Add environment variables for frontend and API URL in Docker Compose

Add test suite for CORS and CSP validation in Express app
Enhance CORS and CSP configurations in Express app
2025-08-20 17:26:43 +02:00 · 2025-08-20 17:26:37 +02:00 · 2025-08-20 17:26:28 +02:00
6 changed files with 469 additions and 11 deletions
--- a/maplibre-docker/compose.yml
+++ b/maplibre-docker/compose.yml
@@ -3,6 +3,8 @@ services:
    build:
      context: ..
      dockerfile: maplibre-docker/Dockerfile
      args:
        - VITE_API_URL=${VITE_API_URL}
    ports:
      - "127.0.0.1:5173:80"
    networks:
@@ -14,6 +16,8 @@ services:
      dockerfile: maplibre-docker/Dockerfile.back
    ports:
      - "127.0.0.1:3001:3001"
    environment:
      - FRONTEND_URL=${FRONTEND_URL}
    networks:
      - dokploy-network
--- a/test-backend/app.ts
+++ b/test-backend/app.ts
@@ -5,17 +5,65 @@ import fs from "fs"
 import { fileURLToPath } from "url"
 import { dirname } from "path"
 import { MetersCollection, MeterFeature } from "shared-types/meters"
 import { randomBytes } from "crypto"
 // ES module equivalent of __dirname
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = dirname(__filename)
-const app: Express = express()
+// Config
 const PORT = process.env.PORT || 3001
 const FRONTEND_URL = process.env.FRONTEND_URL || "http://localhost:5173"
-// Middleware
+// Create app factory so tests can import without starting the server
-app.use(cors())
+function createApp(): Express {
-app.use(express.json())
+  const app: Express = express()
  // Restrict CORS to the predefined frontend URL
  app.use(
    cors({
      origin: FRONTEND_URL,
    })
  )
  app.use(express.json())
  // Require Origin header and reject mismatched origins
  app.use((req, res, next) => {
    const origin = req.headers.origin as string | undefined
    if (!origin) {
      return res.status(403).json({ error: "Missing Origin header" })
    }
    if (origin !== FRONTEND_URL) {
      return res.status(403).json({ error: "Forbidden origin" })
    }
    next()
  })
  // Per-request CSP nonce and header. Also expose nonce via X-CSP-Nonce so the frontend
  // can apply it to inline scripts/styles when needed.
  app.use((req, res, next) => {
    const nonce = randomBytes(16).toString("base64")
    const csp = [
      `default-src 'self' ${FRONTEND_URL}`,
      `connect-src 'self' ${FRONTEND_URL}`,
      `img-src 'self' data: ${FRONTEND_URL}`,
      `script-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
      `style-src 'self' 'nonce-${nonce}' ${FRONTEND_URL}`,
    ].join("; ")
    res.setHeader("Content-Security-Policy", csp)
    // Expose nonce so frontend templates can use it for inline scripts/styles
    res.setHeader("X-CSP-Nonce", nonce)
    // Vary on Origin so caches consider the Origin header when caching responses
    res.setHeader("Vary", "Origin")
    next()
  })
  return app
 }
 const app = createApp()
 // Route to serve the saudi_meters.json file
 app.get("/api/meters", (req, res) => {
@@ -71,10 +119,14 @@ app.get("/", (req, res) => {
  })
 })
-// Start the server
+// Start the server only when run directly (not when imported by tests)
-app.listen(PORT, () => {
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
-  console.log(`🚀 Server running on http://localhost:${PORT}`)
+  app.listen(PORT, () => {
-  console.log(`📊 Meters data available at http://localhost:${PORT}/api/meters`)
+    console.log(`🚀 Server running on http://localhost:${PORT}`)
-})
+    console.log(
      `📊 Meters data available at http://localhost:${PORT}/api/meters`
    )
  })
 }
 export default app
--- a/test-backend/package-lock.json
+++ b/test-backend/package-lock.json
@@ -15,6 +15,8 @@
        "@types/cors": "2.8.19",
        "@types/express": "5.0.3",
        "@types/node": "24.3.0",
        "@types/node-fetch": "2.6.3",
