chore(release): 0.0.70

Merge pull request #161 from sasjs/csp-disable
Added additional options for HELMET
2025-12-11 19:44:35 +00:00 · 2022-05-06 14:45:31 +00:00 · 2022-05-06 17:44:18 +03:00 · 2022-05-06 19:41:02 +05:00 · 2022-05-06 13:40:48 +00:00 · 2022-05-06 13:40:40 +00:00
19 changed files with 199 additions and 103 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,20 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 ### [0.0.70](https://github.com/sasjs/server/compare/v0.0.69...v0.0.70) (2022-05-06)
 ### Features
 * CSP_DISABLE env option ([dd3acce](https://github.com/sasjs/server/commit/dd3acce3935e7cfc0b2c44a401314306915a3a10))
 ### [0.0.69](https://github.com/sasjs/server/compare/v0.0.68...v0.0.69) (2022-05-02)
 ### Bug Fixes
 * **upload:** appStream uses CSRF + Session authentication ([1f89279](https://github.com/sasjs/server/commit/1f8927926405887f3d134c0a1dd6452ffa33876e))
 ### [0.0.68](https://github.com/sasjs/server/compare/v0.0.67...v0.0.68) (2022-05-02)
--- a/README.md
+++ b/README.md
@@ -48,15 +48,22 @@ When launching the app, it will make use of specific environment variables. Thes
 Example contents of a `.env` file:
 ```
-# options: [desktop|server] default: `desktop`
+#
 ## Core Settings
 #
 # MODE options: [desktop|server] default: `desktop`
 # Desktop mode is single user and designed for workstation use
 # Server mode is multi-user and suitable for intranet / internet use
 MODE=
-# options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
+# Path to SAS executable (sas.exe / sas.sh)
-# If enabled, be sure to also configure the WHITELIST of third party servers.
+SAS_PATH=/path/to/sas/executable.exe
 CORS=
-# options: <http://localhost:3000 https://abc.com ...> space separated urls
+# Path to working directory
-WHITELIST=
+# This location is for SAS WORK, staged files, DRIVE, configuration etc
 DRIVE_PATH=/tmp
 # options: [http|https] default: http
 PROTOCOL=
@@ -65,16 +72,22 @@ PROTOCOL=
 PORT=
-# optional
+#
-# for MODE: `desktop`, prompts user
+## Additional SAS Options
-# for MODE: `server` gets value from api/package.json `configuration.sasPath`
+#
 SAS_PATH=/path/to/sas/executable.exe
-# optional
+# On windows use SAS_OPTIONS and on unix use SASV9_OPTIONS
-# for MODE: `desktop`, prompts user
+# Any options set here are automatically applied in the SAS session
-# for MODE: `server` defaults to /tmp
+# See: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostunx/p0wrdmqp8k0oyyn1xbx3bp3qy2wl.htm
-DRIVE_PATH=/tmp
+# And: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostwin/p0drw76qo0gig2n1kcoliekh605k.htm#p09y7hx0grw1gin1giuvrjyx61m6
 SAS_OPTIONS= -NOXCMD
 SASV9_OPTIONS= -NOXCMD
 #
 ## Additional Web Server Options
 #
 # ENV variables required for PROTOCOL: `https`
 PRIVATE_KEY=privkey.pem
@@ -87,13 +100,30 @@ AUTH_CODE_SECRET=<secret>
 SESSION_SECRET=<secret>
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
-# SAS Options
+# options: [disable|enable] default: `disable` for `server` & `enable` for `desktop`
-# On windows use SAS_OPTIONS and on unix use SASV9_OPTIONS
+# If enabled, be sure to also configure the WHITELIST of third party servers.
