Initial working Node.js + express app

Author: KMilej

.editorconfig

@@ -0,0 +1,11 @@
+# HTTP port the backend listens on
+HTTP_PORT=8080
+
+# Approov secret: approov secret -get base64url
+APPROOV_BASE64URL_SECRET=approov_base64url_secret_here
+
+# Localhost
+SERVER_HOSTNAME=0.0.0.0
+
+# Command that starts your server inside the container
+APP_START_CMD=npm start

.env.example

@@ -16,3 +16,4 @@ node_modules/
 .env
 packages/
 !.gitkeep
+.config/

.gitignore

@@ -0,0 +1,264 @@
+'use strict';
+
+const crypto = require('crypto');
+const express = require('express');
+const cors = require('cors');
+const jwt = require('jsonwebtoken');
+const dotenv = require('dotenv');
+
+const envResult = dotenv.config({ quiet: true });
+if (envResult.error && envResult.error.code !== 'ENOENT') {
+  throw new Error(`Failed to load .env: ${envResult.error.message}`);
+}
+
+const PORT = parsePort(process.env.PORT, 8080);
+const APPROOV_HEADER = 'Approov-Token';
+const AUTH_HEADER = 'Authorization';
+const DIGEST_HEADER = 'Content-Digest';
+const APPROOV_SECRET = loadApproovSecret();
+
+let approovEnabled = true;
+let tokenBindingEnabled = true;
+
+// Approov-protected endpoints that require token checks.
+const PROTECTED_PATHS = new Set([
+  '/token-check',
+  '/token-binding',
+  '/token-double-binding',
+]);
+
+const app = express();
+app.disable('x-powered-by');
+app.use(cors());
+
+app.use(approovAuthMiddleware);
+
+app.get('/', (req, res) => {
+  res.json(infoPayload('Approov demo API is running on port 8080.'));
+});
+
+app.get('/approov-state', (req, res) => {
+  res.json(statePayload());
+});
+
+app.post('/approov/enable', (req, res) => {
+  enableApproov();
+  res.json(statePayload());
+});
+
+app.post('/approov/disable', (req, res) => {
+  disableApproov();
+  res.json(statePayload());
+});
+
+app.post('/token-binding/enable', (req, res) => {
+  tokenBindingEnabled = true;
+  res.json(statePayload());
+});
+
+app.post('/token-binding/disable', (req, res) => {
+  tokenBindingEnabled = false;
+  res.json(statePayload());
+});
+
+app.get('/unprotected', (req, res) => {
+  res.json(infoPayload("Unprotected endpoint '/unprotected'; no Approov checks performed."));
+});
+
+app.get('/token-check', (req, res) => {
+  res.json(infoPayload("Protected endpoint '/token-check'; Approov token verified."));
+});
+
+app.get('/token-binding', (req, res) => {
+  const authorization = req.get(AUTH_HEADER);
+  const payload = infoPayload("Protected endpoint '/token-binding'; Approov token binding enforced.");
+  payload.authorizationHeaderPresent = hasText(authorization);
+  res.json(payload);
+});
+
+app.get('/token-double-binding', (req, res) => {
+  const authorization = req.get(AUTH_HEADER);
+  const contentDigest = req.get(DIGEST_HEADER);
+  const payload = infoPayload("Protected endpoint '/token-double-binding'; dual token binding enforced.");
+  payload.authorizationHeaderPresent = hasText(authorization);
+  payload.contentDigestHeaderPresent = hasText(contentDigest);
+  res.json(payload);
+});
+
+const server = app.listen(PORT, () => {
+  console.log(`Approov demo API listening on port ${PORT}.`);
+});
+
+process.on('SIGTERM', () => shutdown('SIGTERM'));
+process.on('SIGINT', () => shutdown('SIGINT'));
+
+function shutdown(signal) {
+  console.log(`Received ${signal}, shutting down.`);
+  server.close(() => process.exit(0));
+}
+
+// Middleware that enforces Approov token checks on protected endpoints.
+function approovAuthMiddleware(req, res, next) {
+  if (req.method === 'OPTIONS') {
+    return next();
+  }
+
+  if (!PROTECTED_PATHS.has(req.path)) {
+    return next();
+  }
+
+  if (!approovEnabled) {
+    return next();
+  }
+
+  try {
+    const rawToken = trimOrNull(req.get(APPROOV_HEADER));
+    const claims = verifyApproovToken(rawToken);
+
+    if (tokenBindingEnabled && needsBindingCheck(req.path)) {
+      const bindingValue = extractBindingValue(req.path, req);
+      if (!hasText(bindingValue)) {
+        throw new ApproovAuthError('Missing binding header value.');
+      }
+      verifyTokenBinding(bindingValue, claims);
+    }
+
+    return next();
+  } catch (err) {
+    logAuthFailure(err);
+    return unauthorized(res);
+  }
+}
+
+// Token validation logic: signature check, expiration, and binding (when enabled).
+function verifyApproovToken(token) {
+  if (!hasText(token)) {
+    throw new ApproovAuthError('Approov token missing.');
+  }
+
+  let claims;
+  try {
+    claims = jwt.verify(token, APPROOV_SECRET, {
+      algorithms: ['HS256'],
+      ignoreExpiration: true,
+    });
+  } catch (err) {
+    throw new ApproovAuthError('Approov token verification failed.');
+  }
+
+  const exp = Number(claims.exp);
+  if (!Number.isFinite(exp)) {
+    throw new ApproovAuthError('Approov token missing expiration.');
+  }
+  if (exp * 1000 <= Date.now()) {
+    throw new ApproovAuthError('Approov token expired.');
+  }
+
+  return claims;
+}
+
+function verifyTokenBinding(bindingValue, claims) {
+  const expected = typeof claims.pay === 'string' ? claims.pay.trim() : '';
+  if (!hasText(expected)) {
+    throw new ApproovAuthError('Approov token missing binding payload.');
+  }
+
+  const computed = hashBase64(bindingValue);
+  if (computed !== expected) {
+    throw new ApproovAuthError('Approov token binding mismatch.');
+  }
+}
+
+function extractBindingValue(path, req) {
+  if (path === '/token-binding') {
+    return trimOrNull(req.get(AUTH_HEADER));
+  }
+
+  const authorization = trimOrNull(req.get(AUTH_HEADER));
+  const digest = trimOrNull(req.get(DIGEST_HEADER));
+  if (!hasText(authorization) || !hasText(digest)) {
+    return null;
+  }
+  return authorization + digest;
+}
+
+function needsBindingCheck(path) {
+  return path === '/token-binding' || path === '/token-double-binding';
+}
+
+function enableApproov() {
+  approovEnabled = true;
+  tokenBindingEnabled = true;
+}
+
+function disableApproov() {
+  approovEnabled = false;
+  tokenBindingEnabled = false;
+}
+
+function statePayload() {
+  return {
+    approovEnabled,
+    tokenBindingEnabled,
+  };
+}
+
+function infoPayload(details) {
+  return {
+    ...statePayload(),
+    details,
+  };
+}
+
+function loadApproovSecret() {
+  const raw = process.env.APPROOV_BASE64URL_SECRET;
+  if (!hasText(raw)) {
+    throw new Error('APPROOV_BASE64URL_SECRET environment variable is not set.');
+  }
+
+  try {
+    const decoded = Buffer.from(raw.trim(), 'base64url');
+    if (decoded.length === 0) {
+      throw new Error('APPROOV_BASE64URL_SECRET decoded to an empty value.');
+    }
+    return decoded;
+  } catch (err) {
+    throw new Error('APPROOV_BASE64URL_SECRET must be base64url encoded.');
+  }
+}
+
+function hashBase64(value) {
+  return crypto.createHash('sha256').update(value, 'utf8').digest('base64');
+}
+
+function unauthorized(res) {
+  res.status(401).json({});
+}
+
+function logAuthFailure(err) {
+  if (err instanceof ApproovAuthError) {
+    console.warn(`[Approov] ${err.message}`);
+    return;
+  }
+  console.warn('[Approov] Unexpected authentication error.', err);
+}
+
+function hasText(value) {
+  return typeof value === 'string' && value.trim() !== '';
+}
+
+function trimOrNull(value) {
+  return typeof value === 'string' ? value.trim() : null;
+}
+
+function parsePort(value, fallback) {
+  const parsed = Number.parseInt(value, 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
+}
+
+class ApproovAuthError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = 'ApproovAuthError';
+  }
+}

