Security upgrades
This commit is contained in:
124
app.js
124
app.js
@@ -1,16 +1,47 @@
|
||||
require("dotenv").config();
|
||||
/*
|
||||
|
||||
|
||||
CONFIGS
|
||||
|
||||
|
||||
*/
|
||||
require("dotenv").config(); //require environment variables
|
||||
const mongoose = require("mongoose");
|
||||
const express = require("express");
|
||||
const helmet = require("helmet");
|
||||
const multer = require("multer");
|
||||
const bcrypt = require("bcrypt");
|
||||
const validators = require("./validation");
|
||||
var sanitizer = require("string-sanitizer");
|
||||
const app = express();
|
||||
const bodyParser = require("body-parser");
|
||||
app.use(bodyParser.json());
|
||||
app.use(bodyParser.urlencoded({ extended: true }));
|
||||
app.use(helmet());
|
||||
const port = 3000;
|
||||
const rateLimit = require("express-rate-limit");
|
||||
const limiter = rateLimit({
|
||||
windowMs: 15 * 60 * 1000, //time window
|
||||
max: 100, //requests from a single IP for a time window
|
||||
});
|
||||
app.use(limiter);
|
||||
const bodyParser = require("body-parser");
|
||||
app.use(bodyParser.json({ limit: "100kb" })); // limit body payload size
|
||||
app.use(bodyParser.urlencoded({ extended: true }));
|
||||
/*
|
||||
|
||||
|
||||
Mongoose schemas
|
||||
|
||||
|
||||
*/
|
||||
const Restaurant = require("./models/restaurant");
|
||||
const Dish = require("./models/dish");
|
||||
const User = require("./models/users");
|
||||
const validators = require("./validation");
|
||||
/*
|
||||
|
||||
|
||||
Image upload config (multer)
|
||||
|
||||
|
||||
*/
|
||||
var storage = multer.diskStorage({
|
||||
destination: function (req, file, cb) {
|
||||
cb(null, "./images");
|
||||
@@ -27,8 +58,22 @@ var storage = multer.diskStorage({
|
||||
);
|
||||
},
|
||||
});
|
||||
const upload = multer({ storage: storage, limits: { fileSize: 4000000 } });
|
||||
const upload = multer({
|
||||
storage: storage,
|
||||
fileFilter: function (req, file, cb) {
|
||||
if (file.mimetype !== "image/jpg") {
|
||||
return cb(null, false);
|
||||
}
|
||||
cb(null, true);
|
||||
},
|
||||
limits: { fileSize: 4000000 },
|
||||
}); //max file size = 4Mb
|
||||
/*
|
||||
|
||||
Code
|
||||
|
||||
*/
|
||||
// Connect to DB
|
||||
mongoose.connect(
|
||||
"mongodb+srv://menui_db_user:" +
|
||||
process.env.DB_PASS +
|
||||
@@ -45,11 +90,15 @@ mongoose.connect(
|
||||
app.get("/restaurant", function (req, res) {
|
||||
//validate restaurant
|
||||
validators.validateRestaurant(req.body.restaurantId, (result) => {
|
||||
if (!result) res.sendStatus(400);
|
||||
Restaurant.findById(req.body.restaurantId, (err, data) => {
|
||||
if (err) res.sendStatus(404);
|
||||
else res.send(data);
|
||||
});
|
||||
if (!result) {
|
||||
res.sendStatus(400);
|
||||
} else {
|
||||
Restaurant.findById(req.body.restaurantId, (err, data) => {
|
||||
if (err) {
|
||||
res.sendStatus(404);
|
||||
} else res.send(data);
|
||||
});
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
@@ -57,8 +106,9 @@ app.get("/restaurant", function (req, res) {
|
||||
|
||||
app.get("/city", function (req, res) {
|
||||
Restaurant.find({ city: req.body.city }, (err, data) => {
|
||||
if (err) res.sendStatus(404);
|
||||
else res.send(data);
|
||||
if (err) {
|
||||
res.sendStatus(404);
|
||||
} else res.send(data);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -66,8 +116,9 @@ app.get("/city", function (req, res) {
|
||||
|
||||
app.get("/dish", (req, res) => {
|
||||
Dish.findById(req.body.dishId, (err, data) => {
|
||||
if (err) res.sendStatus(404);
|
||||
res.send(data);
|
||||
if (err) {
|
||||
res.sendStatus(404);
|
||||
} else res.send(data);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -80,8 +131,8 @@ app.post("/restaurant", (req, res) => {
|
||||
//create restaurant
|
||||
const restaurant = new Restaurant({
|
||||
_id: new mongoose.Types.ObjectId(),
|
||||
name: req.body.name,
|
||||
city: req.body.city,
|
||||
name: sanitizer.sanitize.keepUnicode(req.body.name),
|
||||
city: sanitizer.sanitize.keepUnicode(req.body.city),
|
||||
imgUrl: req.body.imgUrl,
|
||||
workingHours: req.body.workingHours,
|
||||
hidden: req.body.hidden,
|
||||
@@ -112,10 +163,10 @@ app.post("/dish", (req, res) => {
|
||||
//construct dish
|
||||
const dish = new Dish({
|
||||
_id: new mongoose.Types.ObjectId(),
|
||||
name: req.body.dish.name,
|
||||
name: sanitizer.sanitize.keepUnicode(req.body.dish.name),
|
||||
category: req.body.dish.category,
|
||||
price: req.body.dish.price,
|
||||
notes: req.body.dish.notes,
|
||||
notes: sanitizer.sanitize.keepUnicode(req.body.dish.notes),
|
||||
imgUrl: req.body.dish.imgUrl,
|
||||
weight: req.body.dish.weight,
|
||||
allergens: {
|
||||
@@ -199,14 +250,35 @@ app.put("/dish", (req, res) => {
|
||||
res.sendStatus(401);
|
||||
} else {
|
||||
//replace dish in DB
|
||||
Dish.replaceOne({ _id: req.body.dishId }, req.body.dish, (err) => {
|
||||
if (err) {
|
||||
res.sendStatus(304);
|
||||
} else {
|
||||
console.log("Dish Replaced with: " + req.body.dish);
|
||||
res.sendStatus(200);
|
||||
Dish.replaceOne(
|
||||
{ _id: req.body.dishId },
|
||||
{
|
||||
name: sanitizer.sanitize.keepUnicode(req.body.dish.name),
|
||||
category: req.body.dish.category,
|
||||
price: req.body.dish.price,
|
||||
notes: sanitizer.sanitize.keepUnicode(req.body.dish.notes),
|
||||
imgUrl: req.body.dish.imgUrl,
|
||||
weight: req.body.dish.weight,
|
||||
allergens: {
|
||||
gluten: req.body.dish.allergens.gluten,
|
||||
lactose: req.body.dish.allergens.lactose,
|
||||
soy: req.body.dish.allergens.soy,
|
||||
eggs: req.body.dish.allergens.eggs,
|
||||
seaFood: req.body.dish.allergens.seaFood,
|
||||
peanuts: req.body.dish.allergens.peanuts,
|
||||
sesame: req.body.dish.allergens.sesame,
|
||||
},
|
||||
vegan: req.body.dish.vegan,
|
||||
vegetarian: req.body.dish.vegetarian,
|
||||
},
|
||||
(err) => {
|
||||
if (err) {
|
||||
res.sendStatus(304);
|
||||
} else {
|
||||
res.sendStatus(200);
|
||||
}
|
||||
}
|
||||
});
|
||||
);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user