-# Any options set here are automatically applied in the SAS session
+CORS=
-# See: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostunx/p0wrdmqp8k0oyyn1xbx3bp3qy2wl.htm
+
-# And: https://documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/hostwin/p0drw76qo0gig2n1kcoliekh605k.htm#p09y7hx0grw1gin1giuvrjyx61m6
+# options: <http://localhost:3000 https://abc.com ...> space separated urls
-SAS_OPTIONS= -NOXCMD
+WHITELIST=
-SASV9_OPTIONS= -NOXCMD
+
 # HELMET Cross Origin Embedder Policy
 # Sets the Cross-Origin-Embedder-Policy header to require-corp when `true`
 # options: [true|false] default: true
 # Docs: https://helmetjs.github.io/#reference (`crossOriginEmbedderPolicy`)
 HELMET_COEP=
 # HELMET Content Security Policy
 # Path to a json file containing HELMET `contentSecurityPolicy` directives
 # Docs: https://helmetjs.github.io/#reference
 #
 # Example config:
 # {
 #   "img-src": ["'self'", "domain.com"],
 #   "script-src": ["'self'", "'unsafe-inline'"],
 #   "script-src-attr": ["'self'", "'unsafe-inline'"]
 # }
 HELMET_CSP_CONFIG_PATH=./csp.config.json
 ```
--- a/api/.env.example
+++ b/api/.env.example
@@ -8,6 +8,9 @@ FULL_CHAIN=fullchain.pem
 PORT=[5000] default value is 5000
 HELMET_CSP_CONFIG_PATH=./csp.config.json if omitted HELMET default will be used
 HELMET_COEP=[true|false] if omitted HELMET default will be used
 ACCESS_TOKEN_SECRET=<secret>
 REFRESH_TOKEN_SECRET=<secret>
 AUTH_CODE_SECRET=<secret>
--- a/api/csp.config.example.json
+++ b/api/csp.config.example.json
@@ -0,0 +1,5 @@
 {
  "img-src": ["'self'", "domen.com"],
  "script-src": ["'self'", "'unsafe-inline'"],
  "script-src-attr": ["'self'", "'unsafe-inline'"]
 }
--- a/api/public/app-streams-script.js
+++ b/api/public/app-streams-script.js
@@ -0,0 +1,49 @@
 const inputElement = document.getElementById('fileId')
 document.getElementById('uploadButton').addEventListener('click', function () {
  inputElement.click()
 })
 inputElement.addEventListener(
  'change',
  function () {
    const fileList = this.files /* now you can work with the file list */
    updateFileUploadMessage('Requesting ...')
    const file = fileList[0]
    const formData = new FormData()
    formData.append('file', file)
    axios
      .post('/SASjsApi/drive/deploy/upload', formData)
      .then((res) => res.data)
      .then((data) => {
        return (
          data.message +
          '\nstreamServiceName: ' +
          data.streamServiceName +
          '\nrefreshing page once alert box closes.'
        )
      })
      .then((message) => {
        alert(message)
        location.reload()
      })
      .catch((error) => {
        alert(error.response.data)
        resetFileUpload()
        updateFileUploadMessage('Upload New App')
      })
  },
  false
 )
 function updateFileUploadMessage(message) {
  document.getElementById('uploadMessage').innerHTML = message
 }
 function resetFileUpload() {
  inputElement.value = null
 }
--- a/api/public/axios.min.js
+++ b/api/public/axios.min.js
--- a/api/src/app.ts
+++ b/api/src/app.ts
@@ -17,6 +17,7 @@ import {
  setProcessVariables,
  setupFolders
 } from './utils'
 import { getEnvCSPDirectives } from './utils/parseHelmetConfig'
 dotenv.config()
@@ -25,7 +26,8 @@ const app = express()
 app.use(cookieParser())
 app.use(morgan('tiny'))
-const { MODE, CORS, WHITELIST, PROTOCOL } = process.env
+const { MODE, CORS, WHITELIST, PROTOCOL, HELMET_CSP_CONFIG_PATH, HELMET_COEP } =
  process.env
 export const cookieOptions = {
  secure: PROTOCOL === 'https',
@@ -33,6 +35,10 @@ export const cookieOptions = {
  maxAge: 24 * 60 * 60 * 1000 // 24 hours
 }
 const cspConfigJson = getEnvCSPDirectives(HELMET_CSP_CONFIG_PATH)
 const coepFlag =
  HELMET_COEP === 'true' || HELMET_COEP === undefined ? true : false
 /***********************************
 *         CSRF Protection         *
 ***********************************/
@@ -41,7 +47,17 @@ export const csrfProtection = csrf({ cookie: cookieOptions })
 /***********************************
 *   Handle security and origin    *
 ***********************************/
-app.use(helmet())
+app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        ...helmet.contentSecurityPolicy.getDefaultDirectives(),
        ...cspConfigJson
      }
    },
    crossOriginEmbedderPolicy: coepFlag
  })
 )
 /***********************************
 *         Enabling CORS           *
--- a/api/src/controllers/web.ts
