drop.chapril.org-firefoxsend/server/server.js

294 lines
6.3 KiB
JavaScript
Raw Normal View History

const express = require('express');
const exphbs = require('express-handlebars');
const busboy = require('connect-busboy');
const path = require('path');
const bodyParser = require('body-parser');
2017-06-20 00:51:48 +02:00
const helmet = require('helmet');
const bytes = require('bytes');
const conf = require('./config.js');
const storage = require('./storage.js');
2017-06-23 19:53:11 +02:00
const Raven = require('raven');
const crypto = require('crypto');
2017-06-24 05:01:32 +02:00
if (conf.sentry_dsn) {
2017-06-23 19:53:11 +02:00
Raven.config(conf.sentry_dsn).install();
}
2017-06-08 22:45:28 +02:00
const mozlog = require('./log.js');
2017-07-11 21:34:49 +02:00
const log = mozlog('send.server');
2017-06-24 01:53:17 +02:00
const STATIC_PATH = path.join(__dirname, '../public');
const app = express();
2017-06-23 20:14:33 +02:00
app.engine(
'handlebars',
exphbs({
defaultLayout: 'main',
partialsDir: 'views/partials/'
})
);
app.set('view engine', 'handlebars');
2017-06-01 22:14:14 +02:00
2017-06-20 00:51:48 +02:00
app.use(helmet());
2017-07-22 02:01:26 +02:00
app.use(
helmet.hsts({
maxAge: 31536000,
force: conf.env === 'production'
})
);
2017-07-12 19:56:04 +02:00
app.use(
helmet.contentSecurityPolicy({
directives: {
2017-07-18 00:49:09 +02:00
defaultSrc: ["'self'"],
2017-07-12 19:56:04 +02:00
connectSrc: [
2017-07-18 00:49:09 +02:00
"'self'",
2017-07-12 19:56:04 +02:00
'https://sentry.prod.mozaws.net',
2017-07-25 07:08:43 +02:00
'https://www.google-analytics.com'
2017-07-12 19:56:04 +02:00
],
imgSrc: [
2017-07-18 00:49:09 +02:00
"'self'",
2017-07-25 07:08:43 +02:00
'https://www.google-analytics.com'
2017-07-12 19:56:04 +02:00
],
2017-07-25 07:08:43 +02:00
scriptSrc: ["'self'"],
2017-07-18 00:49:09 +02:00
styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
formAction: ["'none'"],
frameAncestors: ["'none'"],
2017-07-25 07:08:43 +02:00
objectSrc: ["'none'"],
reportUri: '/__cspreport__'
2017-07-12 19:56:04 +02:00
}
})
);
2017-07-22 02:01:26 +02:00
app.use(
busboy({
limits: {
fileSize: conf.max_file_size
}
})
);
2017-06-01 22:14:14 +02:00
app.use(bodyParser.json());
2017-06-24 01:53:17 +02:00
app.use(express.static(STATIC_PATH));
2017-06-01 22:14:14 +02:00
app.get('/', (req, res) => {
res.render('index');
});
app.get('/unsupported', (req, res) => {
res.render('unsupported');
});
app.get('/jsconfig.js', (req, res) => {
res.set('Content-Type', 'application/javascript');
res.render('jsconfig', {
2017-06-22 23:50:57 +02:00
trackerId: conf.analytics_id,
dsn: conf.sentry_id,
2017-07-20 21:50:20 +02:00
maxFileSize: conf.max_file_size,
expireSeconds: conf.expire_seconds,
layout: false
});
});
2017-06-08 22:45:28 +02:00
app.get('/exists/:id', (req, res) => {
2017-06-09 19:44:12 +02:00
const id = req.params.id;
2017-07-11 20:18:31 +02:00
if (!validateID(id)) {
res.sendStatus(404);
return;
}
2017-06-24 02:06:08 +02:00
storage
.exists(id)
.then(() => {
res.sendStatus(200);
})
.catch(err => res.sendStatus(404));
2017-06-08 22:45:28 +02:00
});
2017-06-06 23:24:51 +02:00
app.get('/download/:id', (req, res) => {
2017-06-09 19:44:12 +02:00
const id = req.params.id;
2017-07-11 20:18:31 +02:00
if (!validateID(id)) {
res.sendStatus(404);
return;
}
storage.filename(id).then(filename => {
storage
.length(id)
.then(contentLength => {
2017-07-22 02:01:26 +02:00
storage.ttl(id).then(timeToExpiry => {
res.render('download', {
filename: decodeURIComponent(filename),
filesize: bytes(contentLength),
sizeInBytes: contentLength,
timeToExpiry: timeToExpiry
});
});
})
.catch(() => {
res.status(404).render('notfound');
});
});
2017-06-01 22:14:14 +02:00
});
2017-06-06 23:24:51 +02:00
app.get('/assets/download/:id', (req, res) => {
2017-06-09 19:44:12 +02:00
const id = req.params.id;
2017-06-06 23:24:51 +02:00
if (!validateID(id)) {
res.sendStatus(404);
2017-06-01 22:14:14 +02:00
return;
}
2017-06-29 19:30:08 +02:00
storage
.metadata(id)
2017-06-29 19:27:36 +02:00
.then(meta => {