        "node-fetch": "3.3.2",
        "tsx": "4.20.4",
        "typescript": "5.9.2"
      }
@@ -541,6 +543,17 @@
        "undici-types": "~7.10.0"
      }
    },
    "node_modules/@types/node-fetch": {
      "version": "2.6.3",
      "resolved": "https://registry.npmjs.org/@types/node-fetch/-/node-fetch-2.6.3.tgz",
      "integrity": "sha512-ETTL1mOEdq/sxUtgtOhKjyB2Irra4cjxksvcMUR5Zr4n+PxVhsCD9WS46oPbHL3et9Zde7CNRr+WUNlcHvsX+w==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "@types/node": "*",
        "form-data": "^3.0.0"
      }
    },
    "node_modules/@types/qs": {
      "version": "6.14.0",
      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.14.0.tgz",
@@ -591,6 +604,13 @@
        "node": ">= 0.6"
      }
    },
    "node_modules/asynckit": {
      "version": "0.4.0",
      "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
      "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/body-parser": {
      "version": "2.2.0",
      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.0.tgz",
@@ -649,6 +669,19 @@
        "url": "https://github.com/sponsors/ljharb"
      }
    },
    "node_modules/combined-stream": {
      "version": "1.0.8",
      "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz",
      "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "delayed-stream": "~1.0.0"
      },
      "engines": {
        "node": ">= 0.8"
      }
    },
    "node_modules/content-disposition": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.0.tgz",
@@ -701,6 +734,16 @@
        "node": ">= 0.10"
      }
    },
    "node_modules/data-uri-to-buffer": {
      "version": "4.0.1",
      "resolved": "https://registry.npmjs.org/data-uri-to-buffer/-/data-uri-to-buffer-4.0.1.tgz",
      "integrity": "sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": ">= 12"
      }
    },
    "node_modules/debug": {
      "version": "4.4.1",
      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz",
@@ -718,6 +761,16 @@
        }
      }
    },
    "node_modules/delayed-stream": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
      "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": ">=0.4.0"
      }
    },
    "node_modules/depd": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
@@ -786,6 +839,22 @@
        "node": ">= 0.4"
      }
    },
    "node_modules/es-set-tostringtag": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
      "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "es-errors": "^1.3.0",
        "get-intrinsic": "^1.2.6",
        "has-tostringtag": "^1.0.2",
        "hasown": "^2.0.2"
      },
      "engines": {
        "node": ">= 0.4"
      }
    },
    "node_modules/esbuild": {
      "version": "0.25.9",
      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.9.tgz",
@@ -885,6 +954,30 @@
        "url": "https://opencollective.com/express"
      }
    },
    "node_modules/fetch-blob": {
      "version": "3.2.0",
      "resolved": "https://registry.npmjs.org/fetch-blob/-/fetch-blob-3.2.0.tgz",
      "integrity": "sha512-7yAQpD2UMJzLi1Dqv7qFYnPbaPx7ZfFK6PiIxQ4PfkGPyNyl2Ugx+a/umUonmKqjhM4DnfbMvdX6otXq83soQQ==",
      "dev": true,
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/jimmywarting"
        },
        {
          "type": "paypal",
          "url": "https://paypal.me/jimmywarting"
        }
      ],
      "license": "MIT",
      "dependencies": {
        "node-domexception": "^1.0.0",
        "web-streams-polyfill": "^3.0.3"
      },
      "engines": {
        "node": "^12.20 || >= 14.13"
      }
    },
    "node_modules/finalhandler": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.0.tgz",
@@ -902,6 +995,59 @@
        "node": ">= 0.8"
      }
    },
    "node_modules/form-data": {
      "version": "3.0.4",
      "resolved": "https://registry.npmjs.org/form-data/-/form-data-3.0.4.tgz",
