2018-08-08 00:40:17 +02:00
|
|
|
const crypto = require('crypto');
|
2019-02-15 20:59:39 +01:00
|
|
|
const bodyParser = require('body-parser');
|
2017-08-24 23:54:02 +02:00
|
|
|
const helmet = require('helmet');
|
2019-02-12 20:50:06 +01:00
|
|
|
const uaparser = require('ua-parser-js');
|
2017-08-24 23:54:02 +02:00
|
|
|
const storage = require('../storage');
|
|
|
|
const config = require('../config');
|
2018-02-06 23:31:18 +01:00
|
|
|
const auth = require('../middleware/auth');
|
|
|
|
const language = require('../middleware/language');
|
2017-08-24 23:54:02 +02:00
|
|
|
const pages = require('./pages');
|
2018-08-08 00:40:17 +02:00
|
|
|
const filelist = require('./filelist');
|
2019-02-26 19:39:50 +01:00
|
|
|
const clientConstants = require('../clientConstants');
|
2018-02-06 23:31:18 +01:00
|
|
|
|
2017-08-29 20:19:21 +02:00
|
|
|
const IS_DEV = config.env === 'development';
|
2019-03-26 17:32:44 +01:00
|
|
|
const ID_REGEX = '([0-9a-fA-F]{10,16})';
|
2017-08-24 23:54:02 +02:00
|
|
|
|
|
|
|
module.exports = function(app) {
|
2019-02-12 20:50:06 +01:00
|
|
|
app.set('trust proxy', true);
|
2017-08-24 23:54:02 +02:00
|
|
|
app.use(helmet());
|
|
|
|
app.use(
|
|
|
|
helmet.hsts({
|
|
|
|
maxAge: 31536000,
|
2017-08-29 20:19:21 +02:00
|
|
|
force: !IS_DEV
|
2017-08-24 23:54:02 +02:00
|
|
|
})
|
|
|
|
);
|
2019-02-12 20:50:06 +01:00
|
|
|
app.use(function(req, res, next) {
|
|
|
|
req.ua = uaparser(req.header('user-agent'));
|
|
|
|
next();
|
|
|
|
});
|
2018-08-08 00:40:17 +02:00
|
|
|
app.use(function(req, res, next) {
|
|
|
|
req.cspNonce = crypto.randomBytes(16).toString('hex');
|
|
|
|
next();
|
|
|
|
});
|
2017-11-30 22:41:09 +01:00
|
|
|
if (!IS_DEV) {
|
2020-06-11 15:57:48 +02:00
|
|
|
let csp = {
|
2020-07-13 19:21:28 +02:00
|
|
|
directives: {
|
|
|
|
defaultSrc: ["'self'"],
|
|
|
|
connectSrc: [
|
|
|
|
"'self'",
|
|
|
|
config.base_url.replace(/^https:\/\//, 'wss://')
|
|
|
|
],
|
|
|
|
imgSrc: ["'self'"],
|
|
|
|
scriptSrc: [
|
|
|
|
"'self'",
|
|
|
|
function(req) {
|
|
|
|
return `'nonce-${req.cspNonce}'`;
|
|
|
|
}
|
|
|
|
],
|
|
|
|
formAction: ["'none'"],
|
|
|
|
frameAncestors: ["'none'"],
|
|
|
|
objectSrc: ["'none'"],
|
|
|
|
reportUri: '/__cspreport__'
|
2020-06-11 15:57:48 +02:00
|
|
|
}
|
2020-07-13 19:21:28 +02:00
|
|
|
};
|
|
|
|
if (config.fxa_client_id) {
|
|
|
|
csp.directives.connectSrc.push('https://accounts.firefox.com');
|
|
|
|
csp.directives.connectSrc.push('https://*.accounts.firefox.com');
|
|
|
|
csp.directives.imgSrc.push('https://firefoxusercontent.com');
|
|
|
|
csp.directives.imgSrc.push('https://secure.gravatar.com');
|
2020-06-11 15:57:48 +02:00
|
|
|
}
|
2020-07-13 19:21:28 +02:00
|
|
|
if (config.sentry_id) {
|
|
|
|
csp.directives.connectSrc.push(config.sentry_host);
|
2020-06-11 15:57:48 +02:00
|
|
|
}
|
2020-07-13 19:21:28 +02:00
|
|
|
if (
|
|
|
|
config.base_url.test(/^https:\/\/.*\.dev\.lcip\.org$/) ||
|
|
|
|
config.base_url.test(
|
|
|
|
/^https:\/\/.*\.send\.nonprod\.cloudops\.mozgcp\.net$/
|
|
|
|
)
|
|
|
|
) {
|
|
|
|
csp.directives.connectSrc.push('https://*.dev.lcip.org');
|
|
|
|
csp.directives.imgSrc.push('https://*.dev.lcip.org');
|
2020-06-11 15:57:48 +02:00
|
|
|
}
|
2020-07-13 19:21:28 +02:00
|
|
|
if (config.fxa_csp_oauth_url != '') {
|
|
|
|
csp.directives.connectSrc.push(config.fxa_csp_oauth_url);
|
|
|
|
}
|
|
|
|
if (config.fxa_csp_content_url != '') {
|
|
|
|
csp.directives.connectSrc.push(config.fxa_csp_content_url);
|
|
|
|
}
|
|
|
|
if (config.fxa_csp_profile_url != '') {
|
|
|
|
csp.directives.connectSrc.push(config.fxa_csp_profile_url);