2017-07-12 19:53:29 +02:00
storage
.length(id)
.then(contentLength => {
res.writeHead(200, {
'Content-Disposition': 'attachment; filename=' + meta.filename,
'Content-Type': 'application/octet-stream',
'Content-Length': contentLength,
'X-File-Metadata': JSON.stringify(meta)
});
const file_stream = storage.get(id);
file_stream.on('end', () => {
storage
.forceDelete(id)
.then(err => {
if (!err) {
log.info('Deleted:', id);
}
})
.catch(err => {
log.info('DeleteError:', id);
});
});
file_stream.pipe(res);
})
.catch(err => {
res.sendStatus(404);
2017-06-06 19:23:37 +02:00
});
})
.catch(err => {
res.sendStatus(404);
});
2017-06-01 22:14:14 +02:00
});
2017-06-06 23:24:51 +02:00
app.post('/delete/:id', (req, res) => {
2017-06-09 19:44:12 +02:00
const id = req.params.id;
2017-06-01 22:14:14 +02:00
2017-06-06 23:24:51 +02:00
if (!validateID(id)) {
res.sendStatus(404);
2017-06-01 22:14:14 +02:00
return;
}
2017-06-06 23:24:51 +02:00
2017-06-09 19:44:12 +02:00
const delete_token = req.body.delete_token;
2017-06-06 23:24:51 +02:00
if (!delete_token) {
2017-06-01 22:14:14 +02:00
res.sendStatus(404);
2017-07-11 20:18:31 +02:00
return;
2017-06-01 22:14:14 +02:00
}
storage
.delete(id, delete_token)
2017-06-20 21:52:01 +02:00
.then(err => {
if (!err) {
2017-06-08 22:45:28 +02:00
log.info('Deleted:', id);
res.sendStatus(200);
}
})
.catch(err => res.sendStatus(404));
2017-06-01 22:14:14 +02:00
});
app.post('/upload', (req, res, next) => {
const newId = crypto.randomBytes(5).toString('hex');
2017-07-11 21:47:40 +02:00
let meta;
2017-07-11 21:34:49 +02:00
2017-07-11 21:47:40 +02:00
try {
meta = JSON.parse(req.header('X-File-Metadata'));
2017-07-12 19:53:29 +02:00
} catch (err) {
2017-07-11 21:47:40 +02:00
res.sendStatus(400);
return;
}
2017-07-11 20:18:31 +02:00
2017-07-12 19:53:29 +02:00
if (
!meta.hasOwnProperty('aad') ||
!meta.hasOwnProperty('id') ||
2017-07-13 23:56:28 +02:00
!meta.hasOwnProperty('filename') ||
!validateIV(meta.id)
2017-07-12 19:53:29 +02:00
) {
2017-07-11 20:18:31 +02:00
res.sendStatus(404);
return;
}
meta.delete = crypto.randomBytes(10).toString('hex');
2017-06-29 19:30:08 +02:00
log.info('meta', meta);
req.pipe(req.busboy);
2017-06-20 23:33:28 +02:00
req.busboy.on('file', (fieldname, file, filename) => {
log.info('Uploading:', newId);
2017-07-22 02:01:26 +02:00
storage.set(newId, file, filename, meta).then(
() => {
const protocol = conf.env === 'production' ? 'https' : req.protocol;
const url = `${protocol}://${req.get('host')}/download/${newId}/`;
res.json({
url,
delete: meta.delete,
id: newId
});
},
err => {
if (err.message === 'limit') {
return res.sendStatus(413);
}
res.sendStatus(500);
2017-07-20 21:50:20 +02:00
}
2017-07-22 02:01:26 +02:00
);
2017-06-06 23:24:51 +02:00
});
2017-07-18 19:52:32 +02:00
req.on('close', err => {
storage
.forceDelete(newId)
.then(err => {
if (!err) {
log.info('Deleted:', newId);
}
})
.catch(err => {
log.info('DeleteError:', newId);
});
2017-07-22 02:01:26 +02:00
});
2017-06-01 22:14:14 +02:00
});
2017-06-22 21:18:07 +02:00
app.get('/__lbheartbeat__', (req, res) => {
res.sendStatus(200);
});
2017-06-23 20:14:33 +02:00
app.get('/__heartbeat__', (req, res) => {
storage.ping().then(() => res.sendStatus(200), () => res.sendStatus(500));
});
2017-06-23 20:29:45 +02:00
app.get('/__version__', (req, res) => {
2017-06-24 01:53:17 +02:00
res.sendFile(path.join(STATIC_PATH, 'version.json'));
2017-06-23 20:29:45 +02:00
});
2017-07-11 21:47:40 +02:00
const server = app.listen(conf.listen_port, () => {
2017-07-11 21:34:49 +02:00
log.info('startServer:', `Send app listening on port ${conf.listen_port}!`);
2017-06-06 23:24:51 +02:00
});
2017-06-01 22:14:14 +02:00
2017-06-09 19:44:12 +02:00
const validateID = route_id => {
2017-07-07 23:47:56 +02:00
return route_id.match(/^[0-9a-fA-F]{10}$/) !== null;
2017-07-11 20:18:31 +02:00
};
const validateIV = route_id => {
return route_id.match(/^[0-9a-fA-F]{24}$/) !== null;
2017-07-11 21:47:40 +02:00
};
module.exports = {
server: server,
storage: storage
2017-07-12 19:53:29 +02:00
};