Api-gateway-service NPM

api-gateway-service

Enter your description here

Development

  docker-compose up

  localhost:8080/documentation

Dependencies

docker
docker-compose

Requirements

eslint linting
100% unit test coverage

Scripts

Command	Description
start	Starts the service
start:watch	Starts the service with watch and inspect
lint	Checks project linting
lint:fix	Checks project linting and fixes what it can
test	Test runner
test:watch	Test runner with watch
coverage	Coverage checker
coverage:watch	Coverage checker with watch
ci	Run CI checks

Coveralls

$COVERALLS_REPO_TOKEN env var must be provided in the project settings

CSRF

CSRF_ALLOW_ANY_ACCOUNT_ROUTES is semicolon separated value. Note that if you want to allow root call use '/;' not ';'. Also avoid using trailing semicolon.

Is not vulnerable if:

has no referrer header
req.path starts with any CSRF_ALLOW_ANY_ACCOUNT_ROUTES and req.headers.referer domain is corresponding any existing account.fqdn
isWildCardOriginRequest:

req.path === '/graphql' and query is allowed in config.cors.allowedGQLQueries
config.cors.allowedRoutes includes req.path
req.path starts with any of config.cors.allowedWildcardRoutes

Then using originProvider:

if req.headers['x-elateral-fqdn'], then get account from req.headers['x-elateral-fqdn'] if exists, return its http(s)://fqdnFromAccount.com named ORIGIN
isWildCardOriginRequest (same as in step 2) returned true, return false named ORIGIN
if req.path starts with aid, then get account from aid if exists, return its http(s)://fqdnFromAccount.com named ORIGIN

if req.headers.referer starts with ORIGIN
if ORIGIN === false
if req.headers.origin === ${config.cors.protocol}://${config.apiHost} // callingFromApiHost

Is vulnerable if:

using originProvider returned Error. Possible if:

no account with such req.headers['x-elateral-fqdn']
if aid is in route and no account with such aid // originProvider can return undefined if it was unable to solve origin, in that case we can’t assume if req is CSRF or not, we get to next step. Undefined origin is used in CORS check.

all above checks passed and still have no info if req is CSRF or not

CORS

CORS_ALLOWED_WILDCARD_ROUTES and CORS_ALLOWED_ROUTES are semicolon separated values. Note that if you want to allow root call use '/;' route not ';'. Also avoid using trailing semicolon.

Is not CORS vulnerable if:

Using originProvider returned origin:

from req.headers'x-elateral-fqdn', then get account from req.headers'x-elateral-fqdn' if exists, return its http(s)://fqdnFromAccount.com named ORIGIN
isWildCardOriginRequest (same as in step 2) returned true, return 'false' named ORIGIN
from req.path starts with aid, then get account from aid if exists, return its http(s)://fqdnFromAccount.com named ORIGIN

Using originProvider returned origin as false:

isWildCardOriginRequest (same as in step 2 of not vulnerable CSRF), return false named ORIGIN In this case we disable CORS for this request - making its Access-Control-Allow-Origin: * - wildcard

Is CORS vulnerable if:

Using originProvider returned Error. Possible if:

no account with such req.headers['x-elateral-fqdn']
if aid is in route and no account found with such aid

if originProvider passed all steps and conditions and was unable to solve origin and returned undefined