pinafore/src/server.js

import * as sapper from '../__sapper__/server.js'
import express from 'express'
import compression from 'compression'
import serveStatic from 'serve-static'
import helmet from 'helmet'
import fetch from 'node-fetch'
import inlineScriptChecksum from './inline-script/checksum'
import { sapperInlineScriptChecksums } from './server/sapperInlineScriptChecksums'

const { PORT = 4002 } = process.env
const app = express()

const MAX_AGE = 3600

// this allows us to do e.g. `fetch('/_api/blog')` on the server
global.fetch = (url, opts) => {
  if (url[0] === '/') {
    url = `http://localhost:${PORT}${url}`
  }
  return fetch(url, opts)
}

app.use(compression({ threshold: 0 }))

// CSP only needs to apply to core HTML files, not debug files
// like report.html or the JS/CSS/JSON/image files
const coreHtmlFilesOnly = (fn) => (req, res, next) => {
  let coreHtml = !/\.(js|css|json|png|svg|jpe?g|map)$/.test(req.path) &&
    !(/\/report.html/.test(req.path))
  return coreHtml ? fn(req, res, next) : next()
}

app.use(coreHtmlFilesOnly(helmet({
  contentSecurityPolicy: {
    directives: {
      scriptSrc: [
        `'self'`,
        `'sha256-${inlineScriptChecksum}'`,
        ...sapperInlineScriptChecksums.map(_ => `'sha256-${_}'`)
      ],
      workerSrc: [`'self'`],
      styleSrc: [`'self'`, `'unsafe-inline'`],
      frameSrc: [`'none'`],
      objectSrc: [`'none'`],
      manifestSrc: [`'self'`]
    }
  },
  referrerPolicy: {
    policy: 'no-referrer'
  }
})))

app.use(serveStatic('static', {
  setHeaders: (res) => {
    res.setHeader('Cache-Control', `public,max-age=${MAX_AGE}`)
  }
}))

app.use(express.static('__sapper__/build/client/report.html'))
app.use(express.static('__sapper__/build/client/stats.json'))

// TODO: hack to override Sapper's default cache-control
function overrideSetHeader (req, res, next) {
  const origSetHeader = res.setHeader
  res.setHeader = function (key, value) {
    if (key === 'Cache-Control') {
      if (value === 'max-age=31536000, immutable') { // webpack assets
        return origSetHeader.apply(this, ['Cache-Control', 'public,max-age=31536000,immutable'])
      }
      if (value === 'max-age=600') { // HTML files
        return origSetHeader.apply(this, ['Cache-Control', `public,max-age=${MAX_AGE}`])
      }
    }

    return origSetHeader.apply(this, arguments)
  }
  return next()
}

app.use(overrideSetHeader, sapper.middleware())

app.listen(PORT, () => {
  console.log(`listening on port ${PORT}`)
})

// Handle SIGINT (source: https://git.io/vhJgF)
process.on('SIGINT', function () {
  process.exit(0)
})
fix: update Sapper to latest (#775) * fix: update to latest sapper fixes #416 * fix error and debug pages * requestIdleCallback makes column switching feel way nicer than double rAF * add export feature * add better csp info * workaround for sapper sub-page issue * clarify in readme about exporting * fix now config * switch from rIC to triple raf * style-loader is no longer used * update theming guide 2018-12-11 15:31:48 +00:00			`import * as sapper from '../__sapper__/server.js'`
fix: increase cache, use csp checksums over nonce (#988) attempt to address #985 2019-02-15 03:39:24 +00:00			`import express from 'express'`
			`import compression from 'compression'`
			`import serveStatic from 'serve-static'`
			`import helmet from 'helmet'`
			`import fetch from 'node-fetch'`
			`import inlineScriptChecksum from './inline-script/checksum'`
			`import { sapperInlineScriptChecksums } from './server/sapperInlineScriptChecksums'`
initial commit 2018-01-06 23:51:25 +00:00
use standard 2018-02-09 06:29:29 +00:00			`const { PORT = 4002 } = process.env`
fix: increase cache, use csp checksums over nonce (#988) attempt to address #985 2019-02-15 03:39:24 +00:00			`const app = express()`
initial commit 2018-01-06 23:51:25 +00:00
fix: set max-age to 3600 for html (#989) another attempt to address #985 2019-02-15 05:26:20 +00:00			`const MAX_AGE = 3600`