ApproovApplication.js

@@ -1,47 +1,16 @@
-ARG TAG=17.7.1-slim
+# syntax=docker/dockerfile:1
+# Builds the quickstart backend container image and configures scripts/install-prerequisites.sh and scripts/build.sh
+# as the entrypoint used both locally and when deployed via Docker.
+FROM node:22-slim
 
-FROM node:${TAG}
+ENV APP_HOME=/workspace \
+    RUN_MODE=container
 
-ARG CONTAINER_USER="node"
-ARG LANGUAGE_CODE="en"
-ARG COUNTRY_CODE="GB"
-ARG ENCODING="UTF-8"
+WORKDIR /app
 
-ARG LOCALE_STRING="${LANGUAGE_CODE}_${COUNTRY_CODE}"
-ARG LOCALIZATION="${LOCALE_STRING}.${ENCODING}"
+COPY . .
 
-ARG OH_MY_ZSH_THEME="bira"
+RUN npm install
 
-RUN apt update && apt -y upgrade && \
-    apt -y install \
-        locales \
-        git \
-        curl \
-        inotify-tools \
-        zsh && \
-
-        echo "${LOCALIZATION} ${ENCODING}" > /etc/locale.gen && \
-        locale-gen "${LOCALIZATION}" && \
-
-        # useradd -m -u 1000 -s /usr/bin/zsh "${CONTAINER_USER}" && \
-
-        bash -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)" && \
-
-        cp -v /root/.zshrc /home/"${CONTAINER_USER}"/.zshrc && \
-        cp -rv /root/.oh-my-zsh /home/"${CONTAINER_USER}"/.oh-my-zsh && \
-        sed -i "s/\/root/\/home\/${CONTAINER_USER}/g" /home/"${CONTAINER_USER}"/.zshrc && \
-        sed -i s/ZSH_THEME=\"robbyrussell\"/ZSH_THEME=\"${OH_MY_ZSH_THEME}\"/g /home/${CONTAINER_USER}/.zshrc && \
-        mkdir /home/"${CONTAINER_USER}"/workspace && \
-        chown -R "${CONTAINER_USER}":"${CONTAINER_USER}" /home/"${CONTAINER_USER}"
-
-USER ${CONTAINER_USER}
-
-ENV USER ${CONTAINER_USER}
-ENV LANG "${LOCALIZATION}"
-ENV LANGUAGE "${LOCALE_STRING}:${LANGUAGE_CODE}"
-ENV PATH=/home/${CONTAINER_USER}/.local/bin:${PATH}
-ENV LC_ALL "${LOCALIZATION}"
-
-WORKDIR /home/${CONTAINER_USER}/workspace
-
-CMD ["zsh"]
+# Provide APP_START_CMD via --env-file.
+CMD ["bash", "scripts/build.sh"]