drop.chapril.org-firefoxsend/server/routes/index.js

const crypto = require('crypto');
const bodyParser = require('body-parser');
const helmet = require('helmet');
const uaparser = require('ua-parser-js');
const storage = require('../storage');
const config = require('../config');
const auth = require('../middleware/auth');
const language = require('../middleware/language');
const pages = require('./pages');
const filelist = require('./filelist');
const clientConstants = require('../clientConstants');

const IS_DEV = config.env === 'development';
const ID_REGEX = '([0-9a-fA-F]{10,16})';

module.exports = function(app) {
  app.set('trust proxy', true);
  app.use(helmet());
  app.use(
    helmet.hsts({
      maxAge: 31536000,
      force: !IS_DEV
    })
  );
  app.use(function(req, res, next) {
    req.ua = uaparser(req.header('user-agent'));
    next();
  });
  app.use(function(req, res, next) {
    req.cspNonce = crypto.randomBytes(16).toString('hex');
    next();
  });
  if (!IS_DEV) {
    let csp = {
      directives: {
        defaultSrc: ["'self'"],
        connectSrc: [
          "'self'",
          function(req) {
            const baseUrl = config.deriveBaseUrl(req);
            const r = baseUrl.replace(/^http(s?):\/\//, 'ws$1://');
            console.log([baseUrl, r]);
            return r;
          }
        ],
        imgSrc: ["'self'", 'data:'],
        scriptSrc: [
          "'self'",
          function(req) {
            return `'nonce-${req.cspNonce}'`;
          }
        ],
        formAction: ["'none'"],
        frameAncestors: ["'none'"],
        objectSrc: ["'none'"],
        reportUri: '/__cspreport__'
      }
    };

    app.use(helmet.contentSecurityPolicy(csp));
  }

  app.use(function(req, res, next) {
    res.set('Pragma', 'no-cache');
    res.set(
      'Cache-Control',
      'private, no-cache, no-store, must-revalidate, max-age=0'
    );
    next();
  });
  app.use(function(req, res, next) {
    try {
      // set by the load balancer
      const [country, state] = req.header('X-Client-Geo-Location').split(',');
      req.geo = {
        country,
        state
      };
    } catch (e) {
      req.geo = {};
    }
    next();
  });
  app.use(bodyParser.json());
  app.use(bodyParser.text());
  app.get('/', language, pages.index);
  app.get('/config', function(req, res) {
    res.json(clientConstants);
  });
  app.get('/error', language, pages.blank);
  app.get('/oauth', language, pages.blank);
  app.get('/login', language, pages.index);
  app.get('/app.webmanifest', language, require('./webmanifest'));
  app.get(`/download/:id${ID_REGEX}`, language, pages.download);
  app.get('/unsupported/:reason', language, pages.unsupported);
  app.get(`/api/download/:id${ID_REGEX}`, auth.hmac, require('./download'));
  app.get(
    `/api/download/blob/:id${ID_REGEX}`,
    auth.hmac,
    require('./download')
  );
  app.get(`/api/exists/:id${ID_REGEX}`, require('./exists'));
  app.get(`/api/metadata/:id${ID_REGEX}`, auth.hmac, require('./metadata'));
  app.get('/api/filelist/:id([\\w-]{16})', auth.fxa, filelist.get);
  app.post('/api/filelist/:id([\\w-]{16})', auth.fxa, filelist.post);
  app.post('/api/upload', auth.fxa, require('./upload'));
  app.post(`/api/delete/:id${ID_REGEX}`, auth.owner, require('./delete'));
  app.post(`/api/password/:id${ID_REGEX}`, auth.owner, require('./password'));
  app.post(
    `/api/params/:id${ID_REGEX}`,
    auth.owner,
    auth.fxa,
    require('./params')
  );
  app.post(`/api/info/:id${ID_REGEX}`, auth.owner, require('./info'));
  app.get('/__version__', function(req, res) {
    // eslint-disable-next-line node/no-missing-require
    res.sendFile(require.resolve('../../dist/version.json'));
  });

  app.get('/__lbheartbeat__', function(req, res) {
    res.sendStatus(200);
  });