+++ b/api/src/controllers/web.ts
@@ -14,8 +14,8 @@ export class WebController {
   *
   */
  @Get('/')
-  public async home(@Request() req: express.Request) {
+  public async home() {
-    return home(req)
+    return home()
  }
  /**
@@ -44,16 +44,13 @@ export class WebController {
  }
 }
-const home = async (req: express.Request) => {
+const home = async () => {
  const indexHtmlPath = path.join(getWebBuildFolderPath(), 'index.html')
  // Attention! Cannot use fileExists here,
  // due to limitation after building executable
  const content = await readFile(indexHtmlPath)
  req.res?.cookie('XSRF-TOKEN', req.csrfToken())
  req.res?.setHeader('Content-Type', 'text/html')
  return content
 }
--- a/api/src/routes/appStream/appStreamHtml.ts
+++ b/api/src/routes/appStream/appStreamHtml.ts
@@ -1,5 +1,4 @@
 import { AppStreamConfig } from '../../types'
 import { script } from './script'
 import { style } from './style'
 const defaultAppLogo = '/sasjs-logo.svg'
@@ -39,6 +38,7 @@ export const appStreamHtml = (appStreamConfig: AppStreamConfig) => `
          <span id="uploadMessage">Upload New App</span>
        </a>
    </div>
-    ${script}
+    <script src="/axios.min.js"></script>
    <script src="/app-streams-script.js"></script>
  </body>
 </html>`
--- a/api/src/routes/appStream/index.ts
+++ b/api/src/routes/appStream/index.ts
@@ -7,9 +7,11 @@ import { appStreamHtml } from './appStreamHtml'
 const router = express.Router()
-router.get('/', async (_, res) => {
+router.get('/', async (req, res) => {
  const content = appStreamHtml(process.appStreamConfig)
  res.cookie('XSRF-TOKEN', req.csrfToken())
  return res.send(content)
 })
--- a/api/src/routes/appStream/script.ts
+++ b/api/src/routes/appStream/script.ts
@@ -1,58 +0,0 @@
 export const script = `<script>
  const inputElement = document.getElementById('fileId')
  document
    .getElementById('uploadButton')
    .addEventListener('click', function () {
      inputElement.click()
    })
  inputElement.addEventListener(
    'change',
    function () {
      const fileList = this.files /* now you can work with the file list */
      updateFileUploadMessage('Requesting ...')
      const file = fileList[0]
      const formData = new FormData()
      formData.append('file', file)
      fetch('/SASjsApi/drive/deploy/upload', {
        method: 'POST',
        body: formData
      })
        .then(async (res) => {
          const { status, ok } = res
          if (status === 200 && ok) {
            const data = await res.json()
            return (
              data.message +
              '\\nstreamServiceName: ' +
              data.streamServiceName +
              '\\nrefreshing page once alert box closes.'
            )
          }
          throw await res.text()
        })
        .then((message) => {
          alert(message)
          location.reload()
        })
        .catch((error) => {
          alert(error)
          resetFileUpload()
          updateFileUploadMessage('Upload New App')
        })
    },
    false
  )
  function updateFileUploadMessage(message) {
    document.getElementById('uploadMessage').innerHTML = message
  }
  function resetFileUpload() {
    inputElement.value = null
  }
 </script>`
--- a/api/src/routes/setupRoutes.ts
+++ b/api/src/routes/setupRoutes.ts
@@ -4,14 +4,16 @@ import webRouter from './web'
 import apiRouter from './api'
 import appStreamRouter from './appStream'
 import { csrfProtection } from '../app'
 export const setupRoutes = (app: Express) => {
  app.use('/SASjsApi', apiRouter)
-  app.use('/AppStream', function (req, res, next) {
+  app.use('/AppStream', csrfProtection, function (req, res, next) {
    // this needs to be a function to hook on
    // whatever the current router is
    appStreamRouter(req, res, next)
  })
-  app.use('/', webRouter)
+  app.use('/', csrfProtection, webRouter)
 }
--- a/api/src/routes/web/index.ts
+++ b/api/src/routes/web/index.ts
@@ -1,11 +1,8 @@
 import express from 'express'
 import { csrfProtection } from '../../app'
 import webRouter from './web'
 const router = express.Router()
 router.use(csrfProtection)
 router.use('/', webRouter)
 export default router
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -7,7 +7,10 @@ const controller = new WebController()
 webRouter.get('/', async (req, res) => {
  try {
-    const response = await controller.home(req)
+    const response = await controller.home()
