add useProxies config to support x-forwarded headers in express

artlowel · artlowel · commit 941e71a75b99 · 2022-09-28T13:10:46.000+02:00
diff --git a/server.ts b/server.ts
@@ -75,6 +75,10 @@ export function app() {
    */
   const server = express();
 
+  // Tell Express to trust X-FORWARDED-* headers from proxies
+  // See https://expressjs.com/en/guide/behind-proxies.html
+  server.set('trust proxy', environment.ui.useProxies);
+
   /*
    * If production mode is enabled in the environment file:
    * - Enable Angular's production mode
diff --git a/src/config/config.util.spec.ts b/src/config/config.util.spec.ts
@@ -10,6 +10,7 @@ describe('Config Util', () => {
       expect(appConfig.cache.msToLive.default).toEqual(15 * 60 * 1000); // 15 minute
       expect(appConfig.ui.rateLimiter.windowMs).toEqual(1 * 60 * 1000); // 1 minute
       expect(appConfig.ui.rateLimiter.max).toEqual(500);
+      expect(appConfig.ui.useProxies).toEqual(true);
 
       expect(appConfig.submission.autosave.metadata).toEqual([]);
 
@@ -25,6 +26,8 @@ describe('Config Util', () => {
       };
       appConfig.ui.rateLimiter = rateLimiter;
 
+      appConfig.ui.useProxies = false;
+
       const autoSaveMetadata = [
         'dc.author',
         'dc.title'
@@ -44,6 +47,7 @@ describe('Config Util', () => {
       expect(environment.cache.msToLive.default).toEqual(msToLive);
       expect(environment.ui.rateLimiter.windowMs).toEqual(rateLimiter.windowMs);
       expect(environment.ui.rateLimiter.max).toEqual(rateLimiter.max);
+      expect(environment.ui.useProxies).toEqual(false);
       expect(environment.submission.autosave.metadata[0]).toEqual(autoSaveMetadata[0]);
       expect(environment.submission.autosave.metadata[1]).toEqual(autoSaveMetadata[1]);
 
diff --git a/src/config/default-app-config.ts b/src/config/default-app-config.ts
@@ -37,7 +37,10 @@ export class DefaultAppConfig implements AppConfig {
     rateLimiter: {
       windowMs: 1 * 60 * 1000, // 1 minute
       max: 500 // limit each IP to 500 requests per windowMs
-    }
+    },
+
+    // Trust X-FORWARDED-* headers from proxies
+    useProxies: true,
   };
 
   // The REST API server settings
diff --git a/src/config/ui-server-config.interface.ts b/src/config/ui-server-config.interface.ts
@@ -11,4 +11,6 @@ export class UIServerConfig extends ServerConfig {
     max: number;
   };
 
+  // Trust X-FORWARDED-* headers from proxies
+  useProxies: boolean;
 }
diff --git a/src/environments/environment.test.ts b/src/environments/environment.test.ts
@@ -25,7 +25,8 @@ export const environment: BuildConfig = {
     rateLimiter: {
       windowMs: 1 * 60 * 1000, // 1 minute
       max: 500 // limit each IP to 500 requests per windowMs
-    }
+    },
+    useProxies: true,
   },
 
   // The REST API server settings.

Original file line number	Diff line number	Diff line change
`@@ -11,4 +11,6 @@ export class UIServerConfig extends ServerConfig {`
`11`	`11`	`max: number;`
`12`	`12`	`};`
`13`	`13`
	`14`	`+ // Trust X-FORWARDED-* headers from proxies`
	`15`	`+ useProxies: boolean;`
`14`	`16`	`}`