sync/src/web/webserver.js

var path = require("path");
var fs = require("fs");
var net = require("net");
var express = require("express");
var webroot = path.join(__dirname, "..", "www");
var sendJade = require("./jade").sendJade;
var Server = require("../server");
var $util = require("../utilities");
var Logger = require("../logger");
var Config = require("../config");
var db = require("../database");
var bodyParser = require("body-parser");
var cookieParser = require("cookie-parser");
var serveStatic = require("serve-static");
var morgan = require("morgan");
var session = require("../session");
var csrf = require("./csrf");
var XSS = require("../xss");
import * as HTTPStatus from './httpstatus';
import { CSRFError } from '../errors';

const LOG_FORMAT = ':real-address - :remote-user [:date] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"';
morgan.token('real-address', function (req) { return req._ip; });

/**
 * Extracts an IP address from a request.  Uses X-Forwarded-For if the IP is localhost
 */
function ipForRequest(req) {
    var ip = req.ip;
    if (ip === "127.0.0.1" || ip === "::1") {
        var xforward = req.header("x-forwarded-for");
        if (typeof xforward !== "string") {
            xforward = [];
        } else {
            xforward = xforward.split(",");
        }

        for (var i = 0; i < xforward.length; i++) {
            if (net.isIP(xforward[i])) {
                return xforward[i];
            }
        }
        return ip;
    }
    return ip;
}

/**
 * Redirects a request to HTTPS if the server supports it
 */
function redirectHttps(req, res) {
    if (!req.secure && Config.get("https.enabled") && Config.get("https.redirect")) {
        var ssldomain = Config.get("https.full-address");
        if (ssldomain.indexOf(req.hostname) < 0) {
            return false;
        }

        res.redirect(ssldomain + req.path);
        return true;
    }
    return false;
}

/**
 * Redirects a request to HTTP if the server supports it
 */
function redirectHttp(req, res) {
    if (req.secure) {
        var domain = Config.get("http.full-address");
        res.redirect(domain + req.path);
        return true;
    }
    return false;
}

/**
 * Legacy socket.io configuration endpoint.  This is being migrated to
 * /socketconfig/<channel name>.json (see ./routes/socketconfig.js)
 */
function handleSocketConfig(req, res) {
    if (/\.json$/.test(req.path)) {
        res.json(Config.get("sioconfigjson"));
        return;
    }

    res.type("application/javascript");

    var sioconfig = Config.get("sioconfig");
    var iourl;
    var ip = ipForRequest(req);
    var ipv6 = false;

    if (net.isIPv6(ip)) {
        iourl = Config.get("io.ipv6-default");
        ipv6 = true;
    }

    if (!iourl) {
        iourl = Config.get("io.ipv4-default");
    }

    sioconfig += "var IO_URL='" + iourl + "';";
    sioconfig += "var IO_V6=" + ipv6 + ";";
    res.send(sioconfig);
}

function handleUserAgreement(req, res) {
    sendJade(res, "tos", {
        domain: Config.get("http.domain")
    });
}

function handleContactPage(req, res) {
    // Make a copy to prevent messing with the original
    var contacts = Config.get("contacts").map(function (c) {
        return {
            name: c.name,
            email: c.email,
            title: c.title
        };
    });

    // Rudimentary hiding of email addresses to prevent spambots
    contacts.forEach(function (c) {
        c.emkey = $util.randomSalt(16)
        var email = new Array(c.email.length);
        for (var i = 0; i < c.email.length; i++) {
          email[i] = String.fromCharCode(
            c.email.charCodeAt(i) ^ c.emkey.charCodeAt(i % c.emkey.length)
          );
        }
        c.email = escape(email.join(""));
        c.emkey = escape(c.emkey);
    });

