Import Expect-CT (expect-ct) middleware

This imports the [expect-ct package][0] into this repo as part of my
effort to make Helmet a monorepo. You can find its prior history in the
old repo.

Similar to:

* e933c28 which imported
  `dns-prefetch-control`
* `13b496f801ee3c77ae9cf91f13c6838263786cc3` which imported `ienoopen`

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## Unreleased
+
+### Changed
+
+- `helmet.expectCt` is no longer a separate package. This should have no effect on end users.
+
 ## 3.23.2 - 2020-06-23
 
 ### Changed

index.ts

@@ -1,4 +1,5 @@
 import { IncomingMessage, ServerResponse } from "http";
+import expectCt from "./middlewares/expect-ct";
 import xDnsPrefetchControl from "./middlewares/x-dns-prefetch-control";
 import xDownloadOptions from "./middlewares/x-download-options";
 import depd = require("depd");
@@ -128,7 +129,7 @@ function helmet(options: Readonly<HelmetOptions> = {}) {
 
 helmet.contentSecurityPolicy = require("helmet-csp");
 helmet.dnsPrefetchControl = xDnsPrefetchControl;
-helmet.expectCt = require("expect-ct");
+helmet.expectCt = expectCt;
 helmet.frameguard = require("frameguard");
 helmet.hidePoweredBy = require("hide-powered-by");
 helmet.hsts = require("hsts");

middlewares/expect-ct/CHANGELOG.md

@@ -0,0 +1,29 @@
+# Changelog
+
+## Unreleased
+
+### Changed
+
+- If `maxAge` is `undefined`, it will be set to `0`
+- If `maxAge` is not an integer, it will be rounded down
+
+## 0.3.0 - 2019-09-01
+
+### Changed
+
+- Dropped support for Node <8
+- You must now pass a positive integer for `maxAge` (instead of any positive number)
+- You cannot pass `undefined` for `maxAge` (though you can still omit the property)
+
+## 0.2.0 - 2019-05-04
+
+### Added
+
+- TypeScript type definitions. See [helmetjs/helmet#188](https://github.com/helmetjs/helmet/issues/188)
+- Additional package metadata (bugs, homepage, etc)
+
+### Changed
+
+- Updated documentation
+
+Changes in versions 0.1.1 and below can be found in [Helmet's changelog](https://github.com/helmetjs/helmet/blob/master/CHANGELOG.md).

middlewares/expect-ct/README.md

@@ -0,0 +1,29 @@
+# Expect-CT middleware
+
+The `Expect-CT` HTTP header tells browsers to expect Certificate Transparency. For more, see [this blog post](https://scotthelme.co.uk/a-new-security-header-expect-ct/) and the [article on MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT).
+
+Usage:
+
+```javascript
+const expectCt = require("expect-ct");
+
+// Sets Expect-CT: max-age=123
+app.use(expectCt({ maxAge: 123 }));
+
+// Sets Expect-CT: enforce, max-age=123
+app.use(
+  expectCt({
+    enforce: true,
+    maxAge: 123,
+  })
+);
+
+// Sets Expect-CT: enforce, max-age=30, report-uri="https://example.com/report"
+app.use(
+  expectCt({
+    enforce: true,
+    maxAge: 30,
+    reportUri: "https://example.com/report",
+  })
+);
+```

middlewares/expect-ct/index.ts

@@ -0,0 +1,51 @@
+import { IncomingMessage, ServerResponse } from "http";
+
+export interface ExpectCtOptions {
+  maxAge?: number;
+  enforce?: boolean;
+  reportUri?: string;
+}
+
+function parseMaxAge(value: void | number): number {
+  if (value === undefined) {
+    return 0;
+  } else if (typeof value === "number" && value >= 0) {
+    return Math.floor(value);
+  } else {
+    throw new Error(
+      `${value} is not a valid value for maxAge. Please choose a positive integer.`
+    );
+  }
+}
+
+function getHeaderValueFromOptions(options: Readonly<ExpectCtOptions>): string {
+  const directives: string[] = [];
+
+  if (options.enforce) {
+    directives.push("enforce");
+  }
+
+  directives.push(`max-age=${parseMaxAge(options.maxAge)}`);
+
+  if (options.reportUri) {
+    directives.push(`report-uri="${options.reportUri}"`);
+  }
+
+  return directives.join(", ");
+}
+
+function expectCt(options: Readonly<ExpectCtOptions> = {}) {
+  const headerValue = getHeaderValueFromOptions(options);
+
+  return function expectCtMiddleware(
+    _req: IncomingMessage,
+    res: ServerResponse,
+    next: () => void
+  ) {
+    res.setHeader("Expect-CT", headerValue);
+    next();
+  };
+}
+
+module.exports = expectCt;
+export default expectCt;

