Merge pull request #4253 from PieterGit/201901_profile_save_workaround2

Various fixes in one PR
nightscout · Feb 3, 2019 · 125a073 · 125a073
2 parents 2260fb4 + ab54f09
commit 125a073
Show file tree

Hide file tree

Showing 11 changed files with 239 additions and 434 deletions.
diff --git a/README.md b/README.md
@@ -124,14 +124,14 @@ Minimum browser requirements for viewing the site:
 - Chrome 68
 - Edge 15
 - Firefox 61
-- Internet Explorer: not supported
+- Internet Explorer: not supported, ie8 is known not to work
 - iOS 9 
 - Safari 11
 - Opera: 54
 
 Windows installation software requirements:
 
-- [Node.js](http://nodejs.org/) Latest Node 8 LTS (Node 8.15.0 or later) or Node 10 LTS (Node 10.15.0 or later; Node 10.14.1 works for Azure). Use [Install instructions for Node](https://nodejs.org/en/download/package-manager/) or use `setup.sh`)
+- [Node.js](http://nodejs.org/) Latest Node 8 LTS (Node 8.15.0 or later) or Node 10 LTS (Node 10.15.1 or later; Node 10.14.1 works for Azure). Use [Install instructions for Node](https://nodejs.org/en/download/package-manager/) or use `setup.sh`)
 - [MongoDB](https://www.mongodb.com/download-center?jmp=nav#community) 3.x or later. MongoDB 2.4 is only supported for Raspberry Pi.
 
 As a non-root user clone this repo then install dependencies into the root of the project:

diff --git a/app.js b/app.js
@@ -14,36 +14,37 @@ function create(env, ctx) {
     var appInfo = env.name + ' ' + env.version;
     app.set('title', appInfo);
     app.enable('trust proxy'); // Allows req.secure test on heroku https connections.
-    if (!process.env.INSECURE_USE_HTTP=='true') {
+    var insecureUseHttp = env.insecureUseHttp;
+    var secureHstsHeader = env.secureHstsHeader;
+    console.info('Security settings: INSECURE_USE_HTTP=',insecureUseHttp,', SECURE_HSTS_HEADER=',secureHstsHeader);
+    if (!insecureUseHttp) {
         app.use((req, res, next) => {
         if (req.header('x-forwarded-proto') !== 'https')
             res.redirect(`https://${req.header('host')}${req.url}`);
         else
             next()
         })
-        //if (env.settings.isEnabled('secureHstsHeader')) { // by TODO: find out why env.settings.isEnabled doest not work
-        if (process.env.SECURE_HSTS_HEADER == 'true') { // Add HSTS (HTTP Strict Transport Security) header
+        if (secureHstsHeader) { // Add HSTS (HTTP Strict Transport Security) header
           const helmet = require('helmet');
-          var includeSubDomainsValue = process.env.SECURE_HSTS_HEADER_INCLUDESUBDOMAINS || false ; // _get(env, 'extendedSettings.secureHstsHeader.includesubdomains')
-            var preloadValue = process.env.SECURE_HSTS_HEADER_PRELOAD || false; // _get(env, 'extendedSettings.secureHstsHeader.preload') || false ; // default
-            app.use(helmet({
-                hsts: {
-                    maxAge: 31536000,
-                    includeSubDomains: includeSubDomainsValue,
-                    preload: preloadValue
-                }
-            }))
-            //if (env.settings.isEnabled('secureCsp')) { // Add Content-Security-Policy directive by default
-            if (process.env.SECURE_CSP == 'true') {
-              app.use(helmet.contentSecurityPolicy({ // TODO make NS work without 'unsafe-inline'
-                directives: {
-                  defaultSrc: ["'self'"],
-                  styleSrc: ["'self'", 'https://fonts.googleapis.com/',"'unsafe-inline'"],
-                  scriptSrc: ["'self'", "'unsafe-inline'"],
-                  fontSrc: [ "'self'", 'https://fonts.gstatic.com/']
-                }
-              }));
+          var includeSubDomainsValue = env.secureHstsHeaderIncludeSubdomains;
+          var preloadValue = env.secureHstsHeaderPreload;
+          app.use(helmet({
+            hsts: {
+              maxAge: 31536000,
+              includeSubDomains: includeSubDomainsValue,
+              preload: preloadValue
             }
+          }))
+          if (env.secureCsp) {
+            app.use(helmet.contentSecurityPolicy({ //TODO make NS work without 'unsafe-inline'
+              directives: {
+                defaultSrc: ["'self'"],
+                styleSrc: ["'self'", 'https://fonts.googleapis.com/',"'unsafe-inline'"],
+                scriptSrc: ["'self'", "'unsafe-inline'"],
+                fontSrc: [ "'self'", 'https://fonts.gstatic.com/']
+              }
+            }));
+          }
         }
      }
 