    sendJade(res, "contact", {
        contacts: contacts
    });
}

module.exports = {
    /**
     * Initializes webserver callbacks
     */
    init: function (app, ioConfig, clusterClient, channelIndex) {
        app.use(function (req, res, next) {
            req._ip = ipForRequest(req);
            next();
        });
        app.use(bodyParser.urlencoded({
            extended: false,
            limit: '1kb' // No POST data should ever exceed this size under normal usage
        }));
        if (Config.get("http.cookie-secret") === "change-me") {
            Logger.errlog.log("YOU SHOULD CHANGE THE VALUE OF cookie-secret IN config.yaml");
        }
        app.use(cookieParser(Config.get("http.cookie-secret")));
        app.use(csrf.init(Config.get("http.root-domain-dotted")));
        app.use(morgan(LOG_FORMAT, {
            stream: require("fs").createWriteStream(path.join(__dirname, "..", "..",
            "http.log"), {
                flags: "a",
                encoding: "utf-8"
            })
        }));

        app.use(function (req, res, next) {
            if (req.path.match(/^\/(css|js|img|boop).*$/)) {
                return next();
            }

            if (!req.signedCookies || !req.signedCookies.auth) {
                return next();
            }

            session.verifySession(req.signedCookies.auth, function (err, account) {
                if (!err) {
                    req.user = res.user = account;
                }

                next();
            });
        });

        if (Config.get("http.gzip")) {
            app.use(require("compression")({ threshold: Config.get("http.gzip-threshold") }));
            Logger.syslog.log("Enabled gzip compression");
        }

        if (Config.get("http.minify")) {
            var cache = path.join(__dirname, "..", "..", "www", "cache")
            if (!fs.existsSync(cache)) {
                fs.mkdirSync(cache);
            }
            app.use(require("express-minify")({
                cache: cache
            }));
            Logger.syslog.log("Enabled express-minify for CSS and JS");
        }

        require("./routes/channel")(app, ioConfig);
        require("./routes/index")(app, channelIndex);
        app.get("/sioconfig(.json)?", handleSocketConfig);
        require("./routes/socketconfig")(app, clusterClient);
        app.get("/useragreement", handleUserAgreement);
        app.get("/contact", handleContactPage);
        require("./auth").init(app);
        require("./account").init(app);
        require("./acp").init(app);
        require("../google2vtt").attach(app);
        app.use(serveStatic(path.join(__dirname, "..", "..", "www"), {
            maxAge: Config.get("http.max-age") || Config.get("http.cache-ttl")
        }));
        app.use(function (err, req, res, next) {
            if (err) {
                if (err instanceof CSRFError) {
                    res.status(HTTPStatus.FORBIDDEN);
                    return sendJade(res, 'csrferror', { path: req.path });
                }

                let { message, status } = err;
                if (!status) {
                    status = HTTPStatus.INTERNAL_SERVER_ERROR;
                }
                if (!message) {
                    message = 'An unknown error occurred.';
                }

                if (Math.floor(status / 100) === 5) {
                    Logger.errlog.log(err.stack);
                }

                return res.status(status).send(message);
            } else {
                next();
            }
        });
    },

    ipForRequest: ipForRequest,

    redirectHttps: redirectHttps,

    redirectHttp: redirectHttp
};
Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`var path = require("path");`
Add caching to minify 2014-02-24 18:32:54 -06:00			`var fs = require("fs");`
Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`var net = require("net");`
			`var express = require("express");`
			`var webroot = path.join(__dirname, "..", "www");`
			`var sendJade = require("./jade").sendJade;`
			`var Server = require("../server");`
			`var $util = require("../utilities");`
			`var Logger = require("../logger");`
			`var Config = require("../config");`
Start working on ACP 2014-01-28 00:05:14 -06:00			`var db = require("../database");`
Update express dependency 2014-08-19 00:07:24 -05:00			`var bodyParser = require("body-parser");`
			`var cookieParser = require("cookie-parser");`
package: build with babel for ES2015 support * Rename lib/ -> src/ * Add `postinstall` npm target for compiling src files to lib * Add `build-watch` npm target for development with babel --watch * Add `lib/` to .gitignore * Add `source-map-support` module for babel-generated sourcemaps 2015-09-20 22:06:53 -07:00			`var serveStatic = require("serve-static");`
Replace own static and log functions with serve-static and morgan 2014-08-19 00:21:32 -05:00			`var morgan = require("morgan");`
Change login sessions 2015-02-15 21:56:00 -06:00			`var session = require("../session");`
Add csrf prevention 2015-02-22 18:15:22 -06:00			`var csrf = require("./csrf");`
Sanitized output of channel name in invalid channel 2015-04-12 03:29:23 +01:00			`var XSS = require("../xss");`
Web refactoring 2015-10-26 22:56:53 -07:00			`import * as HTTPStatus from './httpstatus';`
			`import { CSRFError } from '../errors';`
Start merging cytube3 account management 2013-12-12 14:48:23 -06:00
Ok this should actually fix it 2014-09-11 19:00:27 -05:00			`const LOG_FORMAT = ':real-address - :remote-user [:date] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"';`
			`morgan.token('real-address', function (req) { return req._ip; });`

