Merge pull request #27 from Canner/feature/enforce-https

Feature: Add enforce HTTPS middleware

Author: oscar60310

package.json

@@ -20,6 +20,7 @@
     "koa-bodyparser": "^4.3.0",
     "koa-compose": "^4.1.0",
     "koa-router": "^10.1.1",
+    "koa-sslify": "^5.0.0",
     "koa2-ratelimit": "^1.1.1",
     "lodash": "^4.17.21",
     "md5": "^2.3.0",
@@ -49,6 +50,7 @@
     "@types/koa": "^2.13.4",
     "@types/koa-compose": "^3.2.5",
     "@types/koa-router": "^7.4.4",
+    "@types/koa-sslify": "^4.0.3",
     "@types/koa2-ratelimit": "^0.9.3",
     "@types/koa__cors": "^3.3.0",
     "@types/lodash": "^4.14.182",

packages/integration-testing/src/example1/buildAndServe.spec.ts

@@ -44,6 +44,9 @@ const projectConfig: ServeConfig & IBuildOptions = {
   'rate-limit': {
     options: { interval: { min: 1 }, max: 10000 },
   },
+  'enforce-https': {
+    enabled: false,
+  },
 };
 
 let server: VulcanServer;
@@ -56,7 +59,7 @@ it('Example1: Build and serve should work', async () => {
   const builder = new VulcanBuilder(projectConfig);
   await builder.build();
   server = new VulcanServer(projectConfig);
-  const httpServer = await server.start(3000);
+  const httpServer = (await server.start())['http'];
 
   const agent = supertest(httpServer);
   const result = await agent.get(

packages/serve/src/containers/types.ts

@@ -7,7 +7,6 @@ export const TYPES = {
   RouteGenerator: Symbol.for('RouteGenerator'),
 
   // Application
-  AppConfig: Symbol.for('AppConfig'),
   VulcanApplication: Symbol.for('VulcanApplication'),
   // Extensions
   Extension_RouteMiddleware: Symbol.for('Extension_RouteMiddleware'),

packages/serve/src/lib/app.ts

@@ -1,7 +1,7 @@
 import { APISchema } from '@vulcan-sql/core';
 import * as Koa from 'koa';
 import * as KoaRouter from 'koa-router';
-import { isEmpty, uniq } from 'lodash';
+import { uniq } from 'lodash';
 import {
   RestfulRoute,
   BaseRoute,
@@ -42,7 +42,7 @@ export class VulcanApplication {
   }
   public async buildRoutes(
     schemas: Array<APISchema>,
-    apiTypes: Array<APIProviderType>
+    apiTypes?: Array<APIProviderType>
   ) {
     // setup API route according to api types and api schemas
     const routeMapper = {
@@ -52,9 +52,8 @@ export class VulcanApplication {
         this.setGraphQL(routes as Array<GraphQLRoute>),
     };
 
-    // check existed at least one type
-    const types = uniq(apiTypes);
-    if (isEmpty(types)) throw new Error(`The API type must provided.`);
+    // check existed at least one type, if not provide, default is restful
+    const types = uniq(apiTypes || [APIProviderType.RESTFUL]);
 
     for (const type of types) {
       const routes = await this.generator.multiGenerate(schemas, type);