middlewares/expect-ct/package-files.json

@@ -0,0 +1 @@
+["index.js", "index.d.ts"]

middlewares/expect-ct/package-overrides.json

@@ -0,0 +1,9 @@
+{
+  "name": "expect-ct",
+  "author": "Evan Hahn <[email protected]> (https://evanhahn.com)",
+  "contributors": [],
+  "description": "Middleware to set the Expect-CT header",
+  "version": "0.3.0",
+  "keywords": ["express", "security", "expect-ct"],
+  "homepage": "https://helmetjs.github.io/docs/expect-ct/"
+}

package.json

@@ -43,7 +43,6 @@
   "dependencies": {
     "depd": "2.0.0",
     "dont-sniff-mimetype": "1.1.0",
-    "expect-ct": "0.2.0",
     "feature-policy": "0.3.0",
     "frameguard": "3.1.0",
     "helmet-crossdomain": "0.4.0",

test/expect-ct.test.ts

@@ -0,0 +1,71 @@
+import { check } from "./helpers";
+import expectCt from "../middlewares/expect-ct";
+
+describe("Expect-CT middleware", () => {
+  it("sets the max-age to 0 when passed no max-age", async () => {
+    await check(expectCt(), {
+      "expect-ct": "max-age=0",
+    });
+    await check(expectCt({}), {
+      "expect-ct": "max-age=0",
+    });
+    await check(expectCt({ maxAge: undefined }), {
+      "expect-ct": "max-age=0",
+    });
+  });
+
+  it("sets the max-age to a provided integer", async () => {
+    await check(expectCt({ maxAge: 123 }), {
+      "expect-ct": "max-age=123",
+    });
+    await check(expectCt({ maxAge: 0 }), {
+      "expect-ct": "max-age=0",
+    });
+  });
+
+  it("rounds non-integers down", async () => {
+    await check(expectCt({ maxAge: 123.4 }), {
+      "expect-ct": "max-age=123",
+    });
+    await check(expectCt({ maxAge: 123.5 }), {
+      "expect-ct": "max-age=123",
+    });
+  });
+
+  it("rejects negative max-ages", async () => {
+    expect(() => expectCt({ maxAge: -123 })).toThrow();
+    expect(() => expectCt({ maxAge: -0.1 })).toThrow();
+  });
+
+  it("can enable enforcement", async () => {
+    await check(expectCt({ enforce: true }), {
+      "expect-ct": "enforce, max-age=0",
+    });
+  });
+
+  it("can explicitly disable enforcement", async () => {
+    await check(expectCt({ enforce: false }), {
+      "expect-ct": "max-age=0",
+    });
+  });
+
+  it("can set a report-uri", async () => {
+    await check(expectCt({ reportUri: "https://example.com/report" }), {
+      "expect-ct": 'max-age=0, report-uri="https://example.com/report"',
+    });
+  });
+
+  it("can set enforcement, max-age, and a report-uri", async () => {
+    await check(
+      expectCt({
+        enforce: true,
+        maxAge: 123,
+        reportUri: "https://example.com/report",
+      }),
+      {
+        "expect-ct":
+          'enforce, max-age=123, report-uri="https://example.com/report"',
+      }
+    );
+  });
+});

test/index.test.ts

@@ -3,6 +3,7 @@ import helmet = require("..");
 import { IncomingMessage, ServerResponse } from "http";
 import connect = require("connect");
 import request = require("supertest");
+import expectCt from "../middlewares/expect-ct";
 import xDnsPrefetchControl from "../middlewares/x-dns-prefetch-control";
 import xDowloadOptions from "../middlewares/x-download-options";
 
@@ -17,9 +18,8 @@ describe("helmet", function () {
       expect(helmet.noSniff).toBe(pkg);
     });
 
-    it('aliases "expect-ct"', function () {
-      const pkg = require("expect-ct");
-      expect(helmet.expectCt).toBe(pkg);
+    it("aliases the Expect-CT middleware to helmet.expectCt", function () {
+      expect(helmet.expectCt.name).toBe(expectCt.name);
     });
 
     // This test will be removed in helmet@4.