-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathapp.js
More file actions
132 lines (110 loc) · 3.95 KB
/
app.js
File metadata and controls
132 lines (110 loc) · 3.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
const express = require('express');
const http = require('http');
const socketio = require('socket.io');
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const path = require('path');
const app = express();
const server = http.createServer(app);
const io = socketio(server);
// Security headers
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "https://cdnjs.cloudflare.com"],
styleSrc: ["'self'", "'unsafe-inline'"],
connectSrc: ["'self'", "ws:", "wss:"]
}
},
crossOriginEmbedderPolicy: false
}));
// Rate limiting for HTTP requests
const limiter = rateLimit({
windowMs: 1 * 60 * 1000, // 1 minute
max: 100 // limit each IP to 100 requests per windowMs
});
app.use(limiter);
app.use(express.static('public'));
// Restrict CORS to same origin
app.use((req, res, next) => {
const allowedOrigins = [req.headers.origin];
if (allowedOrigins.includes(req.headers.origin)) {
res.header('Access-Control-Allow-Origin', req.headers.origin);
}
res.header('Access-Control-Allow-Methods', 'GET, POST');
res.header('Access-Control-Allow-Headers', 'Content-Type');
next();
});
app.get('/', (req, res) => {
res.sendFile(path.join(__dirname, 'public', 'index.html'));
});
app.get('/room/:id', (req, res) => {
// Validate room ID
const roomId = req.params.id;
if (!/^[a-zA-Z0-9_-]{1,50}$/.test(roomId)) {
return res.status(400).send('Invalid room ID');
}
res.sendFile(path.join(__dirname, 'public', 'room.html'));
})
// Socket.io rate limiting
const socketMessageLimiter = new Map();
io.on('connection', (socket) => {
// Initialize rate limiter for this socket
socketMessageLimiter.set(socket.id, {
messages: 0,
resetTime: Date.now() + 60000 // 1 minute
});
socket.on('join', (roomId) => {
// Validate room ID
if (typeof roomId !== 'string' || !/^[a-zA-Z0-9_-]{1,50}$/.test(roomId)) {
return;
}
socket.join(roomId);
const clients = io.sockets.adapter.rooms.get(roomId);
io.to(roomId).emit('clients', clients.size);
if (clients.size > 2) {
io.to(roomId).emit('full-room');
}
io.to(roomId).emit('room-id', roomId);
});
socket.on('chat message', (msg, roomId) => {
// Rate limiting check
const limiter = socketMessageLimiter.get(socket.id);
if (limiter) {
if (Date.now() > limiter.resetTime) {
limiter.messages = 0;
limiter.resetTime = Date.now() + 60000;
}
if (limiter.messages >= 30) { // 30 messages per minute
socket.emit('rate-limit', 'Too many messages. Please wait.');
return;
}
limiter.messages++;
}
// Validate message
if (typeof msg !== 'string' || msg.length > 5000) { // Max 5KB per message
return;
}
// Validate room ID
if (typeof roomId !== 'string' || !/^[a-zA-Z0-9_-]{1,50}$/.test(roomId)) {
return;
}
const clients = io.sockets.adapter.rooms.get(roomId);
if (!clients || clients.size > 2) {
io.to(socket.id).emit('full-room');
return;
}
io.to(roomId).emit('chat message', msg);
});
socket.on('disconnect', () => {
// Clean up rate limiter
socketMessageLimiter.delete(socket.id);
});
});
app.all('*', (req, res) => {
res.status(404).send('<style>body { font-family: monospace; text-align: center; margin-top: 20%; }</style><h1>404 Not Found</h1>');
});
server.listen(process.env.PORT, () => {
console.log('listening on *:3000');
});