File: /var/www/indoadvisory_new/web/webapp/server.js
const express = require('express');
const path = require('path');
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');
const compression = require('compression');
const cors = require('cors');
const session = require('express-session');
const cookieParser = require('cookie-parser');
const flash = require('connect-flash');
const morgan = require('morgan');
const winston = require('winston');
const expressWinston = require('express-winston');
require('dotenv').config();
// Import routes
const authRoutes = require('./routes/auth');
const adminRoutes = require('./routes/admin');
const publicRoutes = require('./routes/public');
const clientRoutes = require('./routes/clients');
const teamRoutes = require('./routes/team');
const articleRoutes = require('./routes/articles');
// Import middleware
const { requireAuth, requireAdmin } = require('./middleware/auth');
const { csrfProtection } = require('./middleware/security');
const { i18n } = require('./middleware/i18n');
const app = express();
const PORT = process.env.PORT || 3000;
// Trust proxy for VPS deployment
app.set('trust proxy', 1);
// View engine setup
app.set('view engine', 'ejs');
app.set('views', path.join(__dirname, 'views'));
// Enterprise Security Configuration
// ================================
// Helmet for security headers
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: [
"'self'",
"'unsafe-inline'",
"'unsafe-eval'",
"https://cdn.tailwindcss.com",
"https://cdn.jsdelivr.net",
"https://unpkg.com"
],
styleSrc: [
"'self'",
"'unsafe-inline'",
"https://cdn.tailwindcss.com",
"https://cdn.jsdelivr.net",
"https://fonts.googleapis.com"
],
fontSrc: [
"'self'",
"https://fonts.gstatic.com",
"https://cdn.jsdelivr.net"
],
imgSrc: [
"'self'",
"data:",
"https:",
"http:"
],
connectSrc: ["'self'"]
}
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true
}
}));
// Rate limiting for enterprise security
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // limit each IP to 100 requests per windowMs
message: 'Too many requests from this IP, please try again later.',
standardHeaders: true,
legacyHeaders: false,
});
const authLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // limit each IP to 5 login attempts per windowMs
message: 'Too many login attempts, please try again later.',
skipSuccessfulRequests: true,
});
app.use('/auth/login', authLimiter);
app.use(limiter);
// CORS configuration
app.use(cors({
origin: process.env.NODE_ENV === 'production'
? [process.env.DOMAIN]
: ['http://localhost:3000', 'http://127.0.0.1:3000'],
credentials: true,
optionsSuccessStatus: 200
}));
// Middleware
app.use(compression());
app.use(morgan('combined'));
app.use(express.json({ limit: '10mb' }));
app.use(express.urlencoded({ extended: true, limit: '10mb' }));
app.use(cookieParser());
// Session configuration for VPS deployment
app.use(session({
secret: process.env.SESSION_SECRET || 'your-super-secret-key-change-in-production',
resave: false,
saveUninitialized: false,
cookie: {
secure: process.env.NODE_ENV === 'production', // HTTPS only in production
httpOnly: true,
maxAge: 24 * 60 * 60 * 1000, // 24 hours
sameSite: 'strict'
},
name: 'sessionId' // Change default session name for security
}));
// Flash messages
app.use(flash());
// Static files
app.use('/static', express.static(path.join(__dirname, 'public'), {
maxAge: process.env.NODE_ENV === 'production' ? '7d' : '1h',
etag: true,
lastModified: true
}));
// Uploads (with authentication check)
app.use('/uploads', requireAuth, express.static(path.join(__dirname, 'uploads')));
// Internationalization middleware
app.use(i18n);
// CSRF Protection (after session and body parsing)
app.use(csrfProtection);
// Global variables for templates
app.use((req, res, next) => {
res.locals.user = req.session.user || null;
res.locals.isAdmin = req.session.user && req.session.user.role === 'admin';
res.locals.messages = req.flash();
res.locals.csrfToken = req.csrfToken();
res.locals.currentLang = req.session.lang || 'en';
res.locals.__ = req.__;
next();
});
// Logging middleware
if (process.env.NODE_ENV === 'production') {
app.use(expressWinston.logger({
transports: [
new winston.transports.File({
filename: path.join(__dirname, 'logs', 'access.log')
})
],
format: winston.format.combine(
winston.format.colorize(),
winston.format.json()
),
meta: true,
msg: "HTTP {{req.method}} {{req.url}}",
expressFormat: true,
colorize: false,
}));
}
// Routes
app.use('/auth', authRoutes);
app.use('/admin', requireAuth, requireAdmin, adminRoutes);
app.use('/api/clients', requireAuth, requireAdmin, clientRoutes);
app.use('/api/team', requireAuth, requireAdmin, teamRoutes);
app.use('/api/articles', requireAuth, requireAdmin, articleRoutes);
app.use('/', publicRoutes);
// Error logging middleware
if (process.env.NODE_ENV === 'production') {
app.use(expressWinston.errorLogger({
transports: [
new winston.transports.File({
filename: path.join(__dirname, 'logs', 'error.log')
})
],
format: winston.format.combine(
winston.format.colorize(),
winston.format.json()
)
}));
}
// 404 handler
app.use((req, res) => {
res.status(404).render('error', {
title: 'Page Not Found',
message: 'The page you are looking for does not exist.',
error: { status: 404 }
});
});
// Global error handler
app.use((err, req, res, next) => {
// Log error
console.error(err.stack);
// CSRF token error
if (err.code === 'EBADCSRFTOKEN') {
res.status(403).render('error', {
title: 'Security Error',
message: 'Invalid security token. Please refresh and try again.',
error: { status: 403 }
});
return;
}
// Default error
const status = err.status || 500;
const message = process.env.NODE_ENV === 'production'
? 'Something went wrong!'
: err.message;
res.status(status).render('error', {
title: 'Error',
message: message,
error: process.env.NODE_ENV === 'production' ? {} : err
});
});
// Graceful shutdown for VPS deployment
process.on('SIGINT', () => {
console.log('Received SIGINT, shutting down gracefully...');
process.exit(0);
});
process.on('SIGTERM', () => {
console.log('Received SIGTERM, shutting down gracefully...');
process.exit(0);
});
// Start server
app.listen(PORT, '0.0.0.0', () => {
console.log(`🚀 Indo Advisory server running on port ${PORT}`);
console.log(`🌍 Environment: ${process.env.NODE_ENV || 'development'}`);
console.log(`🔒 Security: Enterprise-grade protection enabled`);
console.log(`🗂️ Database: PostgreSQL ready for VPS deployment`);
});
module.exports = app;