packages/serve/src/lib/middleware/enforceHttpsMiddleware.ts

@@ -0,0 +1,147 @@
+import { isUndefined, omit } from 'lodash';
+import { inject } from 'inversify';
+import { TYPES as CORE_TYPES } from '@vulcan-sql/core';
+import { VulcanInternalExtension } from '@vulcan-sql/core';
+import { BuiltInMiddleware } from '@vulcan-sql/serve/models';
+import { KoaContext, Next } from '@vulcan-sql/serve/models';
+import {
+  Options as SslOptions,
+  httpsResolver,
+  xForwardedProtoResolver,
+  customProtoHeaderResolver,
+  azureResolver,
+  forwardedResolver,
+} from 'koa-sslify';
+import sslify from 'koa-sslify';
+
+// resolver type for sslify options
+export enum ResolverType {
+  /* use local server to run https server, suit for local usage. */
+  LOCAL = 'LOCAL',
+  /*
+   * RFC standard header (RFC7239) to carry information in a organized way for reverse proxy used.
+   *  However, currently only little reverse proxies support it. e.g: nginx supported.
+   *  refer: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+   *  refer: https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+   */
+  FORWARDED = 'FORWARDED',
+  /*
+   * X-Forwarded-Proto header flag is one of the de-facto standard (But not RFC standard) to check and enforce https or not, almost reverse proxies supported.
+   * e.g: Heroku, GKE ingress, AWS ELB, nginx.
+   */
+  X_FORWARDED_PROTO = 'X_FORWARDED_PROTO',
+  /*
+   * if use Azure Application Request Routing as reverse proxy, then it use X-ARR-SSL header flag to check and enforce https.
+   * refer: https://abhimantiwari.github.io/blog/ARR/
+   */
+  AZURE_ARR = 'AZURE_ARR',
+  /* customize the header flag to check and enforce https, when use the type, need to define an custom header flag for checking and enforcing https */
+  CUSTOM = 'CUSTOM',
+}
+
+export type EnforceHttpsOptions = Omit<SslOptions, 'resolver'> & {
+  type?: string;
+  /* custom proto name when when type is CUSTOM */
+  proto?: string;
+};
+
+export interface EnforceHttpsConfig {
+  enabled: boolean;
+  options: EnforceHttpsOptions;
+}
+
+// enforce https middleware
+@VulcanInternalExtension('enforce-https')
+export class EnforceHttpsMiddleware extends BuiltInMiddleware<EnforceHttpsOptions> {
+  private koaEnforceHttps = sslify(
+    // if not setup "enforce-https", default sslify is LOCAL type
+    this.getOptions() ? this.transformOptions(this.getOptions()!) : undefined
+  );
+
+  constructor(
+    @inject(CORE_TYPES.ExtensionConfig) config: any,
+    @inject(CORE_TYPES.ExtensionName) name: string
+  ) {
+    super(config, name);
+    const rawOptions = this.getOptions() as EnforceHttpsOptions;
+
+    const options = rawOptions ? this.transformOptions(rawOptions) : undefined;
+    this.koaEnforceHttps = sslify(options);
+  }
+
+  public async handle(context: KoaContext, next: Next) {
+    if (!this.enabled) return next();
+    else return this.koaEnforceHttps(context, next);
+  }
+
+  private transformOptions(rawOptions: EnforceHttpsOptions) {
+    // given default value if not exist.
+    rawOptions.type = rawOptions.type || ResolverType.LOCAL;
+
+    // check incorrect type
+    this.checkResolverType(rawOptions.type);
+    const type = rawOptions.type.toUpperCase();
+
+    const resolverMapper = {
+      [ResolverType.LOCAL.toString()]: () => httpsResolver,
+      [ResolverType.FORWARDED.toString()]: () => forwardedResolver,
+      [ResolverType.X_FORWARDED_PROTO.toString()]: () =>
+        xForwardedProtoResolver,
+      [ResolverType.AZURE_ARR.toString()]: () => azureResolver,
+    };
+    // if type is CUSTOM
+    if (type === ResolverType.CUSTOM) {
+      if (!rawOptions.proto)
+        throw new Error(
+          'The "CUSTOM" type need also provide "proto" in options.'
+        );
+
+      return {
+        resolver: customProtoHeaderResolver(rawOptions.proto),
+        ...omit(rawOptions, ['type', 'proto']),
+      } as SslOptions;
+    }
+    // if not CUSTOM.
+    return {
+      resolver: resolverMapper[type](),
+      ...omit(rawOptions, ['type', 'proto']),
+    } as SslOptions;
+  }
+
+  private checkResolverType(type: string) {
+    // check incorrect type
+    if (!(type.toUpperCase() in ResolverType))
+      throw new Error(
+        `The type is incorrect, only support type in ${JSON.stringify(
+          Object.keys(ResolverType)
+        )}.`
+      );
+  }
+}
+
+/**
+ * Get enforce https options in config
+ * @param options EnforceHttpsOptions
+ * @returns beside you disabled it, or it return enforce https options when setup "enforce-https"( if not found options, default is LOCAL type ).
+ */
+export const getEnforceHttpsOptions = (options?: {
+  enabled: boolean;
+  options: EnforceHttpsOptions;
+}): {
+  enabled: boolean;
+  options: EnforceHttpsOptions;
+} => {
+  // if not given "enforce-https" options, return default options
+  if (!options)
+    return {
+      enabled: true,
+      options: { type: ResolverType.LOCAL } as EnforceHttpsOptions,
+    };
+
+  return {
+    enabled: isUndefined(options['enabled']) ? true : false,
+    options:
+      options['options'] ||
+      ({ type: ResolverType.LOCAL } as EnforceHttpsOptions),
+  };
+};

packages/serve/src/lib/middleware/index.ts

@@ -4,21 +4,24 @@ export * from './auditLogMiddleware';
 export * from './rateLimitMiddleware';
 export * from './authMiddleware';
 export * from './response-format';
+export * from './enforceHttpsMiddleware';
 
 import { CorsMiddleware } from './corsMiddleware';
 import { AuthMiddleware } from './authMiddleware';
 import { RateLimitMiddleware } from './rateLimitMiddleware';
 import { RequestIdMiddleware } from './requestIdMiddleware';
 import { AuditLoggingMiddleware } from './auditLogMiddleware';
 import { ResponseFormatMiddleware } from './response-format';
+import { EnforceHttpsMiddleware } from './enforceHttpsMiddleware';
 import { ClassType, ExtensionBase } from '@vulcan-sql/core';
 
