Setup logger, configloader, middleware & endpoints

api/webserver/middleware/addIdToRequest.js

@@ -0,0 +1,23 @@
+const crypto = require("crypto");
+const httpContext = require("express-http-context");
+
+const addIdToRequest = (req, res, next) => {
+  try {
+    crypto.randomBytes(16, (err, buf) => {
+      if (err) {
+        // log err
+        id = null;
+      }
+      id = buf.toString("hex");
+
+      httpContext.set("sessionId", id);
+      next();
+    });
+  } catch (err) {
+    // log err
+    httpContext.set("sessionId", null);
+    next();
+  }
+};
+
+module.exports = addIdToRequest;

api/webserver/middleware/setupCORS.js

@@ -0,0 +1,6 @@
+const openCORS = (req, res, next) => {
+  res.set("Access-Control-Allow-Origin", "*")
+  return next();
+};
+
+module.exports = openCORS;

api/webserver/middleware/setupHeaders.js

@@ -0,0 +1,37 @@
+const camelToKebabCase = str => str.replace(/[A-Z]/g, letter => `-${letter.toLowerCase()}`);
+
+const mapFeaturePolicyToString = (features) => {
+  return Object.entries(features).map(([key, value]) => {
+    key = camelToKebabCase(key)
+    value = value == "*" ? value : `'${ value }'`
+    return `${key} ${value}`
+  }).join("; ")
+}
+
+const setupHeaders = (req, res, next) => {
+  res.set("Access-Control-Allow-Headers", "Content-Type")
+
+  // Security
+  res.set("X-Content-Type-Options", "nosniff");
+  res.set("X-XSS-Protection", "1; mode=block");
+  res.set("X-Frame-Options", "SAMEORIGIN");
+  res.set("X-DNS-Prefetch-Control", "off");
+  res.set("X-Download-Options", "noopen");
+  res.set("Strict-Transport-Security", "max-age=15552000; includeSubDomains")
+
+  // Feature policy
+  const features = {
+    fullscreen: "*",
+    payment: "none",
+    microphone: "none",
+    camera: "self",
+    speaker: "*",
+    syncXhr: "self"
+  }
+  const featureString = mapFeaturePolicyToString(features);
+  res.set("Feature-Policy", featureString)
+
+  return next();
+}
+
+module.exports = setupHeaders;