    res.cookie('XSRF-TOKEN', req.csrfToken())
    return res.send(response)
  } catch (_) {
    return res.send('Web Build is not present')
--- a/api/src/utils/parseHelmetConfig.ts
+++ b/api/src/utils/parseHelmetConfig.ts
@@ -0,0 +1,33 @@
 import path from 'path'
 import fs from 'fs'
 export const getEnvCSPDirectives = (
  HELMET_CSP_CONFIG_PATH: string | undefined
 ) => {
  let cspConfigJson = {
    'script-src': ["'self'", "'unsafe-inline'"]
  }
  if (
    typeof HELMET_CSP_CONFIG_PATH === 'string' &&
    HELMET_CSP_CONFIG_PATH.length > 0
  ) {
    const cspConfigPath = path.join(process.cwd(), HELMET_CSP_CONFIG_PATH)
    try {
      let file = fs.readFileSync(cspConfigPath).toString()
      try {
        cspConfigJson = JSON.parse(file)
      } catch (e) {
        console.error(
          'Parsing Content Security Policy JSON config failed. Make sure it is valid json'
        )
      }
    } catch (e) {
      console.error('Error reading HELMET CSP config file', e)
    }
  }
  return cspConfigJson
 }
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "server",
-  "version": "0.0.68",
+  "version": "0.0.70",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "server",
-      "version": "0.0.68",
+      "version": "0.0.70",
      "devDependencies": {
        "prettier": "^2.3.1",
        "standard-version": "^9.3.2"
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "server",
-  "version": "0.0.68",
+  "version": "0.0.70",
  "description": "NodeJS wrapper for calling the SAS binary executable",
  "repository": "https://github.com/sasjs/server",
  "scripts": {
--- a/web/package-lock.json
+++ b/web/package-lock.json
@@ -21,6 +21,7 @@
        "@types/node": "^12.20.28",
        "@types/react": "^17.0.27",
        "axios": "^0.24.0",
        "monaco-editor": "^0.33.0",
        "monaco-editor-webpack-plugin": "^7.0.1",
        "react": "^17.0.2",
        "react-dom": "^17.0.2",
@@ -8422,8 +8423,7 @@
    "node_modules/monaco-editor": {
      "version": "0.33.0",
      "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.33.0.tgz",
-      "integrity": "sha512-VcRWPSLIUEgQJQIE0pVT8FcGBIgFoxz7jtqctE+IiCxWugD0DwgyQBcZBhdSrdMC84eumoqMZsGl2GTreOzwqw==",
+      "integrity": "sha512-VcRWPSLIUEgQJQIE0pVT8FcGBIgFoxz7jtqctE+IiCxWugD0DwgyQBcZBhdSrdMC84eumoqMZsGl2GTreOzwqw=="
      "peer": true
    },
    "node_modules/monaco-editor-webpack-plugin": {
      "version": "7.0.1",
@@ -17505,8 +17505,7 @@
    "monaco-editor": {
      "version": "0.33.0",
      "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.33.0.tgz",
-      "integrity": "sha512-VcRWPSLIUEgQJQIE0pVT8FcGBIgFoxz7jtqctE+IiCxWugD0DwgyQBcZBhdSrdMC84eumoqMZsGl2GTreOzwqw==",
+      "integrity": "sha512-VcRWPSLIUEgQJQIE0pVT8FcGBIgFoxz7jtqctE+IiCxWugD0DwgyQBcZBhdSrdMC84eumoqMZsGl2GTreOzwqw=="
      "peer": true
    },
    "monaco-editor-webpack-plugin": {
      "version": "7.0.1",
--- a/web/package.json
+++ b/web/package.json
@@ -20,6 +20,7 @@
    "@types/node": "^12.20.28",
    "@types/react": "^17.0.27",
    "axios": "^0.24.0",
    "monaco-editor": "^0.33.0",
    "monaco-editor-webpack-plugin": "^7.0.1",
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
Author	SHA1	Message	Date
Allan Bowe	25dc5dd215	chore(release): 0.0.70	2022-05-06 14:45:31 +00:00
Allan Bowe	503994dbd2	Merge pull request #161 from sasjs/csp-disable Added additional options for HELMET	2022-05-06 17:44:18 +03:00
Saad Jutt	0dceb5c3c3	chore: web package-lock built with LTS	2022-05-06 19:41:02 +05:00
Mihajlo Medjedovic	1af04fa3b3	Merge branch 'csp-disable' of github.com:sasjs/server into csp-disable	2022-05-06 13:40:48 +00:00
Mihajlo Medjedovic	efa81fec77	chore: package-lock	2022-05-06 13:40:40 +00:00
Allan Bowe	10caf1918a	chore: updating README	2022-05-06 12:13:45 +00:00
Mihajlo Medjedovic	4ed20a3b75	chore: readme update	2022-05-06 11:49:32 +00:00
Mihajlo Medjedovic	98b2c5fa25	chore: readme update	2022-05-06 11:46:40 +00:00
Mihajlo Medjedovic	3ad327b85f	chore: helmet config cleanup	2022-05-06 11:40:12 +00:00
Mihajlo Medjedovic	dd3acce393	feat: CSP_DISABLE env option	2022-05-05 18:25:33 +00:00
Allan Bowe	8065727b9b	chore(release): 0.0.69	2022-05-02 15:24:56 +00:00
Allan Bowe	e1223ec3f8	Merge pull request #158 from sasjs/update-csp-policy fix(upload): appStream uses CSRF + Session authentication	2022-05-02 18:22:35 +03:00
Saad Jutt	1f89279264	fix(upload): appStream uses CSRF + Session authentication	2022-05-02 18:01:28 +05:00