@mashroom/mashroom-helmet

Mashroom Helmet

Plugin for Mashroom Server, a Integration Platform for Microfrontends.

This plugin adds the Helmet middleware which sets a bunch of protective HTTP headers on each response.

Usage

If node_modules/@mashroom is configured as plugin path just add @mashroom/mashroom-helmet as dependency.

You can override the default config in your Mashroom config file like this:

{
    "plugins": {
        "Mashroom Helmet Middleware": {
            "helmet": {
                "contentSecurityPolicy": false,
                "dnsPrefetchControl ": {
                    "allow": false
                },
                "expectCt": false,
                "featurePolicy": false,
                "frameguard": {
                    "action": "deny"
                },
                "hidePoweredBy": false,
                "hsts": {
                    "maxAge": 31536000
                },
                "ieNoOpen": false,
                "noSniff": {},
                "permittedCrossDomainPolicies": false,
                "referrerPolicy": false,
                "xssFilter": {
                    "mode": null
                }
            }
        }
    }
}

• helmet: The configuration will directly be passed to Helmet middelware. Checkout the Helmet Documentation for available options. You should enable the noCache module because this would significantly decrease the performance of the Mashroom Portal.

Changelog

1.8.0 (August 9, 2021)

• Portal: Fixed login failures due to "ENOENT: no such file or directory" errors when using mashroom-session-provider-filestore under Windows
• Portal: Reduced the number of session expiration checks to the server
• OpenID Connect Security Provider: Allowed multiple parallel auth requests. This fixes the problem that the login failed if multiple browser tabs were open and triggered the login at the same time.
• OpenID Connect Security Provider: Reduced the number of token refreshes
• Added a demo App for WebSocket proxy usage (@mashroom/mashroom-portal-demo-websocket-proxy-app)
• Portal: The App proxy supports now WebSocket. This means, that Apps (Microfrontends) can open WebSocket connections to servers "behind" the Portal. The usual (optional) Security headers going to be sent with the initial upgrade/handshake request. Proxy interceptors are ignored for WebSocket connections.
• HTTP Proxy: Added WebSocket support
• HTTP Proxy: Fixed rewriting the host header, so forwarding works even if the target server uses virtual hosting
• HTTP Proxy: The node-http-proxy based implementation is now default
• Added HTTP/2 support for HTTPS - this currently uses the node-spdy modules which has a known problem with compressed data. So, don't use this if your API server compresses responses. Also, don't use this if you rely on WebSocket or SSE. To enable it add this to you your server config:

  {
     "enableHttp2": true
  }
  

• Added TLS support (HTTPS). Can be enabled like this in the server config:

  {
     "httpsPort": 5443,
     "tlsOptions": {
         "key": "./certs/key.pem",
         "cert": "./certs/cert.pem"
     }
  }
  

  The tlsOptions are passed to https://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener
• Remote App Registry and Remote App Registry Kubernetes: Added support external plugin definitions. The need to be in JSON format and also expose on / by the server.
• Core: Mashroom supports now "external" plugin definition files, so the "mashroom" node in package.json can be in a separate file, by default mashroom.json or mashroom.js. E.g.:

  {
      "$schema": "https://www.mashroom-server.com/schemas/mashroom-plugins.json",
      "devModeBuildScript": "build",
      "plugins": [
          {
              "name": "Mashroom Portal Demo React App",
              "type": "portal-app",
              "bootstrap": "startReactDemoApp",
              "resources": {
                  "js": [
                      "bundle.js"
                  ],
                  "css": []
              },
              "defaultConfig": {
                  "resourcesRoot": "./dist"
              }
          }
      ]
  }
  

  The possible file name can be changed in the server config via the externalPluginConfigFileNames config property.
• Introduced JSON Schemas for all config files:
  • package.json: schemas/mashroom-packagejson-extension.json
  • mashroom.json (Server config): schemas/mashroom-server-config.json
  • acl.json: schemas/mashroom-security-acl.json
  • groupToRoleMapping.json: schemas/mashroom-security-ldap-provider-group-to-role-mapping.json
  • userToRoleMapping.json: schemas/mashroom-security-ldap-provider-user-to-role-mapping.json
  • users.json: schemas/mashroom-security-simple-provider-users.json
  • topicACL.json: schemas/mashroom-security-topic-acl.json
  • remotePortalApps.json: schemas/mashroom-portal-remote-apps.json The schema can be applied by adding @mashroom/mashroom-json-schemas to your dependencies:

  {
     "$schema": "./node_modules/@mashroom/mashroom-json-schemas/schemas/mashroom-packagejson-extension.json",
     "name": "my-package"
  }
  

  or by using the remote location:

  {
     "$schema": "https://www.mashroom-server.com/schemas/mashroom-packagejson-extension.json",
     "name": "my-package"
  }
  

• BREAKING CHANGE: All default config file names are now in camel case. The following config files had been renamed:
  • remote-portal-apps.json -> remotePortalApps.json
  • topic_acl.json -> topicACL.json
• Tabify App: Added the possibility to have fixed titles for the tabs (appConfig.fixedTabTitles)
• Portal: Added metaInfo and screenshots to MashroomPortalAppService.getAvailableApps() response. This allows an App to launch another App based on metadata and could be used to show a preview image.
• OpenID Connect Security Provider: Allow mapping arbitrary claims to user.extraData
• OpenID Connect Security Provider: Allow configuring HTTP timeout and number of retries when contacting the Authorization Server