| 170 | } |
| 171 | |
| 172 | async config() { |
| 173 | // Limit is needed to allow sending/receiving base64 encoded string |
| 174 | const flowise_file_size_limit = process.env.FLOWISE_FILE_SIZE_LIMIT || '50mb' |
| 175 | |
| 176 | // Preserve raw bytes before JSON parsing for webhook HMAC signature verification |
| 177 | const captureRawBody = (req: Request, _res: Response, buf: Buffer) => { |
| 178 | ;(req as any).rawBody = buf |
| 179 | } |
| 180 | this.app.use(express.json({ limit: flowise_file_size_limit, verify: captureRawBody })) |
| 181 | this.app.use(express.urlencoded({ limit: flowise_file_size_limit, extended: true, verify: captureRawBody })) |
| 182 | |
| 183 | // Enhanced trust proxy settings for load balancer |
| 184 | let trustProxy: string | boolean | number | undefined = process.env.TRUST_PROXY |
| 185 | if (typeof trustProxy === 'undefined' || trustProxy.trim() === '' || trustProxy === 'true') { |
| 186 | // Default to trust all proxies |
| 187 | trustProxy = true |
| 188 | } else if (trustProxy === 'false') { |
| 189 | // Disable trust proxy |
| 190 | trustProxy = false |
| 191 | } else if (!isNaN(Number(trustProxy))) { |
| 192 | // Number: Trust specific number of proxies |
| 193 | trustProxy = Number(trustProxy) |
| 194 | } |
| 195 | |
| 196 | this.app.set('trust proxy', trustProxy) |
| 197 | |
| 198 | // Allow access from specified domains |
| 199 | validateCorsConfig() |
| 200 | this.app.use(cors(getCorsOptions())) |
| 201 | |
| 202 | // Parse cookies |
| 203 | this.app.use(cookieParser()) |
| 204 | |
| 205 | // Allow embedding from specified domains. |
| 206 | const iframeSecurityHeaders = getIframeSecurityHeaders() |
| 207 | this.app.use((req, res, next) => { |
| 208 | for (const [headerName, headerValue] of Object.entries(iframeSecurityHeaders)) { |
| 209 | res.setHeader(headerName, headerValue) |
| 210 | } |
| 211 | next() |
| 212 | }) |
| 213 | |
| 214 | // Switch off the default 'X-Powered-By: Express' header |
| 215 | this.app.disable('x-powered-by') |
| 216 | |
| 217 | // Add the expressRequestLogger middleware to log all requests |
| 218 | this.app.use(expressRequestLogger) |
| 219 | |
| 220 | // Add the sanitizeMiddleware to guard against XSS |
| 221 | this.app.use(sanitizeMiddleware) |
| 222 | |
| 223 | const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : [] |
| 224 | const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url)) |
| 225 | const URL_CASE_INSENSITIVE_REGEX: RegExp = /\/api\/v1\//i |
| 226 | const URL_CASE_SENSITIVE_REGEX: RegExp = /\/api\/v1\// |
| 227 | |
| 228 | await initializeJwtCookieMiddleware(this.app, this.identityManager) |
| 229 |