refactor 2018-02-08 16:22:14 +00:00			// this allows us to do e.g. `fetch('/_api/blog')` on the server
initial commit 2018-01-06 23:51:25 +00:00			`global.fetch = (url, opts) => {`
disable CSP for /report.html (#151) * disable CSP for /report.html Fixes #150 * enable minimal helmet() for debug paths 2018-04-18 01:38:14 +00:00			`if (url[0] === '/') {`
			url = `http://localhost:${PORT}${url}`
			`}`
use standard 2018-02-09 06:29:29 +00:00			`return fetch(url, opts)`
			`}`
initial commit 2018-01-06 23:51:25 +00:00
fix(server): use compression instead of shrink-ray-current (#629) 2018-11-11 19:31:32 +00:00			`app.use(compression({ threshold: 0 }))`
initial commit 2018-01-06 23:51:25 +00:00
fix: increase cache, use csp checksums over nonce (#988) attempt to address #985 2019-02-15 03:39:24 +00:00			`// CSP only needs to apply to core HTML files, not debug files`
			`// like report.html or the JS/CSS/JSON/image files`
			`const coreHtmlFilesOnly = (fn) => (req, res, next) => {`
			`let coreHtml = !/\.(js\|css\|json\|png\|svg\|jpe?g\|map)$/.test(req.path) &&`
			`!(/\/report.html/.test(req.path))`
			`return coreHtml ? fn(req, res, next) : next()`
			`}`
fix: update Sapper to latest (#775) * fix: update to latest sapper fixes #416 * fix error and debug pages * requestIdleCallback makes column switching feel way nicer than double rAF * add export feature * add better csp info * workaround for sapper sub-page issue * clarify in readme about exporting * fix now config * switch from rIC to triple raf * style-loader is no longer used * update theming guide 2018-12-11 15:31:48 +00:00
fix: increase cache, use csp checksums over nonce (#988) attempt to address #985 2019-02-15 03:39:24 +00:00			`app.use(coreHtmlFilesOnly(helmet({`
use full helmet() middleware (#135) fixes #132 2018-04-15 22:39:45 +00:00			`contentSecurityPolicy: {`
			`directives: {`
fix: update Sapper to latest (#775) * fix: update to latest sapper fixes #416 * fix error and debug pages * requestIdleCallback makes column switching feel way nicer than double rAF * add export feature * add better csp info * workaround for sapper sub-page issue * clarify in readme about exporting * fix now config * switch from rIC to triple raf * style-loader is no longer used * update theming guide 2018-12-11 15:31:48 +00:00			`scriptSrc: [`
			`'self'`,
fix: increase cache, use csp checksums over nonce (#988) attempt to address #985 2019-02-15 03:39:24 +00:00			`'sha256-${inlineScriptChecksum}'`,
			...sapperInlineScriptChecksums.map(_ => `'sha256-${_}'`)
fix: update Sapper to latest (#775) * fix: update to latest sapper fixes #416 * fix error and debug pages * requestIdleCallback makes column switching feel way nicer than double rAF * add export feature * add better csp info * workaround for sapper sub-page issue * clarify in readme about exporting * fix now config * switch from rIC to triple raf * style-loader is no longer used * update theming guide 2018-12-11 15:31:48 +00:00			`],`
use full helmet() middleware (#135) fixes #132 2018-04-15 22:39:45 +00:00			workerSrc: [`'self'`],
			styleSrc: [`'self'`, `'unsafe-inline'`],
			frameSrc: [`'none'`],
			objectSrc: [`'none'`],
			manifestSrc: [`'self'`]
			`}`
add Referrer-Policy: no-referrer (#187) fixes #139 2018-04-20 04:38:22 +00:00			`},`