  app.get('/__heartbeat__', async (req, res) => {
    try {
      await storage.ping();
      res.sendStatus(200);
    } catch (e) {
      res.sendStatus(500);
    }
  });
};
Implemented FxA 2018-08-08 00:40:17 +02:00			`const crypto = require('crypto');`
use text/plain on /api/metrics 2019-02-15 20:59:39 +01:00			`const bodyParser = require('body-parser');`
a few changes to make A/B testing easier 2017-08-24 23:54:02 +02:00			`const helmet = require('helmet');`
implemented amplitude metrics (#1141) 2019-02-12 20:50:06 +01:00			`const uaparser = require('ua-parser-js');`
a few changes to make A/B testing easier 2017-08-24 23:54:02 +02:00			`const storage = require('../storage');`
			`const config = require('../config');`
refactored server 2018-02-06 23:31:18 +01:00			`const auth = require('../middleware/auth');`
			`const language = require('../middleware/language');`
a few changes to make A/B testing easier 2017-08-24 23:54:02 +02:00			`const pages = require('./pages');`
Implemented FxA 2018-08-08 00:40:17 +02:00			`const filelist = require('./filelist');`
added /config endpoint, use fewer globals (#1172) * added /config endpoint, use fewer globals * fixed integration tests 2019-02-26 19:39:50 +01:00			`const clientConstants = require('../clientConstants');`
refactored server 2018-02-06 23:31:18 +01:00
disable CSP when env = development 2017-08-29 20:19:21 +02:00			`const IS_DEV = config.env === 'development';`
increase file id to 8 bytes 2019-03-26 17:32:44 +01:00			`const ID_REGEX = '([0-9a-fA-F]{10,16})';`
a few changes to make A/B testing easier 2017-08-24 23:54:02 +02:00
			`module.exports = function(app) {`
implemented amplitude metrics (#1141) 2019-02-12 20:50:06 +01:00			`app.set('trust proxy', true);`
a few changes to make A/B testing easier 2017-08-24 23:54:02 +02:00			`app.use(helmet());`
			`app.use(`
			`helmet.hsts({`
			`maxAge: 31536000,`
disable CSP when env = development 2017-08-29 20:19:21 +02:00			`force: !IS_DEV`
a few changes to make A/B testing easier 2017-08-24 23:54:02 +02:00			`})`
			`);`
implemented amplitude metrics (#1141) 2019-02-12 20:50:06 +01:00			`app.use(function(req, res, next) {`
			`req.ua = uaparser(req.header('user-agent'));`
			`next();`
			`});`
Implemented FxA 2018-08-08 00:40:17 +02:00			`app.use(function(req, res, next) {`
			`req.cspNonce = crypto.randomBytes(16).toString('hex');`
			`next();`
			`});`
Added multiple download option 2017-11-30 22:41:09 +01:00			`if (!IS_DEV) {`
add configs to handle content-security-policy correctly for custom fxa urls 2020-06-11 15:57:48 +02:00			`let csp = {`
replaced fxa-geodb with load balancer header Co-authored-by: timvisee <tim@visee.me> 2020-07-28 18:31:09 +02:00			`directives: {`
			`defaultSrc: ["'self'"],`
			`connectSrc: [`
			`"'self'",`
Add detect_base_url config This diff adds the detect_base_url config, controlled by the DETECT_BASE_URL env variable. When set to true, the BASE_URL setting is ignored, and the base_url is derived from the request protocol and host header. Test Plan: Started up a local instance in my homelab, running docker node:15 image with a nginx reverse proxy. Configured nginx to use the same backend with multiple hostnames on https. Opened in browser and confirmed og:url meta tag uses correct url. 2021-05-06 06:15:02 +02:00			`function(req) {`
			`const baseUrl = config.deriveBaseUrl(req);`
			`const r = baseUrl.replace(/^http(s?):\/\//, 'ws$1://');`
			`console.log([baseUrl, r]);`
			`return r;`
			`}`
replaced fxa-geodb with load balancer header Co-authored-by: timvisee <tim@visee.me> 2020-07-28 18:31:09 +02:00			`],`
Add detect_base_url config This diff adds the detect_base_url config, controlled by the DETECT_BASE_URL env variable. When set to true, the BASE_URL setting is ignored, and the base_url is derived from the request protocol and host header. Test Plan: Started up a local instance in my homelab, running docker node:15 image with a nginx reverse proxy. Configured nginx to use the same backend with multiple hostnames on https. Opened in browser and confirmed og:url meta tag uses correct url. 2021-05-06 06:15:02 +02:00			`imgSrc: ["'self'", 'data:'],`
replaced fxa-geodb with load balancer header Co-authored-by: timvisee <tim@visee.me> 2020-07-28 18:31:09 +02:00			`scriptSrc: [`
			`"'self'",`
			`function(req) {`
			return `'nonce-${req.cspNonce}'`;
			`}`
			`],`
			`formAction: ["'none'"],`
			`frameAncestors: ["'none'"],`
			`objectSrc: ["'none'"],`
			`reportUri: '/__cspreport__'`
