreign: Boolean!
+  id: Int!
+  iotaTopic: String!
+  rootPublicKeyHex: String!
+}
+
+input CommunityDraft {
+  createdAt: String!
+  foreign: Boolean!
+  uuid: String!
+}
+
+"""The `Decimal` scalar type to represent currency values"""
+scalar Decimal
+
+"""Type of the transaction"""
+enum InputTransactionType {
+  CREATION
+  RECEIVE
+  SEND
+}
+
+type Mutation {
+  addCommunity(data: CommunityDraft!): TransactionResult!
+  sendTransaction(data: TransactionDraft!): TransactionResult!
+}
+
+type Query {
+  communities(confirmed: Boolean, foreign: Boolean, uuid: String): [Community!]!
+  community(confirmed: Boolean, foreign: Boolean, uuid: String): Community!
+  isCommunityExist(confirmed: Boolean, foreign: Boolean, uuid: String): Boolean!
+}
+
+input TransactionDraft {
+  amount: Decimal!
+  backendTransactionId: Int!
+  createdAt: String!
+  recipientUser: UserIdentifier!
+  senderUser: UserIdentifier!
+  targetDate: String
+  type: InputTransactionType!
+}
+
+type TransactionError {
+  message: String!
+  name: String!
+  type: TransactionErrorType!
+}
+
+"""Transaction Error Type"""
+enum TransactionErrorType {
+  ALREADY_EXIST
+  DB_ERROR
+  INVALID_SIGNATURE
+  LOGIC_ERROR
+  MISSING_PARAMETER
+  NOT_FOUND
+  NOT_IMPLEMENTED_YET
+  PROTO_DECODE_ERROR
+  PROTO_ENCODE_ERROR
+}
+
+type TransactionRecipe {
+  createdAt: String!
+  id: Int!
+  topic: String!
+  type: TransactionType!
+}
+
+type TransactionResult {
+  error: TransactionError
+  recipe: TransactionRecipe
+  succeed: Boolean!
+}
+
+"""Type of the transaction"""
+enum TransactionType {
+  COMMUNITY_ROOT
+  GRADIDO_CREATION
+  GRADIDO_DEFERRED_TRANSFER
+  GRADIDO_TRANSFER
+  GROUP_FRIENDS_UPDATE
+  REGISTER_ADDRESS
+}
+
+input UserIdentifier {
+  accountNr: Int = 1
+  communityUuid: String
+  uuid: String!
+}
--- a/dlt-connector/src/server/createServer.ts
+++ b/dlt-connector/src/server/createServer.ts
@ -6,6 +6,7 @@ import bodyParser from 'body-parser'
 import cors from 'cors'
 import express, { Express } from 'express'
 // graphql
+import helmet from 'helmet'
 import { Logger } from 'log4js'

 import { schema } from '@/graphql/schema'
@ -40,6 +41,9 @@ const createServer = async (
    // plugins
    logger,
  })
+  // Helmet helps secure Express apps by setting HTTP response headers.
+  app.use(helmet())
+
  await apollo.start()
  app.use(
    '/',
--- a/dlt-connector/yarn.lock
+++ b/dlt-connector/yarn.lock
@ -3407,6 +3407,11 @@ hash.js@^1.0.0, hash.js@^1.0.3, hash.js@^1.1.7:
    inherits "^2.0.3"
    minimalistic-assert "^1.0.1"

+helmet@^7.1.0:
+  version "7.1.0"
+  resolved "https://registry.yarnpkg.com/helmet/-/helmet-7.1.0.tgz#287279e00f8a3763d5dccbaf1e5ee39b8c3784ca"
+  integrity sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==
+
 highlight.js@^10.7.1:
  version "10.7.3"
  resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-10.7.3.tgz#697272e3991356e40c3cac566a74eef681756531"
--- a/federation/package.json
+++ b/federation/package.json
@ -26,6 +26,7 @@
    "express": "4.17.1",
    "graphql": "15.5.1",
    "graphql-request": "5.0.0",
+    "helmet": "^7.1.0",
    "lodash.clonedeep": "^4.5.0",
    "log4js": "^6.7.1",
    "reflect-metadata": "^0.1.13",
--- a/federation/src/server/createServer.ts
+++ b/federation/src/server/createServer.ts
@ -24,6 +24,7 @@ import { Connection } from '@dbTools/typeorm'

 import { apolloLogger } from './logger'
 import { Logger } from 'log4js'
+import helmet from 'helmet'

 // i18n
 // import { i18n } from './localization'
@ -62,6 +63,9 @@ export const createServer = async (
  // cors
  app.use(cors)

+  // Helmet helps secure Express apps by setting HTTP response headers.
+  app.use(helmet())
+
  // bodyparser json
  app.use(express.json())
  // bodyparser urlencoded for elopage
--- a/federation/yarn.lock
+++ b/federation/yarn.lock
@ -3127,6 +3127,11 @@ has@^1.0.3:
  dependencies:
    function-bind "^1.1.1"

+helmet@^7.1.0:
+  version "7.1.0"
+  resolved "https://registry.yarnpkg.com/helmet/-/helmet-7.1.0.tgz#287279e00f8a3763d5dccbaf1e5ee39b8c3784ca"
+  integrity sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==
+
 html-encoding-sniffer@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/html-encoding-sniffer/-/html-encoding-sniffer-2.0.1.tgz#42a6dc4fd33f00281176e8b23759ca4e4fa185f3"