@@ -193,7 +194,6 @@ function create(env, ctx) {
         console.log('Production environment detected, enabling Minify');
 
         var minify = require('express-minify');
-        var myUglifyJS = require('uglify-js');
         var myCssmin = require('cssmin');
 
         app.use(minify({
@@ -204,7 +204,6 @@ function create(env, ctx) {
             stylus_match: /stylus/,
             coffee_match: /coffeescript/,
             json_match: /json/,
-            uglifyJS: myUglifyJS,
             cssmin: myCssmin,
             cache: __dirname + '/tmp',
             onerror: undefined,

diff --git a/env.js b/env.js
@@ -55,6 +55,13 @@ function setSSL() {
       env.ca = fs.readFileSync(env.SSL_CA);
     }
   }
+
+  env.insecureUseHttp = readENVTruthy("INSECURE_USE_HTTP", false);
+  env.secureHstsHeader = readENVTruthy("SECURE_HSTS_HEADER", true);
+  env.secureHstsHeaderIncludeSubdomains = readENVTruthy("SECURE_HSTS_HEADER_INCLUDESUBDOMAINS", false);
+  env.secureHstsHeaderPreload= readENVTruthy("SECURE_HSTS_HEADER_PRELOAD", false);
+  env.secureCsp = readENVTruthy("SECURE_CSP", false);
+
 }
 
 // A little ugly, but we don't want to read the secret into a var
@@ -144,7 +151,8 @@ function readENV(varName, defaultValue) {
 function readENVTruthy(varName, defaultValue) {
   var value = readENV(varName, defaultValue);
   if (typeof value === 'string' && (value.toLowerCase() === 'on' || value.toLowerCase() === 'true')) { value = true; }
-  if (typeof value === 'string' && (value.toLowerCase() === 'off' || value.toLowerCase() === 'false')) { value = false; }
+  else if (typeof value === 'string' && (value.toLowerCase() === 'off' || value.toLowerCase() === 'false')) { value = false; }
+  else { value=defaultValue }
   return value;
 }
 
@@ -178,6 +186,6 @@ function findExtendedSettings (envs) {
     }
   });
   return extended;
-}
+  }
 
 module.exports = config;
diff --git a/lib/server/bootevent.js b/lib/server/bootevent.js
@@ -22,7 +22,7 @@ function boot (env, language) {
   function checkNode (ctx, next) {
     var semver = require('semver');
     var nodeVersion = process.version;
-    if ( semver.satisfies(nodeVersion, '^8.15.0') || semver.satisfies(nodeVersion, '^10.15.0')) {
+    if ( semver.satisfies(nodeVersion, '^8.15.0') || semver.satisfies(nodeVersion, '^10.15.1')) {
       console.debug('Node version ' + nodeVersion + ' is supported');
       next();
     }

diff --git a/lib/settings.js b/lib/settings.js
@@ -44,6 +44,8 @@ function init ( ) {
     },
     insecureUseHttp: false,
     secureHstsHeader: true,
+    secureHstsHeaderIncludeSubdomains: false,
+    secureHstsHeaderPreload: false,
     secureCsp: false
   };