|
|
|
|
}
|
|
|
|
if (config.fxa_csp_profileimage_url != '') {
|
|
|
|
csp.directives.imgSrc.push(config.fxa_csp_profileimage_url);
|
2020-06-11 15:57:48 +02:00
|
|
|
}
|
|
|
|
|
2020-07-13 19:21:28 +02:00
|
|
|
app.use(helmet.contentSecurityPolicy(csp));
|
2017-11-30 22:41:09 +01:00
|
|
|
}
|
2020-06-11 15:57:48 +02:00
|
|
|
|
2017-11-06 22:36:36 +01:00
|
|
|
app.use(function(req, res, next) {
|
|
|
|
res.set('Pragma', 'no-cache');
|
2019-09-05 22:32:59 +02:00
|
|
|
res.set(
|
|
|
|
'Cache-Control',
|
|
|
|
'private, no-cache, no-store, must-revalidate, max-age=0'
|
|
|
|
);
|
2017-11-06 22:36:36 +01:00
|
|
|
next();
|
|
|
|
});
|
2019-02-15 20:59:39 +01:00
|
|
|
app.use(bodyParser.json());
|
|
|
|
app.use(bodyParser.text());
|
2018-08-08 00:40:17 +02:00
|
|
|
app.get('/', language, pages.index);
|
2019-02-26 19:39:50 +01:00
|
|
|
app.get('/config', function(req, res) {
|
|
|
|
res.json(clientConstants);
|
|
|
|
});
|
2019-02-25 20:44:44 +01:00
|
|
|
app.get('/error', language, pages.blank);
|
2018-10-17 01:53:33 +02:00
|
|
|
app.get('/oauth', language, pages.blank);
|
2018-02-06 23:31:18 +01:00
|
|
|
app.get('/legal', language, pages.legal);
|
2019-07-23 18:27:34 +02:00
|
|
|
app.get('/login', language, pages.index);
|
2020-07-13 19:21:28 +02:00
|
|
|
app.get('/report', language, pages.blank);
|
2018-11-20 21:00:32 +01:00
|
|
|
app.get('/app.webmanifest', language, require('./webmanifest'));
|
2018-02-06 23:31:18 +01:00
|
|
|
app.get(`/download/:id${ID_REGEX}`, language, pages.download);
|
|
|
|
app.get('/unsupported/:reason', language, pages.unsupported);
|
2018-08-08 00:40:17 +02:00
|
|
|
app.get(`/api/download/:id${ID_REGEX}`, auth.hmac, require('./download'));
|
|
|
|
app.get(
|
|
|
|
`/api/download/blob/:id${ID_REGEX}`,
|
|
|
|
auth.hmac,
|
|
|
|
require('./download')
|
|
|
|
);
|
2018-02-06 23:31:18 +01:00
|
|
|
app.get(`/api/exists/:id${ID_REGEX}`, require('./exists'));
|
2018-08-08 00:40:17 +02:00
|
|
|
app.get(`/api/metadata/:id${ID_REGEX}`, auth.hmac, require('./metadata'));
|
2019-02-27 04:58:03 +01:00
|
|
|
app.get('/api/filelist/:id([\\w-]{16})', auth.fxa, filelist.get);
|
|
|
|
app.post('/api/filelist/:id([\\w-]{16})', auth.fxa, filelist.post);
|
2020-07-24 19:06:27 +02:00
|
|
|
// app.post('/api/upload', auth.fxa, require('./upload'));
|
2018-08-08 00:40:17 +02:00
|
|
|
app.post(`/api/delete/:id${ID_REGEX}`, auth.owner, require('./delete'));
|
|
|
|
app.post(`/api/password/:id${ID_REGEX}`, auth.owner, require('./password'));
|
2018-08-31 19:59:26 +02:00
|
|
|
app.post(
|
|
|
|
`/api/params/:id${ID_REGEX}`,
|
|
|
|
auth.owner,
|
|
|
|
auth.fxa,
|
|
|
|
require('./params')
|
|
|
|
);
|
2018-08-08 00:40:17 +02:00
|
|
|
app.post(`/api/info/:id${ID_REGEX}`, auth.owner, require('./info'));
|
2020-07-13 19:21:28 +02:00
|
|
|
app.post(`/api/report/:id${ID_REGEX}`, require('./report'));
|
2019-02-12 20:50:06 +01:00
|
|
|
app.post('/api/metrics', require('./metrics'));
|
2017-08-24 23:54:02 +02:00
|
|
|
app.get('/__version__', function(req, res) {
|
2019-06-14 20:30:43 +02:00
|
|
|
// eslint-disable-next-line node/no-missing-require
|
2017-08-24 23:54:02 +02:00
|
|
|
res.sendFile(require.resolve('../../dist/version.json'));
|
|
|
|
});
|
|
|
|
|
|
|
|
app.get('/__lbheartbeat__', function(req, res) {
|
|
|
|
res.sendStatus(200);
|
|
|
|
});
|
|
|
|
|
2017-08-25 19:03:49 +02:00
|
|
|
app.get('/__heartbeat__', async (req, res) => {
|
2017-08-24 23:54:02 +02:00
|
|
|
try {
|
|
|
|
await storage.ping();
|
|
|
|
res.sendStatus(200);
|
|
|
|
} catch (e) {
|
|
|
|
res.sendStatus(500);
|
|
|
|
}
|
|
|
|
});
|
|
|
|
};
|