Start merging cytube3 account management 2013-12-12 14:48:23 -06:00			`/**`
			`* Extracts an IP address from a request. Uses X-Forwarded-For if the IP is localhost`
			`*/`
			`function ipForRequest(req) {`
			`var ip = req.ip;`
Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`if (ip === "127.0.0.1" \|\| ip === "::1") {`
			`var xforward = req.header("x-forwarded-for");`
Fix incorrect parsing of x-forwarded-for in webserver.ipForRequest 2014-04-17 00:03:32 -05:00			`if (typeof xforward !== "string") {`
			`xforward = [];`
Start merging cytube3 account management 2013-12-12 14:48:23 -06:00			`} else {`
Fix incorrect parsing of x-forwarded-for in webserver.ipForRequest 2014-04-17 00:03:32 -05:00			`xforward = xforward.split(",");`
Start merging cytube3 account management 2013-12-12 14:48:23 -06:00			`}`
Fix incorrect parsing of x-forwarded-for in webserver.ipForRequest 2014-04-17 00:03:32 -05:00
			`for (var i = 0; i < xforward.length; i++) {`
			`if (net.isIP(xforward[i])) {`
			`return xforward[i];`
			`}`
			`}`
			`return ip;`
Start merging cytube3 account management 2013-12-12 14:48:23 -06:00			`}`
			`return ip;`
			`}`

Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`/**`
			`* Redirects a request to HTTPS if the server supports it`
			`*/`
			`function redirectHttps(req, res) {`
Minor updates to SSL behavior 2015-03-29 11:34:27 -05:00			`if (!req.secure && Config.get("https.enabled") && Config.get("https.redirect")) {`
Add /reload console command, change some internal config 2014-02-26 14:28:24 -06:00			`var ssldomain = Config.get("https.full-address");`
Change login sessions 2015-02-15 21:56:00 -06:00			`if (ssldomain.indexOf(req.hostname) < 0) {`
			`return false;`
			`}`

Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`res.redirect(ssldomain + req.path);`
			`return true;`
			`}`
			`return false;`
			`}`

			`/**`
			`* Redirects a request to HTTP if the server supports it`
			`*/`
			`function redirectHttp(req, res) {`
			`if (req.secure) {`
Add /reload console command, change some internal config 2014-02-26 14:28:24 -06:00			`var domain = Config.get("http.full-address");`
Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`res.redirect(domain + req.path);`
			`return true;`
			`}`
			`return false;`
Start merging cytube3 account management 2013-12-12 14:48:23 -06:00			`}`

Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`/**`
Initial sioconfig migration work 2015-10-19 22:32:00 -07:00			`* Legacy socket.io configuration endpoint. This is being migrated to`
			`* /socketconfig/<channel name>.json (see ./routes/socketconfig.js)`
Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`*/`
			`function handleSocketConfig(req, res) {`
Add /sioconfig.json 2015-09-30 18:36:50 -07:00			`if (/\.json$/.test(req.path)) {`
			`res.json(Config.get("sioconfigjson"));`
			`return;`
			`}`

Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`res.type("application/javascript");`

Merge refactoring into 3.0 2014-05-20 19:30:14 -07:00			`var sioconfig = Config.get("sioconfig");`
			`var iourl;`
			`var ip = ipForRequest(req);`
Fix a few issues 2014-06-12 20:29:12 -07:00			`var ipv6 = false;`
Merge refactoring into 3.0 2014-05-20 19:30:14 -07:00
			`if (net.isIPv6(ip)) {`
			`iourl = Config.get("io.ipv6-default");`
Fix a few issues 2014-06-12 20:29:12 -07:00			`ipv6 = true;`
Merge refactoring into 3.0 2014-05-20 19:30:14 -07:00			`}`