			`referrerPolicy: {`
			`policy: 'no-referrer'`
Add CSP (#119) Fixes #25 2018-04-14 22:50:16 +00:00			`}`
disable CSP for /report.html (#151) * disable CSP for /report.html Fixes #150 * enable minimal helmet() for debug paths 2018-04-18 01:38:14 +00:00			`})))`
Add CSP (#119) Fixes #25 2018-04-14 22:50:16 +00:00
fix: update Sapper to latest (#775) * fix: update to latest sapper fixes #416 * fix error and debug pages * requestIdleCallback makes column switching feel way nicer than double rAF * add export feature * add better csp info * workaround for sapper sub-page issue * clarify in readme about exporting * fix now config * switch from rIC to triple raf * style-loader is no longer used * update theming guide 2018-12-11 15:31:48 +00:00			`app.use(serveStatic('static', {`
fix Cache-Control in sapper 2018-03-21 03:46:37 +00:00			`setHeaders: (res) => {`
fix: set max-age to 3600 for html (#989) another attempt to address #985 2019-02-15 05:26:20 +00:00			res.setHeader('Cache-Control', `public,max-age=${MAX_AGE}`)
fix Cache-Control in sapper 2018-03-21 03:46:37 +00:00			`}`
			`}))`
initial commit 2018-01-06 23:51:25 +00:00
fix: increase cache, use csp checksums over nonce (#988) attempt to address #985 2019-02-15 03:39:24 +00:00			`app.use(express.static('__sapper__/build/client/report.html'))`
			`app.use(express.static('__sapper__/build/client/stats.json'))`
expose report.html and stats.json 2018-03-25 20:47:01 +00:00
fix: use "public" for cache-control (#993) another attempt to address #985 2019-02-15 06:54:18 +00:00			`// TODO: hack to override Sapper's default cache-control`
fix: set max-age to 3600 for html (#989) another attempt to address #985 2019-02-15 05:26:20 +00:00			`function overrideSetHeader (req, res, next) {`
			`const origSetHeader = res.setHeader`
			`res.setHeader = function (key, value) {`
fix: use "public" for cache-control (#993) another attempt to address #985 2019-02-15 06:54:18 +00:00			`if (key === 'Cache-Control') {`
			`if (value === 'max-age=31536000, immutable') { // webpack assets`
			`return origSetHeader.apply(this, ['Cache-Control', 'public,max-age=31536000,immutable'])`
			`}`
			`if (value === 'max-age=600') { // HTML files`
			return origSetHeader.apply(this, ['Cache-Control', `public,max-age=${MAX_AGE}`])
			`}`
fix: set max-age to 3600 for html (#989) another attempt to address #985 2019-02-15 05:26:20 +00:00			`}`
fix: use "public" for cache-control (#993) another attempt to address #985 2019-02-15 06:54:18 +00:00
fix: set max-age to 3600 for html (#989) another attempt to address #985 2019-02-15 05:26:20 +00:00			`return origSetHeader.apply(this, arguments)`
			`}`
			`return next()`
			`}`

			`app.use(overrideSetHeader, sapper.middleware())`
initial commit 2018-01-06 23:51:25 +00:00
			`app.listen(PORT, () => {`
use standard 2018-02-09 06:29:29 +00:00			console.log(`listening on port ${PORT}`)
			`})`
Added Dockerfile (#313) * Added Dockerfile * Better comments in Dockerfile * Added SIGINT handler * Keeping code-check happy * Keeping code-check happy v2 * Keeping code-check happy v2 2018-05-25 02:59:48 +00:00
			`// Handle SIGINT (source: https://git.io/vhJgF)`
			`process.on('SIGINT', function () {`
			`process.exit(0)`
			`})`