add configs to handle content-security-policy correctly for custom fxa urls 2020-06-11 15:57:48 +02:00			`}`
replaced fxa-geodb with load balancer header Co-authored-by: timvisee <tim@visee.me> 2020-07-28 18:31:09 +02:00			`};`
add configs to handle content-security-policy correctly for custom fxa urls 2020-06-11 15:57:48 +02:00
replaced fxa-geodb with load balancer header Co-authored-by: timvisee <tim@visee.me> 2020-07-28 18:31:09 +02:00			`app.use(helmet.contentSecurityPolicy(csp));`
Added multiple download option 2017-11-30 22:41:09 +01:00			`}`
add configs to handle content-security-policy correctly for custom fxa urls 2020-06-11 15:57:48 +02:00
unsupport MS Edge (for now, sorry) and some http header nits 2017-11-06 22:36:36 +01:00			`app.use(function(req, res, next) {`
			`res.set('Pragma', 'no-cache');`
no-cache harder 2019-09-05 22:32:59 +02:00			`res.set(`
			`'Cache-Control',`
			`'private, no-cache, no-store, must-revalidate, max-age=0'`
			`);`
unsupport MS Edge (for now, sorry) and some http header nits 2017-11-06 22:36:36 +01:00			`next();`
			`});`
replaced fxa-geodb with load balancer header Co-authored-by: timvisee <tim@visee.me> 2020-07-28 18:31:09 +02:00			`app.use(function(req, res, next) {`
			`try {`
			`// set by the load balancer`
			`const [country, state] = req.header('X-Client-Geo-Location').split(',');`
			`req.geo = {`
			`country,`
			`state`
			`};`
			`} catch (e) {`
			`req.geo = {};`
			`}`
			`next();`
			`});`
use text/plain on /api/metrics 2019-02-15 20:59:39 +01:00			`app.use(bodyParser.json());`
			`app.use(bodyParser.text());`
Implemented FxA 2018-08-08 00:40:17 +02:00			`app.get('/', language, pages.index);`
added /config endpoint, use fewer globals (#1172) * added /config endpoint, use fewer globals * fixed integration tests 2019-02-26 19:39:50 +01:00			`app.get('/config', function(req, res) {`
			`res.json(clientConstants);`
			`});`
enabled accounts on Edge 2019-02-25 20:44:44 +01:00			`app.get('/error', language, pages.blank);`
wip 2018-10-17 01:53:33 +02:00			`app.get('/oauth', language, pages.blank);`
stubbed /login page for redirect base login flow 2019-07-23 18:27:34 +02:00			`app.get('/login', language, pages.index);`
added a webmanifest (#1023) 2018-11-20 21:00:32 +01:00			`app.get('/app.webmanifest', language, require('./webmanifest'));`
refactored server 2018-02-06 23:31:18 +01:00			app.get(`/download/:id${ID_REGEX}`, language, pages.download);
			`app.get('/unsupported/:reason', language, pages.unsupported);`
Implemented FxA 2018-08-08 00:40:17 +02:00			app.get(`/api/download/:id${ID_REGEX}`, auth.hmac, require('./download'));
			`app.get(`
			`/api/download/blob/:id${ID_REGEX}`,
			`auth.hmac,`
			`require('./download')`
			`);`
refactored server 2018-02-06 23:31:18 +01:00			app.get(`/api/exists/:id${ID_REGEX}`, require('./exists'));
Implemented FxA 2018-08-08 00:40:17 +02:00			app.get(`/api/metadata/:id${ID_REGEX}`, auth.hmac, require('./metadata'));
added '-' to /api/filelist validation 2019-02-27 04:58:03 +01:00			`app.get('/api/filelist/:id([\\w-]{16})', auth.fxa, filelist.get);`
			`app.post('/api/filelist/:id([\\w-]{16})', auth.fxa, filelist.post);`
Implemented FxA 2018-08-08 00:40:17 +02:00			`app.post('/api/upload', auth.fxa, require('./upload'));`
			app.post(`/api/delete/:id${ID_REGEX}`, auth.owner, require('./delete'));
			app.post(`/api/password/:id${ID_REGEX}`, auth.owner, require('./password'));
added fxa auth to /params 2018-08-31 19:59:26 +02:00			`app.post(`
			`/api/params/:id${ID_REGEX}`,
			`auth.owner,`
			`auth.fxa,`
			`require('./params')`
			`);`
Implemented FxA 2018-08-08 00:40:17 +02:00			app.post(`/api/info/:id${ID_REGEX}`, auth.owner, require('./info'));
a few changes to make A/B testing easier 2017-08-24 23:54:02 +02:00			`app.get('/__version__', function(req, res) {`
updated tailwindcss to 1.0 2019-06-14 20:30:43 +02:00			`// eslint-disable-next-line node/no-missing-require`
a few changes to make A/B testing easier 2017-08-24 23:54:02 +02:00			`res.sendFile(require.resolve('../../dist/version.json'));`
			`});`

			`app.get('/__lbheartbeat__', function(req, res) {`
			`res.sendStatus(200);`
			`});`

fixed __heartbeat__ route 2017-08-25 19:03:49 +02:00			`app.get('/__heartbeat__', async (req, res) => {`
a few changes to make A/B testing easier 2017-08-24 23:54:02 +02:00			`try {`
			`await storage.ping();`
			`res.sendStatus(200);`
			`} catch (e) {`
			`res.sendStatus(500);`
			`}`
			`});`
			`};`