f1f913f63f
Without trust proxy, the rate limiter uses the reverse proxy IP instead of the real client IP, making all requests appear to come from one IP. Set TRUST_PROXY=1 in production when behind a single nginx/Apache hop.
47 lines
1.4 KiB
JavaScript
47 lines
1.4 KiB
JavaScript
var express = require('express'),
|
|
session = require('express-session'),
|
|
cors = require('cors'),
|
|
helmet = require('helmet'),
|
|
errorhandler = require('errorhandler');
|
|
|
|
const config = require('./config'),
|
|
swaggerUi = require('swagger-ui-express'),
|
|
swaggerSpec = require('./config/swagger');
|
|
|
|
function createApp() {
|
|
const app = express();
|
|
if (process.env.TRUST_PROXY) {
|
|
app.set('trust proxy', parseInt(process.env.TRUST_PROXY, 10) || process.env.TRUST_PROXY);
|
|
}
|
|
app.use(helmet({ contentSecurityPolicy: false }));
|
|
const allowedOrigins = process.env.ALLOWED_ORIGINS
|
|
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
|
|
: [];
|
|
app.use(cors({
|
|
origin: allowedOrigins.length > 0 ? allowedOrigins : false,
|
|
credentials: true
|
|
}));
|
|
app.use(express.json());
|
|
app.use(express.urlencoded({ extended: true }));
|
|
app.use(require('method-override')());
|
|
app.use(express.static(__dirname + '/../public'));
|
|
app.use(session({
|
|
secret: process.env.SESSION_SECRET || config.secret,
|
|
cookie: { maxAge: config.session_lifetime },
|
|
resave: false,
|
|
saveUninitialized: false
|
|
}));
|
|
|
|
if (process.env.APP_ENV !== 'production') {
|
|
app.use(errorhandler());
|
|
}
|
|
|
|
app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerSpec, {
|
|
swaggerOptions: { persistAuthorization: true },
|
|
}));
|
|
|
|
return app;
|
|
}
|
|
|
|
module.exports = createApp;
|