      "integrity": "sha512-f0cRzm6dkyVYV3nPoooP8XlccPQukegwhAnpoLcXy+X+A8KfpGOoXwDr9FLZd3wzgLaBGQBE3lY93Zm/i1JvIQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "asynckit": "^0.4.0",
        "combined-stream": "^1.0.8",
        "es-set-tostringtag": "^2.1.0",
        "hasown": "^2.0.2",
        "mime-types": "^2.1.35"
      },
      "engines": {
        "node": ">= 6"
      }
    },
    "node_modules/form-data/node_modules/mime-db": {
      "version": "1.52.0",
      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": ">= 0.6"
      }
    },
    "node_modules/form-data/node_modules/mime-types": {
      "version": "2.1.35",
      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "mime-db": "1.52.0"
      },
      "engines": {
        "node": ">= 0.6"
      }
    },
    "node_modules/formdata-polyfill": {
      "version": "4.0.10",
      "resolved": "https://registry.npmjs.org/formdata-polyfill/-/formdata-polyfill-4.0.10.tgz",
      "integrity": "sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "fetch-blob": "^3.1.2"
      },
      "engines": {
        "node": ">=12.20.0"
      }
    },
    "node_modules/forwarded": {
      "version": "0.2.0",
      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
@@ -1018,6 +1164,22 @@
        "url": "https://github.com/sponsors/ljharb"
      }
    },
    "node_modules/has-tostringtag": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
      "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "has-symbols": "^1.0.3"
      },
      "engines": {
        "node": ">= 0.4"
      },
      "funding": {
        "url": "https://github.com/sponsors/ljharb"
      }
    },
    "node_modules/hasown": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
@@ -1154,6 +1316,46 @@
        "node": ">= 0.6"
      }
    },
    "node_modules/node-domexception": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
      "integrity": "sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==",
      "deprecated": "Use your platform's native DOMException instead",
      "dev": true,
      "funding": [
        {
          "type": "github",
          "url": "https://github.com/sponsors/jimmywarting"
        },
        {
          "type": "github",
          "url": "https://paypal.me/jimmywarting"
        }
      ],
      "license": "MIT",
      "engines": {
        "node": ">=10.5.0"
      }
    },
    "node_modules/node-fetch": {
      "version": "3.3.2",
      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.3.2.tgz",
      "integrity": "sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
        "data-uri-to-buffer": "^4.0.0",
        "fetch-blob": "^3.1.4",
        "formdata-polyfill": "^4.0.10"
      },
      "engines": {
        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
      },
      "funding": {
        "type": "opencollective",
        "url": "https://opencollective.com/node-fetch"
      }
    },
    "node_modules/object-assign": {
      "version": "4.1.1",
      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
@@ -1524,6 +1726,16 @@
        "node": ">= 0.8"
      }
    },
    "node_modules/web-streams-polyfill": {
      "version": "3.3.3",
      "resolved": "https://registry.npmjs.org/web-streams-polyfill/-/web-streams-polyfill-3.3.3.tgz",
      "integrity": "sha512-d2JWLCivmZYTSIoge9MsgFCZrt571BikcWGYkjC1khllbTeDlGqZ2D8vD8E/lJa8WGWbb7Plm8/XJYV7IJHZZw==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": ">= 8"
      }
    },
    "node_modules/wrappy": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
--- a/test-backend/package.json
+++ b/test-backend/package.json
@@ -8,7 +8,8 @@
    "start": "node dist/test-backend/app.js",
    "dev": "tsx app.ts",
    "build": "tsc",
-    "generate": "node generate_meters.js"
+    "generate": "node generate_meters.js",
