Boar Koa Server
Example usage for app
Put these lines in your server.js:
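const Koa = require('koa');
const path = require('path');

// Export the Koa instance so this file can be required without starting a listener
// (see the entry-point guard at the bottom).
const koaApp = new Koa();
module.exports = koaApp;

const config = require('./config');
const App = require('@emartech/boar-koa-server').app;

// Wrap the Koa instance and load the controllers found under <config.root>/controllers.
const app = new App(koaApp);
app.loadControllers(path.join(config.root, 'controllers'));

// Listen only when this file is the process entry point. `require.main === module`
// replaces the deprecated `module.parent` check.
if (require.main === module) {
  app.listen(config.port);
}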
Add middleware for your app
// Third-party Koa middleware is registered through addMiddleware.
const cors = require('koa-cors');
const app = new App(koaApp);
// NOTE(review): cors() is called without options, so the package's defaults decide which
// origins are allowed — check them and pass an explicit origin allow-list where needed.
app.addMiddleware(cors());
Built-in Middlewares
app.addCorsSupportMiddleware();
Allowed settings :
// Settings accepted by the built-in CORS middleware.
app.addCorsSupportMiddleware({
// '*' is the wildcard origin (any site); this README recommends listing the
// origins you actually trust instead.
allowOrigin: '*',
// Comma-separated list of HTTP methods allowed for cross-origin requests.
allowMethods: 'GET,HEAD,PUT,POST,DELETE,PATCH',
});
⚠️ WARNING ⚠️ :
In versions before 2.0.0, not specifying an allowed origin made the middleware always return an Access-Control-Allow-Origin header with the value of the origin from the request. This behavior completely disables one of the most crucial protections in browsers, the Same Origin Policy (SOP), and could pose a very serious security threat to the users of this middleware.
Since version 2.0.0, the package is based on @koa/cors@5.0.0, which disables this behavior.
It is highly recommended to specify a list of allowed origins.
app.addMethodOverrideMiddleware();
app.addBodyParseMiddleware(options);
Param | Type | Description |
---|
options | Object | optional |
↳header | String | The name of the header to read the id on the request, false to disable. |
↳query | String | The name of the query string parameter to read the id from, false to disable. |
↳expose | String | The name of the header to expose the id on the response, false to disable. |
app.addRequestIdmiddleware(options);
app.addEnforceSSLMiddleware();
If your application is running behind a reverse proxy (like Heroku), you should set the trustProxy configuration option to true in order to process the x-forwarded-proto header.
const app = new App(koaApp);
// Enable trustProxy only when a proxy you control sets x-forwarded-proto on every request.
// NOTE(review): if clients can reach the app directly, they can presumably supply that
// header themselves and sidestep the HTTPS check — confirm against your deployment.
app.addEnforceSSLMiddleware({ trustProxy: true });
Note: if you use the EnforceSSL middleware, it should be the first middleware you add.
Security
Provides middlewares for setting up various security related HTTP headers.
app.addSecurityMiddlewares(options);
Default configuration
// Default options used by app.addSecurityMiddlewares() when none are passed, as listed in this README.
{
csp: {
directives: {
// Every fetch directive below is limited to the application's own origin.
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'"],
imgSrc: ["'self'"],
frameAncestors: ["'self'"],
// NOTE(review): 'about:blank' looks like a placeholder, so violation reports would not
// reach a collector — presumably meant to be overridden with a real endpoint; confirm.
reportUri: 'about:blank'
},
// NOTE(review): by its name this puts the policy in report-only mode, i.e. violations are
// reported rather than blocked — confirm, and set it to false if enforcement is wanted.
reportOnly: true
},
hsts: {
// NOTE(review): the unit is not stated here; if it is seconds, as in the HSTS header's
// max-age, 30 is very short for production — confirm and raise it deliberately.
maxAge: 30,
includeSubDomains: true,
preload: false
},
useXssFilter: true,
useNoSniff: true,
// NOTE(review): presumably false means no Referrer-Policy header is sent — confirm.
referrerPolicy: false
}
Libraries
ControllerFactory
const { controllerFactory: ControllerFactory } = require('@emartech/boar-koa-server').lib;

/**
 * Registers this controller's routes on the router handed in by ControllerFactory.create.
 * Each route is bound to the action module named by its path.
 */
function registerRoutes(router) {
  router.get('/', ControllerFactory.load('main/actions/get'));
  router.get('/healthcheck', ControllerFactory.load('main/actions/healthcheck/get'));
  // NOTE(review): loadByAcceptType presumably selects the action variant from the
  // request's Accept type — confirm in the library.
  router.get('/list', ControllerFactory.loadByAcceptType('main/actions/list/get'));
}

module.exports = ControllerFactory.create(registerRoutes);