Meridian-Technology · Phoenix9994 · Oct 22, 2024 · Oct 25, 2024 · Oct 25, 2024 · Nov 1, 2024
@@ -28,17 +28,36 @@ const io = new Server(server, {
     }
 });
 
+//cors configuration
 if (process.env.NODE_ENV === 'production') {
     app.use(enforce.HTTPS({ trustProtoHeader: true }));
     const corsOptions = {
         origin: [
             'https://www.study-compass.com', 
             'https://studycompass.com',
-            `http://${process.env.EDUREKA_IP}:${process.env.EDUREKA_PORT}`
+            // `http://${process.env.EDUREKA_IP}:${process.env.EDUREKA_PORT}`
         ],
         optionsSuccessStatus: 200 // for legacy browser support
     };
-    app.use(cors(corsOptions));
+
+    //apply CORS policy to all routes EXCEPT /api routes
+    app.use((req, res, next) => {
+        if (req.path.startsWith('/api')) {
+            return next();
+        }
+        return cors(corsOptions)(req, res, next);
+    });
+} else {
+    //in development, use a more permissive CORS policy for non-API routes
+    app.use((req, res, next) => {
+        if (req.path.startsWith('/api')) {
+            return next();
+        }
+        return cors({
+            origin: true, //allow all origins in development
+            credentials: true
+        })(req, res, next);
+    });
 }
 
 // Other middleware
@@ -68,6 +87,8 @@ app.use(async (req, res, next) => {
         res.status(500).send('Database connection error');
     }
 });
+// berkeley.study-compass.com
+
 
 const upload = multer({
     storage: multer.memoryStorage(),
@@ -87,22 +108,22 @@ const ratingRoutes = require('./routes/ratingRoutes.js');
 const searchRoutes = require('./routes/searchRoutes.js');
 const eventRoutes = require('./routes/eventRoutes.js');
 const oieRoutes = require('./routes/oie-routes.js');
+const apiRoutes = require('./routes/apiRoutes.js'); //Added Pk ERROR
 const orgRoutes = require('./routes/orgRoutes.js');
 const workflowRoutes = require('./routes/workflowRoutes.js');
 
+// Mount routes
 app.use(authRoutes);
 app.use(dataRoutes);
 app.use(friendRoutes);
 app.use(userRoutes);
 app.use(analyticsRoutes);
-app.use(eventRoutes);
-
 app.use(classroomChangeRoutes);
 app.use(ratingRoutes);
 app.use(searchRoutes);
-
 app.use(eventRoutes);
 app.use(oieRoutes);
+app.use('/api', apiRoutes); // API routes with their own CORS configuration
 app.use(orgRoutes);
 app.use(workflowRoutes);
 

@@ -0,0 +1,31 @@
+const cors = require('cors');
+
+/**
+ * CORS middleware specifically for API routes
+ * This allows cross-origin requests to API endpoints while maintaining security through API keys
+ */
+const apiCors = cors({
+  origin: '*',
+    methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
+
+  allowedHeaders: [
+    'Content-Type', 
+    'Authorization', 
+    'X-Requested-With', 
+    'Accept', 
+    'Origin', 
+    'x-api-key'
+  ],
+
+  //set credentials to false since we're using '*' for origin
+  credentials: false,
+
+  //set how long the results of a preflight request can be cached
+  maxAge: 86400, // 24 hours
+
+  //enable preflight requests
+  preflightContinue: false,
+  optionsSuccessStatus: 204
+});
+
+module.exports = apiCors; 
@@ -0,0 +1,42 @@
+const mongoose = require('mongoose');
+const getModels = require('../services/getModelService.js');
+
+const apiKeyMiddleware = async (req, res, next) => {
+    try {
+        const apiKey = req.headers['x-api-key'];
+
+        if (!apiKey) {
+            return res.status(401).json({ error: 'API key is required' });
+        }
+
+        const { Api } = getModels(req, 'Api');
+        const apiKeyData = await Api.findOne({ api_key: apiKey });
+
+        if (!apiKeyData) {
+            return res.status(401).json({ error: 'Invalid API key' });
+        }
+
+        //check if API key is expired
+        if (apiKeyData.expiresAt && new Date() > apiKeyData.expiresAt) {
+            return res.status(401).json({ error: 'API key has expired' });
+        }
+
+        //check IP whitelist if configured
+        if (apiKeyData.allowedIPs && apiKeyData.allowedIPs.length > 0) {
+            const clientIP = req.ip;
+            if (!apiKeyData.allowedIPs.includes(clientIP)) {
+                return res.status(403).json({ error: 'IP not whitelisted' });
+            }
+        }
+
+        //attach API key data to request for use in other middleware
+        req.apiKeyData = apiKeyData;
+        next();
+    } catch (error) {
+        console.error('API Key Middleware Error:', error);
+        res.status(500).json({ error: 'Internal server error' });
+    }
+};
+
+module.exports = { apiKeyMiddleware };
+
@@ -0,0 +1,69 @@
+    //Rate Limiter
+
+const rateLimit = require('express-rate-limit');
+
+const coolDown = 15 * 60 * 1000; // 15 minutes
+
+const limiter = (options = {}) => {
+    const {
+        maxRequests = 200,
+        windowMs = coolDown, // 15 minutes
+        message = 'Too many requests, please try again later.',
+        keyGenerator = (req) => {
+            //use API key if available, otherwise fall back to IP
+            return req.apiKeyData ? req.apiKeyData.api_key : req.ip;
+        },
+        skip = (req) => false,
+        handler = (req, res) => {
+            res.status(429).json({
+                error: message,
+                requestId: req.requestId,
+                retryAfter: Math.ceil(windowMs / 1000)
+            });
+        },
+        //debug option to help troubleshoot rate limiting
+        debug = process.env.NODE_ENV === 'development'
+    } = options;
+
+    return rateLimit({
+        windowMs,
+        max: maxRequests,
+        message,
+        standardHeaders: true,
+        legacyHeaders: false,
+        keyGenerator,
+        skip,
+        handler,
+        //custom headers
+        headers: true,
+        skipFailedRequests: false,
+        skipSuccessfulRequests: false,
+        statusCode: 429,
+        skip: (req) => {
+            //skip rate limiting for certain paths or conditions
+            //examples below
+            // if (req.path.startsWith('/health')) return true;
+            // if (req.path.startsWith('/metrics')) return true;
+            return false;
+        },
+        debug
+    });
+};
+
+module.exports = {
+    limiter,
+    //strict rate limiter for sensitive endpoints
+    strictLimiter: (maxRequests = 50) => limiter({
+        maxRequests,
+        windowMs: coolDown, // 15 minutes
+        message: 'Rate limit exceeded. Please try again in a minute.'
+    }),
+    //burst rate limiter for high-traffic endpoints
+    burstLimiter: (maxRequests = 1000) => limiter({
+        maxRequests,
+        windowMs: coolDown, // 15 minutes
+        message: 'Too many requests in a short time. Please try again in a minute.'
+    }),
+    //default rate limiter
+    defaultLimiter: limiter
+};
@@ -11,11 +11,13 @@
     "date-fns": "^4.1.0",
     "dotenv": "^16.3.2",
     "express": "^4.18.2",
+    "express-rate-limit": "^7.5.0",
     "express-sslify": "^1.2.0",
     "google-auth-library": "^9.4.2",
     "googleapis": "^131.0.0",
     "jsonwebtoken": "^9.0.2",
     "mongoose": "^8.0.3",
+    "morgan": "^1.10.0",
     "multer": "^1.4.5-lts.1",
     "node-cron": "^3.0.3",
     "nodemon": "^3.1.7",