    "test": "tsx test/run-tests.ts"
  },
  "dependencies": {
    "cors": "2.8.5",
@@ -19,6 +20,8 @@
    "@types/express": "5.0.3",
    "@types/node": "24.3.0",
    "tsx": "4.20.4",
-    "typescript": "5.9.2"
+    "typescript": "5.9.2",
    "node-fetch": "3.3.2",
    "@types/node-fetch": "2.6.3"
  }
 }
--- a/test-backend/pnpm-lock.yaml
+++ b/test-backend/pnpm-lock.yaml
@@ -24,6 +24,12 @@ importers:
      '@types/node':
        specifier: 24.3.0
        version: 24.3.0
      '@types/node-fetch':
        specifier: 2.6.3
        version: 2.6.3
      node-fetch:
        specifier: 3.3.2
        version: 3.3.2
      tsx:
        specifier: 4.20.4
        version: 4.20.4
@@ -210,6 +216,9 @@ packages:
  '@types/mime@1.3.5':
    resolution: {integrity: sha512-/pyBZWSLD2n0dcHE3hq8s8ZvcETHtEuF+3E7XVt0Ig2nvsVQXdghHVcEkIWjy9A0wKfTn97a/PSDYohKIlnP/w==}
  '@types/node-fetch@2.6.3':
    resolution: {integrity: sha512-ETTL1mOEdq/sxUtgtOhKjyB2Irra4cjxksvcMUR5Zr4n+PxVhsCD9WS46oPbHL3et9Zde7CNRr+WUNlcHvsX+w==}
  '@types/node@24.3.0':
    resolution: {integrity: sha512-aPTXCrfwnDLj4VvXrm+UUCQjNEvJgNA8s5F1cvwQU+3KNltTOkBm1j30uNLyqqPNe7gE3KFzImYoZEfLhp4Yow==}
@@ -229,6 +238,9 @@ packages:
    resolution: {integrity: sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==}
    engines: {node: '>= 0.6'}
  asynckit@0.4.0:
    resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
  body-parser@2.2.0:
    resolution: {integrity: sha512-02qvAaxv8tp7fBa/mw1ga98OGm+eCbqzJOKoRt70sLmfEEi+jyBYVTDGfCL/k06/4EMk/z01gCe7HoCH/f2LTg==}
    engines: {node: '>=18'}
@@ -245,6 +257,10 @@ packages:
    resolution: {integrity: sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==}
    engines: {node: '>= 0.4'}
  combined-stream@1.0.8:
    resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==}
    engines: {node: '>= 0.8'}
  content-disposition@1.0.0:
    resolution: {integrity: sha512-Au9nRL8VNUut/XSzbQA38+M78dzP4D+eqg3gfJHMIHHYa3bg067xj1KxMUWj+VULbiZMowKngFFbKczUrNJ1mg==}
    engines: {node: '>= 0.6'}
@@ -265,6 +281,10 @@ packages:
    resolution: {integrity: sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==}
    engines: {node: '>= 0.10'}
  data-uri-to-buffer@4.0.1:
    resolution: {integrity: sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==}
    engines: {node: '>= 12'}
  debug@4.4.1:
    resolution: {integrity: sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ==}
    engines: {node: '>=6.0'}
@@ -274,6 +294,10 @@ packages:
      supports-color:
        optional: true
  delayed-stream@1.0.0:
    resolution: {integrity: sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==}
    engines: {node: '>=0.4.0'}
  depd@2.0.0:
    resolution: {integrity: sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==}
    engines: {node: '>= 0.8'}
@@ -301,6 +325,10 @@ packages:
    resolution: {integrity: sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==}
    engines: {node: '>= 0.4'}
  es-set-tostringtag@2.1.0:
    resolution: {integrity: sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==}
    engines: {node: '>= 0.4'}
  esbuild@0.25.9:
    resolution: {integrity: sha512-CRbODhYyQx3qp7ZEwzxOk4JBqmD/seJrzPa/cGjY1VtIn5E09Oi9/dB4JwctnfZ8Q8iT7rioVv5k/FNT/uf54g==}
    engines: {node: '>=18'}
@@ -317,10 +345,22 @@ packages:
    resolution: {integrity: sha512-DT9ck5YIRU+8GYzzU5kT3eHGA5iL+1Zd0EutOmTE9Dtk+Tvuzd23VBU+ec7HPNSTxXYO55gPV/hq4pSBJDjFpA==}
    engines: {node: '>= 18'}
  fetch-blob@3.2.0:
    resolution: {integrity: sha512-7yAQpD2UMJzLi1Dqv7qFYnPbaPx7ZfFK6PiIxQ4PfkGPyNyl2Ugx+a/umUonmKqjhM4DnfbMvdX6otXq83soQQ==}
    engines: {node: ^12.20 || >= 14.13}
  finalhandler@2.1.0:
    resolution: {integrity: sha512-/t88Ty3d5JWQbWYgaOGCCYfXRwV1+be02WqYYlL6h0lEiUAMPM8o8qKGO01YIkOHzka2up08wvgYD0mDiI+q3Q==}
    engines: {node: '>= 0.8'}
  form-data@3.0.4:
    resolution: {integrity: sha512-f0cRzm6dkyVYV3nPoooP8XlccPQukegwhAnpoLcXy+X+A8KfpGOoXwDr9FLZd3wzgLaBGQBE3lY93Zm/i1JvIQ==}
    engines: {node: '>= 6'}
  formdata-polyfill@4.0.10:
    resolution: {integrity: sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==}
    engines: {node: '>=12.20.0'}
  forwarded@0.2.0:
    resolution: {integrity: sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==}
    engines: {node: '>= 0.6'}
@@ -356,6 +396,10 @@ packages:
    resolution: {integrity: sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==}
    engines: {node: '>= 0.4'}
  has-tostringtag@1.0.2:
    resolution: {integrity: sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==}
    engines: {node: '>= 0.4'}
  hasown@2.0.2:
    resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
    engines: {node: '>= 0.4'}
@@ -390,10 +434,18 @@ packages:
    resolution: {integrity: sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==}
    engines: {node: '>=18'}
  mime-db@1.52.0:
    resolution: {integrity: sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==}
    engines: {node: '>= 0.6'}
  mime-db@1.54.0:
    resolution: {integrity: sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==}
    engines: {node: '>= 0.6'}
  mime-types@2.1.35:
    resolution: {integrity: sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==}
    engines: {node: '>= 0.6'}
  mime-types@3.0.1:
    resolution: {integrity: sha512-xRc4oEhT6eaBpU1XF7AjpOFD+xQmXNB5OVKwp4tqCuBpHLS/ZbBDrc07mYTDqVMg6PfxUjjNp85O6Cd2Z/5HWA==}
    engines: {node: '>= 0.6'}
@@ -405,6 +457,15 @@ packages:
    resolution: {integrity: sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==}
    engines: {node: '>= 0.6'}
  node-domexception@1.0.0:
    resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
    engines: {node: '>=10.5.0'}
    deprecated: Use your platform's native DOMException instead
  node-fetch@3.3.2:
    resolution: {integrity: sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA==}
    engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
  object-assign@4.1.1:
    resolution: {integrity: sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==}
    engines: {node: '>=0.10.0'}
@@ -517,6 +578,10 @@ packages:
    resolution: {integrity: sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==}
    engines: {node: '>= 0.8'}
  web-streams-polyfill@3.3.3:
    resolution: {integrity: sha512-d2JWLCivmZYTSIoge9MsgFCZrt571BikcWGYkjC1khllbTeDlGqZ2D8vD8E/lJa8WGWbb7Plm8/XJYV7IJHZZw==}
    engines: {node: '>= 8'}
  wrappy@1.0.2:
    resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==}
@@ -630,6 +695,11 @@ snapshots:
  '@types/mime@1.3.5': {}
  '@types/node-fetch@2.6.3':
    dependencies:
      '@types/node': 24.3.0
      form-data: 3.0.4
  '@types/node@24.3.0':
    dependencies:
      undici-types: 7.10.0
@@ -654,6 +724,8 @@ snapshots:
      mime-types: 3.0.1
      negotiator: 1.0.0
  asynckit@0.4.0: {}
  body-parser@2.2.0:
    dependencies:
      bytes: 3.1.2
@@ -680,6 +752,10 @@ snapshots:
      call-bind-apply-helpers: 1.0.2
      get-intrinsic: 1.3.0
  combined-stream@1.0.8:
    dependencies:
      delayed-stream: 1.0.0
  content-disposition@1.0.0:
    dependencies:
      safe-buffer: 5.2.1
@@ -695,10 +771,14 @@ snapshots:
      object-assign: 4.1.1
      vary: 1.1.2
  data-uri-to-buffer@4.0.1: {}
  debug@4.4.1:
    dependencies:
      ms: 2.1.3
  delayed-stream@1.0.0: {}
  depd@2.0.0: {}
  dunder-proto@1.0.1:
@@ -719,6 +799,13 @@ snapshots:
    dependencies:
      es-errors: 1.3.0
  es-set-tostringtag@2.1.0:
    dependencies:
      es-errors: 1.3.0
      get-intrinsic: 1.3.0
      has-tostringtag: 1.0.2
      hasown: 2.0.2
  esbuild@0.25.9:
    optionalDependencies:
      '@esbuild/aix-ppc64': 0.25.9
@@ -784,6 +871,11 @@ snapshots:
    transitivePeerDependencies:
      - supports-color
  fetch-blob@3.2.0:
    dependencies:
      node-domexception: 1.0.0
      web-streams-polyfill: 3.3.3
  finalhandler@2.1.0:
    dependencies:
      debug: 4.4.1
@@ -795,6 +887,18 @@ snapshots:
    transitivePeerDependencies:
      - supports-color
  form-data@3.0.4:
    dependencies:
      asynckit: 0.4.0
      combined-stream: 1.0.8
      es-set-tostringtag: 2.1.0
      hasown: 2.0.2
      mime-types: 2.1.35
  formdata-polyfill@4.0.10:
    dependencies:
      fetch-blob: 3.2.0
  forwarded@0.2.0: {}
  fresh@2.0.0: {}
@@ -830,6 +934,10 @@ snapshots:
  has-symbols@1.1.0: {}
  has-tostringtag@1.0.2:
    dependencies:
      has-symbols: 1.1.0
  hasown@2.0.2:
    dependencies:
      function-bind: 1.1.2
@@ -858,8 +966,14 @@ snapshots:
  merge-descriptors@2.0.0: {}
  mime-db@1.52.0: {}
  mime-db@1.54.0: {}
  mime-types@2.1.35:
    dependencies:
      mime-db: 1.52.0
  mime-types@3.0.1:
    dependencies:
      mime-db: 1.54.0
@@ -868,6 +982,14 @@ snapshots:
  negotiator@1.0.0: {}
  node-domexception@1.0.0: {}
  node-fetch@3.3.2:
    dependencies:
      data-uri-to-buffer: 4.0.1
      fetch-blob: 3.2.0
      formdata-polyfill: 4.0.10
  object-assign@4.1.1: {}
  object-inspect@1.13.4: {}
@@ -998,4 +1120,6 @@ snapshots:
  vary@1.1.2: {}
  web-streams-polyfill@3.3.3: {}
  wrappy@1.0.2: {}
--- a/test-backend/test/run-tests.ts
+++ b/test-backend/test/run-tests.ts
@@ -0,0 +1,63 @@
 import http from "http"
 import fetch from "node-fetch"
 import app from "../app"
 async function listenOnRandomPort() {
  return new Promise<{ server: http.Server; port: number }>(
    (resolve, reject) => {
      const server = http.createServer(app)
      server.listen(0, () => {
        // @ts-ignore
        const addr = server.address()
        if (!addr || typeof addr === "string")
          return reject(new Error("Failed to get server address"))
        resolve({ server, port: addr.port })
      })
    }
  )
 }
 async function run() {
  const FRONTEND = process.env.FRONTEND_URL || "http://localhost:5173"
  const { server, port } = await listenOnRandomPort()
  const base = `http://localhost:${port}`
  try {
    // 1) Allowed origin
    const allowed = await fetch(base + "/api/meters", {
      headers: { Origin: FRONTEND },
    })
    console.log("Allowed origin status:", allowed.status)
    const csp = allowed.headers.get("content-security-policy")
    const nonce = allowed.headers.get("x-csp-nonce")
    console.log("CSP header present:", !!csp)
    console.log("X-CSP-Nonce present:", !!nonce)
    if (allowed.status !== 200) throw new Error("Allowed origin request failed")
    if (!csp) throw new Error("CSP header missing")
    if (!nonce) throw new Error("X-CSP-Nonce missing")
    // 2) Disallowed origin
    const disallowed = await fetch(base + "/api/meters", {
      headers: { Origin: "https://evil.com" },
    })
    console.log("Disallowed origin status:", disallowed.status)
    if (disallowed.status !== 403)
      throw new Error("Disallowed origin not rejected")
    // 3) Missing origin -> should be rejected now
    const missing = await fetch(base + "/api/meters")
    console.log("Missing origin status:", missing.status)
    if (missing.status !== 403)
      throw new Error("Request without Origin header should be rejected")
    console.log("\nAll tests passed")
  } catch (err) {
    console.error("Test failure:", err)
    process.exitCode = 1
  } finally {
    server.close()
  }
 }
 run()
Author	SHA1	Message	Date
Julio Cesar	1ed644f1c0	Add environment variables for frontend and API URL in Docker Compose	2025-08-20 17:26:43 +02:00
Julio Cesar	67f26a42f1	Add test suite for CORS and CSP validation in Express app	2025-08-20 17:26:37 +02:00
Julio Cesar	225c1b4cb8	Enhance CORS and CSP configurations in Express app	2025-08-20 17:26:28 +02:00