			`if (!iourl) {`
			`iourl = Config.get("io.ipv4-default");`
			`}`
Change login sessions 2015-02-15 21:56:00 -06:00
Merge refactoring into 3.0 2014-05-20 19:30:14 -07:00			`sioconfig += "var IO_URL='" + iourl + "';";`
Fix a few issues 2014-06-12 20:29:12 -07:00			`sioconfig += "var IO_V6=" + ipv6 + ";";`
Merge refactoring into 3.0 2014-05-20 19:30:14 -07:00			`res.send(sioconfig);`
Add user agreement 2014-02-13 00:12:17 -06:00			`}`

			`function handleUserAgreement(req, res) {`
			`sendJade(res, "tos", {`
			`domain: Config.get("http.domain")`
			`});`
			`}`
Work on SIO and SSL 2014-01-22 21:12:43 -06:00
Add contact page 2014-02-13 18:15:22 -06:00			`function handleContactPage(req, res) {`
			`// Make a copy to prevent messing with the original`
			`var contacts = Config.get("contacts").map(function (c) {`
			`return {`
			`name: c.name,`
			`email: c.email,`
			`title: c.title`
			`};`
			`});`

			`// Rudimentary hiding of email addresses to prevent spambots`
			`contacts.forEach(function (c) {`
			`c.emkey = $util.randomSalt(16)`
			`var email = new Array(c.email.length);`
			`for (var i = 0; i < c.email.length; i++) {`
			`email[i] = String.fromCharCode(`
			`c.email.charCodeAt(i) ^ c.emkey.charCodeAt(i % c.emkey.length)`
			`);`
			`}`
			`c.email = escape(email.join(""));`
			`c.emkey = escape(c.emkey);`
			`});`

			`sendJade(res, "contact", {`
			`contacts: contacts`
			`});`
			`}`

Start merging cytube3 account management 2013-12-12 14:48:23 -06:00			`module.exports = {`
			`/**`
			`* Initializes webserver callbacks`
			`*/`
Web refactoring 2015-10-26 22:56:53 -07:00			`init: function (app, ioConfig, clusterClient, channelIndex) {`
Fix IP address race condition for logging 2014-09-11 18:56:33 -05:00			`app.use(function (req, res, next) {`
Ok this should actually fix it 2014-09-11 19:00:27 -05:00			`req._ip = ipForRequest(req);`
Fix IP address race condition for logging 2014-09-11 18:56:33 -05:00			`next();`
			`});`
Don't log HTTP 413, just send it to the client and be done 2014-12-12 17:35:49 -06:00			`app.use(bodyParser.urlencoded({`
			`extended: false,`
			`limit: '1kb' // No POST data should ever exceed this size under normal usage`
			`}));`
Change login sessions 2015-02-15 21:56:00 -06:00			`if (Config.get("http.cookie-secret") === "change-me") {`
			`Logger.errlog.log("YOU SHOULD CHANGE THE VALUE OF cookie-secret IN config.yaml");`
			`}`
			`app.use(cookieParser(Config.get("http.cookie-secret")));`
Fix 2015-02-24 10:48:51 -06:00			`app.use(csrf.init(Config.get("http.root-domain-dotted")));`
Ok this should actually fix it 2014-09-11 19:00:27 -05:00			`app.use(morgan(LOG_FORMAT, {`
Fix caching and add gzip 2014-11-16 21:06:10 -06:00			`stream: require("fs").createWriteStream(path.join(__dirname, "..", "..",`
Replace own static and log functions with serve-static and morgan 2014-08-19 00:21:32 -05:00			`"http.log"), {`
			`flags: "a",`
			`encoding: "utf-8"`
			`})`
			`}));`
Add configuration option to use express-minify for CSS and JS 2014-02-04 11:32:52 -06:00
Change login sessions 2015-02-15 21:56:00 -06:00			`app.use(function (req, res, next) {`
			`if (req.path.match(/^\/(css\|js\|img\|boop).*$/)) {`
			`return next();`
			`}`

			`if (!req.signedCookies \|\| !req.signedCookies.auth) {`
			`return next();`
			`}`

