0.161.2-121167a • Published 2 years ago
api-gateway-service v0.161.2-121167a
api-gateway-service
Enter your description here
Development
docker-compose up localhost:8080/documentationDependencies
- docker
- docker-compose
Requirements
- eslint linting
- 100% unit test coverage
Scripts
| Command | Description |
|---|---|
| start | Starts the service |
| start:watch | Starts the service with watch and inspect |
| lint | Checks project linting |
| lint:fix | Checks project linting and fixes what it can |
| test | Test runner |
| test:watch | Test runner with watch |
| coverage | Coverage checker |
| coverage:watch | Coverage checker with watch |
| ci | Run CI checks |
Coveralls
$COVERALLS_REPO_TOKEN env var must be provided in the project settings
CSRF
CSRF_ALLOW_ANY_ACCOUNT_ROUTES is semicolon separated value. Note that if you want to allow root call use '/;' not ';'. Also avoid using trailing semicolon.
Is not vulnerable if:
- has no referrer header
req.pathstarts with anyCSRF_ALLOW_ANY_ACCOUNT_ROUTESandreq.headers.refererdomain is corresponding any existingaccount.fqdn- isWildCardOriginRequest:
req.path === '/graphql'and query is allowed inconfig.cors.allowedGQLQueriesconfig.cors.allowedRoutesincludesreq.pathreq.pathstarts with any ofconfig.cors.allowedWildcardRoutes
Then using originProvider:
- if
req.headers['x-elateral-fqdn'], then get account fromreq.headers['x-elateral-fqdn']if exists, return itshttp(s)://fqdnFromAccount.comnamedORIGIN - isWildCardOriginRequest (same as in step 2) returned
true, returnfalsenamedORIGIN - if
req.pathstarts with aid, then get account from aid if exists, return itshttp(s)://fqdnFromAccount.comnamedORIGIN
- if
req.headers.refererstarts withORIGIN - if
ORIGIN === false - if
req.headers.origin === ${config.cors.protocol}://${config.apiHost}// callingFromApiHost
Is vulnerable if:
- using originProvider returned Error. Possible if:
- no account with such
req.headers['x-elateral-fqdn'] - if aid is in route and no account with such aid // originProvider can return undefined if it was unable to solve origin, in that case we can’t assume if req is CSRF or not, we get to next step. Undefined origin is used in CORS check.
- all above checks passed and still have no info if req is CSRF or not
CORS
CORS_ALLOWED_WILDCARD_ROUTES and CORS_ALLOWED_ROUTES are semicolon separated values. Note that if you want to allow root call use '/;' route not ';'. Also avoid using trailing semicolon.
Is not CORS vulnerable if:
- Using originProvider returned origin:
- from req.headers'x-elateral-fqdn', then get account from req.headers'x-elateral-fqdn' if exists, return its
http(s)://fqdnFromAccount.comnamedORIGIN - isWildCardOriginRequest (same as in step 2) returned true, return 'false' named
ORIGIN - from req.path starts with aid, then get account from aid if exists, return its
http(s)://fqdnFromAccount.com namedORIGIN
- Using originProvider returned origin as
false:
- isWildCardOriginRequest (same as in step 2 of not vulnerable CSRF), return
falsenamedORIGINIn this case we disable CORS for this request - making itsAccess-Control-Allow-Origin: *- wildcard
Is CORS vulnerable if:
- Using originProvider returned Error. Possible if:
- no account with such
req.headers['x-elateral-fqdn'] - if aid is in route and no account found with such aid
- if originProvider passed all steps and conditions and was unable to solve origin and returned undefined
0.161.2-121167a
2 years ago
1.0.53
3 years ago