 // The order is the middleware running order
 export const BuiltInRouteMiddlewares: ClassType<ExtensionBase>[] = [
   CorsMiddleware,
-  RateLimitMiddleware,
+  EnforceHttpsMiddleware,
   RequestIdMiddleware,
   AuditLoggingMiddleware,
+  RateLimitMiddleware,
   AuthMiddleware,
   ResponseFormatMiddleware,
 ];

packages/serve/src/lib/server.ts

@@ -1,24 +1,40 @@
+import { isEmpty } from 'lodash';
+import * as fs from 'fs';
+import * as http from 'http';
+import * as https from 'https';
 import {
   VulcanArtifactBuilder,
   TYPES as CORE_TYPES,
   CodeLoader,
 } from '@vulcan-sql/core';
-import * as http from 'http';
 import { Container, TYPES } from '../containers';
-import { ServeConfig } from '../models';
+import { ServeConfig, sslFileOptions } from '../models';
 import { VulcanApplication } from './app';
+import {
+  EnforceHttpsOptions,
+  getEnforceHttpsOptions,
+  ResolverType,
+} from './middleware';
 export class VulcanServer {
   private config: ServeConfig;
   private container: Container;
-  private server?: http.Server;
-
+  private servers?: {
+    http: http.Server;
+    https?: https.Server;
+  };
   constructor(config: ServeConfig) {
     this.config = config;
     this.container = new Container();
   }
-
-  public async start(port = 3000) {
-    if (this.server)
+  /**
+   * Start the vulcan server. default http port is 3000, you could also change it by setting "port" under config.
+   *
+   * When you enabled "enforce-https" options and add "ssl" options in the config, it will run the https server too locally (default "type" = LOCAL under "enforce-https" options).
+   *
+   * If you don't set the "port" under "enforce-https" options, it will use the default 3001 as https port.
+   */
+  public async start() {
+    if (!isEmpty(this.servers))
       throw new Error('Server has created, please close it first.');
 
     // Load container
@@ -42,15 +58,67 @@ export class VulcanServer {
     // Create application
     const app = this.container.get<VulcanApplication>(TYPES.VulcanApplication);
     await app.useMiddleware();
-    await app.buildRoutes(schemas, this.config.types);
+    await app.buildRoutes(schemas, this.config['types']);
     // Run server
-    const server = http.createServer(app.getHandler()).listen(port);
-    this.server = server;
-    return server;
+    this.servers = this.runServer(app);
+    return this.servers;
   }
-
   public async close() {
-    if (this.server) this.server.close();
+    if (this.servers) {
+      if (this.servers['http']) this.servers['http'].close();
+      if (this.servers['https']) this.servers['https'].close();
+      this.servers = undefined;
+    }
     this.container.unload();
   }
+
+  /**
+   * Run server
+   * for https when config has setup ssl and middleware 'enforce-https' enabled with "LOCAL" type, or keep http
+   */
+  private runServer(app: VulcanApplication) {
+    const { enabled, options } = getEnforceHttpsOptions(
+      this.config['enforce-https']
+    );
+
+    const httpPort = this.config['port'] || 3000;
+    const httpServer = http.createServer(app.getHandler()).listen(httpPort);
+
+    if (enabled && options['type'] === ResolverType.LOCAL) {
+      const httpsServer = this.createHttpsServer(
+        app,
+        options,
+        this.config['ssl']!
+      );
+      return { http: httpServer, https: httpsServer };
+    }
+
+    return { http: httpServer };
+  }
+
+  private createHttpsServer(
+    app: VulcanApplication,
+    options: EnforceHttpsOptions,
+    ssl: sslFileOptions
+  ) {
+    // check ssl file
+    if (!fs.existsSync(ssl.key) || !fs.existsSync(ssl.cert))
+      throw new Error(
+        'Must need key and cert file at least when open https server.'
+      );
+
+    // create https server
+    const httpsPort = options['port'] || 3001;
+    return https
+      .createServer(
+        {
+          key: fs.readFileSync(ssl.key),
+          cert: fs.readFileSync(ssl.cert),
+          // if ca not exist, set undefined
+          ca: fs.existsSync(ssl.ca) ? fs.readFileSync(ssl.ca) : undefined,
+        },
+        app.getHandler()
+      )
+      .listen(httpsPort);
+  }
 }

packages/serve/src/models/serveOptions.ts

@@ -1,10 +1,21 @@
 import { ICoreOptions } from '@vulcan-sql/core';
 import { APIProviderType } from '@vulcan-sql/serve/route';
 
+export interface sslFileOptions {
+  /* key file path */
+  key: string;
+  /* certificate file path */
+  cert: string;
+  /** certificate bundle */
+  ca: string;
+}
+
 // The serve package config
 export interface ServeConfig extends ICoreOptions {
+  /* http port, if not setup, default is 3000 */
+  ['port']?: number;
   /* The API types would like to build */
-  ['types']: Array<APIProviderType>;
+  ['types']?: Array<APIProviderType>;
+  /** When 'enforce-https' is enabled and type is LOCAL in middleware, need the ssl key and cert*/
+  ['ssl']?: sslFileOptions;
 }
-
-export type AppConfig = Omit<ServeConfig, 'artifact' | 'template' | 'types'>;