			`session.verifySession(req.signedCookies.auth, function (err, account) {`
			`if (!err) {`
			`req.user = res.user = account;`
			`}`

			`next();`
			`});`
			`});`

Fix caching and add gzip 2014-11-16 21:06:10 -06:00			`if (Config.get("http.gzip")) {`
			`app.use(require("compression")({ threshold: Config.get("http.gzip-threshold") }));`
			`Logger.syslog.log("Enabled gzip compression");`
			`}`

Add configuration option to use express-minify for CSS and JS 2014-02-04 11:32:52 -06:00			`if (Config.get("http.minify")) {`
Add caching to minify 2014-02-24 18:32:54 -06:00			`var cache = path.join(__dirname, "..", "..", "www", "cache")`
			`if (!fs.existsSync(cache)) {`
			`fs.mkdirSync(cache);`
			`}`
			`app.use(require("express-minify")({`
			`cache: cache`
			`}));`
Add configuration option to use express-minify for CSS and JS 2014-02-04 11:32:52 -06:00			`Logger.syslog.log("Enabled express-minify for CSS and JS");`
			`}`
Replace own static and log functions with serve-static and morgan 2014-08-19 00:21:32 -05:00
Web refactoring 2015-10-26 22:56:53 -07:00			`require("./routes/channel")(app, ioConfig);`
			`require("./routes/index")(app, channelIndex);`
Add /sioconfig.json 2015-09-30 18:36:50 -07:00			`app.get("/sioconfig(.json)?", handleSocketConfig);`
Web refactoring 2015-10-26 22:56:53 -07:00			`require("./routes/socketconfig")(app, clusterClient);`
Add user agreement 2014-02-13 00:12:17 -06:00			`app.get("/useragreement", handleUserAgreement);`
Add contact page 2014-02-13 18:15:22 -06:00			`app.get("/contact", handleContactPage);`
Work on ACP 2014-01-28 20:04:25 -06:00			`require("./auth").init(app);`
			`require("./account").init(app);`
			`require("./acp").init(app);`
Work on fetching/converting google drive subtitles 2015-07-22 21:23:50 -07:00			`require("../google2vtt").attach(app);`
package: build with babel for ES2015 support * Rename lib/ -> src/ * Add `postinstall` npm target for compiling src files to lib * Add `build-watch` npm target for development with babel --watch * Add `lib/` to .gitignore * Add `source-map-support` module for babel-generated sourcemaps 2015-09-20 22:06:53 -07:00			`app.use(serveStatic(path.join(__dirname, "..", "..", "www"), {`
Fix caching and add gzip 2014-11-16 21:06:10 -06:00			`maxAge: Config.get("http.max-age") \|\| Config.get("http.cache-ttl")`
			`}));`
Hopefully prevent more webserver crashes 2014-02-28 09:04:41 -06:00			`app.use(function (err, req, res, next) {`
			`if (err) {`
Web refactoring 2015-10-26 22:56:53 -07:00			`if (err instanceof CSRFError) {`
			`res.status(HTTPStatus.FORBIDDEN);`
			`return sendJade(res, 'csrferror', { path: req.path });`
			`}`

			`let { message, status } = err;`
			`if (!status) {`
			`status = HTTPStatus.INTERNAL_SERVER_ERROR;`
			`}`
			`if (!message) {`
			`message = 'An unknown error occurred.';`
Prevent invalid URI escapes from logging errors 2014-08-07 19:25:34 -07:00			`}`
Web refactoring 2015-10-26 22:56:53 -07:00
			`if (Math.floor(status / 100) === 5) {`
			`Logger.errlog.log(err.stack);`
			`}`

			`return res.status(status).send(message);`
Hopefully prevent more webserver crashes 2014-02-28 09:04:41 -06:00			`} else {`
			`next();`
			`}`
			`});`
Start merging cytube3 account management 2013-12-12 14:48:23 -06:00			`},`

Work on SIO and SSL 2014-01-22 21:12:43 -06:00			`ipForRequest: ipForRequest,`

			`redirectHttps: redirectHttps,`

Change login sessions 2015-02-15 21:56:00 -06:00			`redirectHttp: redirectHttp`
Start merging cytube3 account management 2013-12-12 14:48:23 -06:00			`};`