- Add helmet middleware for secure HTTP response headers - Add express-rate-limit with three limiters: - authLimiter: per-IP, 20 req/15min on /api/auth/* - gameLimiter: per-user, 150 req/15min (not yet wired) - lobbyLimiter: per-user, 20 req/15min (not yet wired) - Set trust proxy to one hop so req.ip reflects the real client IP behind Caddy (required for the per-IP limiter to key on clients rather than the proxy) - Add tests for all three limiters and helmet headers
import express from "express";
import type { Express } from "express";
import { toNodeHandler } from "better-auth/node";
import cors from "cors";
import helmet from "helmet";
import { auth } from "./lib/auth.js";
import { apiRouter } from "./routes/apiRouter.js";
import { errorHandler } from "./middleware/errorHandler.js";
import { authLimiter } from "./middleware/rateLimiters.js";
/**
 * Build and configure the Express application (not yet listening).
 *
 * Registration order is deliberate and security-relevant:
 * 1. `trust proxy` is set to exactly one hop (the Caddy reverse proxy) so
 *    `req.ip` is the real client address. The per-IP auth limiter keys on
 *    `req.ip`, so this setting is what makes it count clients instead of
 *    the proxy. NOTE(review): this only holds while the Node port is
 *    reachable solely through Caddy — if it is ever exposed directly,
 *    X-Forwarded-For becomes client-controlled and the per-IP limit can
 *    be evaded; keep the listener bound to the proxy-facing interface.
 * 2. helmet() adds its default secure response headers.
 * 3. CORS is pinned to a single origin (CORS_ORIGIN, falling back to a
 *    localhost dev origin) with credentials allowed.
 * 4. authLimiter is mounted on /api/auth before the better-auth handler,
 *    so throttling happens before any auth logic runs.
 * 5. The better-auth handler is mounted before express.json() — presumably
 *    because it consumes the raw body itself; confirm before reordering.
 * 6. The versioned API router, then the error handler last.
 *
 * @returns the configured Express app.
 */
export function createApp(): Express {
  const app = express();

  // Trust exactly one proxy hop. Do not use `true` here: that would trust
  // any X-Forwarded-For chain a client chooses to send.
  app.set("trust proxy", 1);
  app.use(helmet());

  // `||` rather than `??` is intentional: an empty CORS_ORIGIN also falls
  // back to the local dev origin instead of allowing "" as an origin.
  const allowedOrigin = process.env["CORS_ORIGIN"] || "http://localhost:5173";
  app.use(cors({ origin: allowedOrigin, credentials: true }));

  // Per-IP throttling for every /api/auth/* request, ahead of better-auth.
  app.use("/api/auth", authLimiter);
  app.all("/api/auth/*splat", toNodeHandler(auth));

  // JSON body parsing with express defaults for the app's own API routes.
  app.use(express.json());
  app.use("/api/v1", apiRouter);

  // Registered last so it catches errors from every route above.
  app.use(errorHandler);

  return app;
}