From 842008c87121b0a155370e1c3b9f367f0df5ed3a Mon Sep 17 00:00:00 2001
From: einhorn_b
Date: Mon, 22 Jan 2024 13:46:21 +0100
Subject: [PATCH] add helmet which will set https header for more security
---
 backend/package.json | 1 +
 backend/src/server/createServer.ts | 5 ++
 backend/yarn.lock | 7 +-
 dlt-connector/package.json | 1 +
 dlt-connector/schema.graphql | 98 ++++++++++++++++++++++++
 dlt-connector/src/server/createServer.ts | 4 +
 dlt-connector/yarn.lock | 5 ++
 federation/package.json | 1 +
 federation/src/server/createServer.ts | 4 +
 federation/yarn.lock | 5 ++
 10 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 dlt-connector/schema.graphql
diff --git a/backend/package.json b/backend/package.json
index 45fe7b050..940af3ecb 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -32,6 +32,7 @@
 "gradido-database": "file:../database",
 "graphql": "^15.5.1",
 "graphql-request": "5.0.0",
+ "helmet": "^7.1.0",
 "i18n": "^0.15.1",
 "jose": "^4.14.4",
 "lodash.clonedeep": "^4.5.0",
diff --git a/backend/src/server/createServer.ts b/backend/src/server/createServer.ts
index c162d9f6f..e10b6cb5c 100644
--- a/backend/src/server/createServer.ts
+++ b/backend/src/server/createServer.ts
@@ -4,6 +4,7 @@ import { Connection as DbConnection } from '@dbTools/typeorm'
 import { ApolloServer } from 'apollo-server-express'
 import express, { Express, json, urlencoded } from 'express'
+import helmet from 'helmet'
 import { Logger } from 'log4js'
 import { CONFIG } from '@/config'
@@ -56,6 +57,10 @@ export const createServer = async (
 // cors
 app.use(cors)
+ // Helmet helps secure Express apps by setting HTTP response headers.
+ // eslint-disable-next-line @typescript-eslint/no-unsafe-call
+ app.use(helmet())
+
 // bodyparser json
 app.use(json())
 // bodyparser urlencoded for elopage
diff --git a/backend/yarn.lock b/backend/yarn.lock
index 0b3ceb323..253bbb178 100644
--- a/backend/yarn.lock
+++ b/backend/yarn.lock
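Review bot: `app.use(helmet())` with no options enables every Helmet default on every response, including a Content-Security-Policy of `default-src 'self'` and Strict-Transport-Security with `includeSubDomains`, which is considerably more than the "https header" named in the commit subject; the same untuned call is added in dlt-connector/src/server/createServer.ts and federation/src/server/createServer.ts. The HSTS default means a browser that has reached this origin over HTTPS will refuse plain-HTTP connections to any subdomain of the same host for the configured max-age, so confirm that every subdomain of the deployment is served over TLS before this ships. If the backend still serves Apollo's browser landing page or playground, its externally hosted assets are likely to be blocked by the default `script-src 'self'`; verify in a dev deployment or pass an explicit `contentSecurityPolicy` option to `helmet({...})`. I would replace the library blurb with a comment recording the decision, e.g. `// helmet() defaults (HSTS incl. subdomains, CSP default-src 'self', nosniff, frameguard) are intentional; tune via helmet({...}) if a header breaks a client`. The `eslint-disable-next-line @typescript-eslint/no-unsafe-call` above the call suggests `helmet` resolves to `any` in this package even though Helmet ships its own types, and the other two packages needed no suppression, so the type resolution is worth checking rather than silencing; createServer continues outside the hunk.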
@@ -3679,7 +3679,7 @@ graceful-fs@^4.1.6, graceful-fs@^4.2.0: integrity sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA== "gradido-database@file:../database": - version "2.0.1" + version "2.1.1" dependencies: "@types/uuid" "^8.3.4" cross-env "^7.0.3" @@ -3826,6 +3826,11 @@ he@1.2.0, he@^1.2.0: resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f" integrity sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw== +helmet@^7.1.0: + version "7.1.0" + resolved "https://registry.yarnpkg.com/helmet/-/helmet-7.1.0.tgz#287279e00f8a3763d5dccbaf1e5ee39b8c3784ca" + integrity sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg== + highlight.js@^10.7.1: version "10.7.3" resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-10.7.3.tgz#697272e3991356e40c3cac566a74eef681756531" diff --git a/dlt-connector/package.json b/dlt-connector/package.json index 5a4c54394..54a31669a 100644 --- a/dlt-connector/package.json +++ b/dlt-connector/package.json @@ -31,6 +31,7 @@ "express": "4.17.1", "graphql": "^16.7.1", "graphql-scalars": "^1.22.2", + "helmet": "^7.1.0", "log4js": "^6.7.1", "nodemon": "^2.0.20", "protobufjs": "^7.2.5", diff --git a/dlt-connector/schema.graphql b/dlt-connector/schema.graphql new file mode 100644 index 000000000..4ee07180d --- /dev/null +++ b/dlt-connector/schema.graphql 
@@ -0,0 +1,98 @@ +# ----------------------------------------------- +# !!! THIS FILE WAS GENERATED BY TYPE-GRAPHQL !!! +# !!! DO NOT MODIFY THIS FILE BY YOURSELF !!! +# ----------------------------------------------- + +type Community { + confirmedAt: String! + createdAt: String! + foreign: Boolean! + id: Int! + iotaTopic: String! + rootPublicKeyHex: String! +} + +input CommunityDraft { + createdAt: String! + foreign: Boolean! + uuid: String! +} + +"""The `Decimal` scalar type to represent currency values""" +scalar Decimal + +"""Type of the transaction""" +enum InputTransactionType { + CREATION + RECEIVE + SEND +} + +type Mutation { + addCommunity(data: CommunityDraft!): TransactionResult! + sendTransaction(data: TransactionDraft!): TransactionResult! +} + +type Query { + communities(confirmed: Boolean, foreign: Boolean, uuid: String): [Community!]! + community(confirmed: Boolean, foreign: Boolean, uuid: String): Community! + isCommunityExist(confirmed: Boolean, foreign: Boolean, uuid: String): Boolean! +} + +input TransactionDraft { + amount: Decimal! + backendTransactionId: Int! + createdAt: String! + recipientUser: UserIdentifier! + senderUser: UserIdentifier! + targetDate: String + type: InputTransactionType! +} + +type TransactionError { + message: String! + name: String! + type: TransactionErrorType! +} + +"""Transaction Error Type""" +enum TransactionErrorType { + ALREADY_EXIST + DB_ERROR + INVALID_SIGNATURE + LOGIC_ERROR + MISSING_PARAMETER + NOT_FOUND + NOT_IMPLEMENTED_YET + PROTO_DECODE_ERROR + PROTO_ENCODE_ERROR +} + +type TransactionRecipe { + createdAt: String! + id: Int! + topic: String! + type: TransactionType! +} + +type TransactionResult { + error: TransactionError + recipe: TransactionRecipe + succeed: Boolean! 
+} + +"""Type of the transaction""" +enum TransactionType { + COMMUNITY_ROOT + GRADIDO_CREATION + GRADIDO_DEFERRED_TRANSFER + GRADIDO_TRANSFER + GROUP_FRIENDS_UPDATE + REGISTER_ADDRESS +} + +input UserIdentifier { + accountNr: Int = 1 + communityUuid: String + uuid: String! +} \ No newline at end of file diff --git a/dlt-connector/src/server/createServer.ts b/dlt-connector/src/server/createServer.ts index ed87d54ac..66b9f18b3 100755 --- a/dlt-connector/src/server/createServer.ts +++ b/dlt-connector/src/server/createServer.ts @@ -6,6 +6,7 @@ import bodyParser from 'body-parser' import cors from 'cors' import express, { Express } from 'express' // graphql +import helmet from 'helmet' import { Logger } from 'log4js' import { schema } from '@/graphql/schema' @@ -40,6 +41,9 @@ const createServer = async ( // plugins logger, }) + // Helmet helps secure Express apps by setting HTTP response headers. + app.use(helmet()) + await apollo.start() app.use( '/', diff --git a/dlt-connector/yarn.lock b/dlt-connector/yarn.lock index 3c7a8bf36..e4a057dd5 100644 --- a/dlt-connector/yarn.lock +++ b/dlt-connector/yarn.lock @@ -3407,6 +3407,11 @@ hash.js@^1.0.0, hash.js@^1.0.3, hash.js@^1.1.7: inherits "^2.0.3" minimalistic-assert "^1.0.1" +helmet@^7.1.0: + version "7.1.0" + resolved "https://registry.yarnpkg.com/helmet/-/helmet-7.1.0.tgz#287279e00f8a3763d5dccbaf1e5ee39b8c3784ca" + integrity sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg== + highlight.js@^10.7.1: version "10.7.3" resolved "https://registry.yarnpkg.com/highlight.js/-/highlight.js-10.7.3.tgz#697272e3991356e40c3cac566a74eef681756531" diff --git a/federation/package.json b/federation/package.json index fa21e04a1..0b2809754 100644 --- a/federation/package.json +++ b/federation/package.json @@ -26,6 +26,7 @@ "express": "4.17.1", "graphql": "15.5.1", "graphql-request": "5.0.0", + "helmet": "^7.1.0", "lodash.clonedeep": "^4.5.0", "log4js": "^6.7.1", "reflect-metadata": "^0.1.13", 
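Review bot: In dlt-connector/src/server/createServer.ts the new `// Helmet helps secure …` and `app.use(helmet())` lines are inserted directly after the `})` that closes `new ApolloServer({...})`, with the added blank line placed after them rather than before, judging by the hunk counts (`-40,6 +41,9`); the middleware registration therefore reads as part of the Apollo construction. Moving the blank line so it separates the two statements — `})`, blank, the comment, `app.use(helmet())`, blank, `await apollo.start()` — would make the registration stand on its own. createServer continues outside the hunk.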
diff --git a/federation/src/server/createServer.ts b/federation/src/server/createServer.ts index b79847254..3a75f6764 100644 --- a/federation/src/server/createServer.ts +++ b/federation/src/server/createServer.ts @@ -24,6 +24,7 @@ import { Connection } from '@dbTools/typeorm' import { apolloLogger } from './logger' import { Logger } from 'log4js' +import helmet from 'helmet' // i18n // import { i18n } from './localization' @@ -62,6 +63,9 @@ export const createServer = async ( // cors app.use(cors) + // Helmet helps secure Express apps by setting HTTP response headers. + app.use(helmet()) + // bodyparser json app.use(express.json()) // bodyparser urlencoded for elopage diff --git a/federation/yarn.lock b/federation/yarn.lock index ca33138dd..7a9ec6814 100644 --- a/federation/yarn.lock +++ b/federation/yarn.lock @@ -3127,6 +3127,11 @@ has@^1.0.3: dependencies: function-bind "^1.1.1" +helmet@^7.1.0: + version "7.1.0" + resolved "https://registry.yarnpkg.com/helmet/-/helmet-7.1.0.tgz#287279e00f8a3763d5dccbaf1e5ee39b8c3784ca" + integrity sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg== + html-encoding-sniffer@^2.0.1: version "2.0.1" resolved "https://registry.yarnpkg.com/html-encoding-sniffer/-/html-encoding-sniffer-2.0.1.tgz#42a6dc4fd33f00281176e8b23759ca4e4fa185f3"
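Review bot: In federation/src/server/createServer.ts the new `import helmet from 'helmet'` is appended after `import { Logger } from 'log4js'` at the tail of the import block, directly above the commented-out `// i18n` import, rather than next to the other third-party imports; the backend hunk places it between the express and log4js imports, and the federation file would read more consistently with the same placement. The registration hunk itself (`app.use(helmet())` after `app.use(cors)`) mirrors the backend, and createServer continues outside that hunk.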