drop.chapril.org-firefoxsend/server/routes/index.js

124 lines
3.8 KiB
JavaScript
Raw Normal View History

2018-08-08 00:40:17 +02:00
const crypto = require('crypto');
2019-02-15 20:59:39 +01:00
const bodyParser = require('body-parser');
const helmet = require('helmet');
2019-02-12 20:50:06 +01:00
const uaparser = require('ua-parser-js');
const storage = require('../storage');
const config = require('../config');
2018-02-06 23:31:18 +01:00
const auth = require('../middleware/auth');
const language = require('../middleware/language');
const pages = require('./pages');
2018-08-08 00:40:17 +02:00
const filelist = require('./filelist');
const clientConstants = require('../clientConstants');
2018-02-06 23:31:18 +01:00
2017-08-29 20:19:21 +02:00
const IS_DEV = config.env === 'development';
2019-03-26 17:32:44 +01:00
const ID_REGEX = '([0-9a-fA-F]{10,16})';
module.exports = function(app) {
2019-02-12 20:50:06 +01:00
app.set('trust proxy', true);
app.use(helmet());
app.use(
helmet.hsts({
maxAge: 31536000,
2017-08-29 20:19:21 +02:00
force: !IS_DEV
})
);
2019-02-12 20:50:06 +01:00
app.use(function(req, res, next) {
req.ua = uaparser(req.header('user-agent'));
next();
});
2018-08-08 00:40:17 +02:00
app.use(function(req, res, next) {
req.cspNonce = crypto.randomBytes(16).toString('hex');
next();
});
2017-11-30 22:41:09 +01:00
if (!IS_DEV) {
app.use(
helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
connectSrc: [
"'self'",
2018-07-12 23:27:49 +02:00
'wss://*.dev.lcip.org',
2019-03-06 21:59:54 +01:00
'wss://*.send.nonprod.cloudops.mozgcp.net',
2018-07-12 23:27:49 +02:00
'wss://send.firefox.com',
'https://*.dev.lcip.org',
'https://accounts.firefox.com',
'https://*.accounts.firefox.com',
2019-02-12 20:50:06 +01:00
'https://sentry.prod.mozaws.net'
2017-11-30 22:41:09 +01:00
],
2018-08-08 00:40:17 +02:00
imgSrc: [
"'self'",
'https://*.dev.lcip.org',
2019-03-31 21:42:59 +02:00
'https://firefoxusercontent.com',
'https://secure.gravatar.com'
2018-08-08 00:40:17 +02:00
],
scriptSrc: [
"'self'",
function(req) {
return `'nonce-${req.cspNonce}'`;
}
],
2017-11-30 22:41:09 +01:00
formAction: ["'none'"],
frameAncestors: ["'none'"],
objectSrc: ["'none'"],
reportUri: '/__cspreport__'
}
})
);
}
app.use(function(req, res, next) {
res.set('Pragma', 'no-cache');
res.set('Cache-Control', 'no-cache');
next();
});
2019-02-15 20:59:39 +01:00
app.use(bodyParser.json());
app.use(bodyParser.text());
2018-08-08 00:40:17 +02:00
app.get('/', language, pages.index);
app.get('/config', function(req, res) {
res.json(clientConstants);
});
2019-02-25 20:44:44 +01:00
app.get('/error', language, pages.blank);
2018-10-17 01:53:33 +02:00
app.get('/oauth', language, pages.blank);
2018-02-06 23:31:18 +01:00
app.get('/legal', language, pages.legal);
2018-11-20 21:00:32 +01:00
app.get('/app.webmanifest', language, require('./webmanifest'));
2018-02-06 23:31:18 +01:00
app.get(`/download/:id${ID_REGEX}`, language, pages.download);
app.get('/unsupported/:reason', language, pages.unsupported);
2018-08-08 00:40:17 +02:00
app.get(`/api/download/:id${ID_REGEX}`, auth.hmac, require('./download'));
app.get(
`/api/download/blob/:id${ID_REGEX}`,
auth.hmac,
require('./download')
);
2018-02-06 23:31:18 +01:00
app.get(`/api/exists/:id${ID_REGEX}`, require('./exists'));
2018-08-08 00:40:17 +02:00
app.get(`/api/metadata/:id${ID_REGEX}`, auth.hmac, require('./metadata'));
2019-02-27 04:58:03 +01:00
app.get('/api/filelist/:id([\\w-]{16})', auth.fxa, filelist.get);
app.post('/api/filelist/:id([\\w-]{16})', auth.fxa, filelist.post);
2018-08-08 00:40:17 +02:00
app.post('/api/upload', auth.fxa, require('./upload'));
app.post(`/api/delete/:id${ID_REGEX}`, auth.owner, require('./delete'));
app.post(`/api/password/:id${ID_REGEX}`, auth.owner, require('./password'));
2018-08-31 19:59:26 +02:00
app.post(
`/api/params/:id${ID_REGEX}`,
auth.owner,
auth.fxa,
require('./params')
);
2018-08-08 00:40:17 +02:00
app.post(`/api/info/:id${ID_REGEX}`, auth.owner, require('./info'));
2019-02-12 20:50:06 +01:00
app.post('/api/metrics', require('./metrics'));
app.get('/__version__', function(req, res) {
2019-06-14 20:30:43 +02:00
// eslint-disable-next-line node/no-missing-require
res.sendFile(require.resolve('../../dist/version.json'));
});
app.get('/__lbheartbeat__', function(req, res) {
res.sendStatus(200);
});
2017-08-25 19:03:49 +02:00
app.get('/__heartbeat__', async (req, res) => {
try {
await storage.ping();
res.sendStatus(200);
} catch (e) {
res.sendStatus(500);
}
});
};