filesafe/lolisafe.js

400 lines
13 KiB
JavaScript
Raw Normal View History

const logger = require('./logger')
// Stray errors and exceptions capturers
process.on('uncaughtException', error => {
logger.error(error, { prefix: 'Uncaught Exception: ' })
})
process.on('unhandledRejection', error => {
logger.error(error, { prefix: 'Unhandled Rejection (Promise): ' })
})
// Libraries
2022-07-25 00:35:26 +00:00
const fs = require('fs')
const helmet = require('helmet')
const HyperExpress = require('hyper-express')
2022-04-15 08:36:50 +00:00
const NodeClam = require('clamscan')
// Check required config files
const configFiles = ['config.js', 'views/_globals.njk']
2022-06-28 04:48:22 +00:00
for (const _file of configFiles) {
try {
2022-07-25 00:35:26 +00:00
fs.accessSync(_file, fs.constants.R_OK)
} catch (error) {
2022-06-28 04:48:22 +00:00
logger.error(`Config file '${_file}' cannot be found or read.`)
logger.error('Please copy the provided sample file and modify it according to your needs.')
process.exit(1)
}
}
// Config files
Updates (very important to read) Client-side CSS & JS files will now be processed with Gulp. Gulp tasks are configured in gulpfile.js file. CSS files will be optimized with postcss-preset-env, which will auto-add vendor prefixes and convert any parts necessary for browsers compatibility. Afterwards they will be minified with cssnano. JS files will be optimized with bublé, likewise for browsers compatibility. Afterwards they will be minified with terser. Unprocessed CSS & JS files will now be located at src directory, while the processed results will be located at dist directory. Due to bublé, the JS files should now be compatible up to IE 11 at the minimum. Previously the safe would not work in IE 11 due to extensive usage of template literals. Due to that as well, JS files in src directory will now extensively use arrow functions for my personal comfort (as they will be converted too). The server will use the processed files at dist directory by default. If you want to rebuild the files by your own, you can run "yarn build". Gulp is a development dependency, so make sure you have installed all development dependencies (e.i. NOT using "yarn install --production"). --- yarn lint -> gulp lint yarn build -> gulp default yarn watch -> gulp watch yarn develop -> env NODE_ENV=development yarn watch --- Fixed not being able to demote staff into normal users. /api/token/verify will no longer respond with 401 HTTP error code, unless an error occurred (which will be 500 HTTP error code). Fixed /nojs route not displaying file's original name when a duplicate is found on the server. Removed is-breeze CSS class name, in favor of Bulma's is-info. Removed custom styling from auth page, in favor of global styling. Removed all usage of style HTML attribute in favor of CSS classes. Renamed js/s/ to js/misc/. Use loading spinners on dashboard's sidebar menus. Disable all other sidebar menus when something is loading. Changed title HTML attribute of disabled control buttons in uploads & users list. Hid checkboxes and WIP controls from users list. Better error messages handling. Especially homepage will now support CF's HTTP error codes. Updated various icons. Also, added fontello config file at public/libs/fontello/config.json. This should let you edit them more easily with fontello. Use Gatsby icon for my blog's link in homepage's footer. A bunch of other improvements here & there.
2019-09-15 06:20:11 +00:00
const config = require('./config')
const versions = require('./src/versions')
// lolisafe
logger.log('Starting lolisafe\u2026')
const safe = new HyperExpress.Server({
trust_proxy: Boolean(config.trustProxy)
})
2022-07-11 23:21:21 +00:00
const errors = require('./controllers/errorsController')
const paths = require('./controllers/pathsController')
2022-06-22 07:23:54 +00:00
paths.initSync()
const utils = require('./controllers/utilsController')
// Middlewares
const ExpressCompat = require('./controllers/middlewares/ExpressCompat')
const NunjucksRenderer = require('./controllers/middlewares/NunjucksRenderer')
const RateLimiter = require('./controllers/middlewares/RateLimiter')
const ServeLiveDirectory = require('./controllers/middlewares/ServeLiveDirectory')
// Handlers
const ServeStatic = require('./controllers/handlers/ServeStatic')
// Routes
const album = require('./routes/album')
const api = require('./routes/api')
const file = require('./routes/file')
const nojs = require('./routes/nojs')
const player = require('./routes/player')
// Express-compat
const expressCompatInstance = new ExpressCompat()
safe.use(expressCompatInstance.middleware)
// Rate limiters
if (Array.isArray(config.rateLimiters)) {
let whitelistedKeys
if (Array.isArray(config.rateLimitersWhitelist)) {
whitelistedKeys = new Set(config.rateLimitersWhitelist)
}
for (const rateLimit of config.rateLimiters) {
// Init RateLimiter using Request.ip as key
const rateLimiterInstance = new RateLimiter('ip', rateLimit.options, whitelistedKeys)
for (const route of rateLimit.routes) {
safe.use(route, rateLimiterInstance.middleware)
}
}
} else if (config.rateLimits) {
logger.error('Config option "rateLimits" is DEPRECATED.')
logger.error('Please consult the provided sample file for the new option "rateLimiters".')
}
// Helmet security headers
if (config.helmet instanceof Object) {
// If an empty object, simply do not use Helmet
if (Object.keys(config.helmet).length) {
safe.use(helmet(config.helmet))
}
} else {
// Fallback to old behavior when the whole helmet option was not configurable from the config file
const defaults = {
contentSecurityPolicy: false,
crossOriginEmbedderPolicy: false,
crossOriginOpenerPolicy: false,
crossOriginResourcePolicy: false,
hsts: false,
originAgentCluster: false
}
if (config.hsts instanceof Object && Object.keys(config.hsts).length) {
defaults.hsts = config.hsts
}
safe.use(helmet(defaults))
}
// Access-Control-Allow-Origin
if (config.accessControlAllowOrigin) {
if (config.accessControlAllowOrigin === true) {
config.accessControlAllowOrigin = '*'
}
safe.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', config.accessControlAllowOrigin)
if (config.accessControlAllowOrigin !== '*') {
res.vary('Origin')
}
next()
})
}
// NunjucksRenderer middleware
const nunjucksRendererInstance = new NunjucksRenderer('views', {
2022-07-25 00:39:35 +00:00
watch: utils.devmode
})
safe.use(nunjucksRendererInstance.middleware)
// Array of routes to apply CDN Cache-Control onto,
// and additionally call Cloudflare API to have their CDN caches purged when lolisafe starts
const cdnRoutes = [...config.pages]
// Defaults to no-op
let setHeadersForStaticAssets = () => {}
Updates (very important to read) Client-side CSS & JS files will now be processed with Gulp. Gulp tasks are configured in gulpfile.js file. CSS files will be optimized with postcss-preset-env, which will auto-add vendor prefixes and convert any parts necessary for browsers compatibility. Afterwards they will be minified with cssnano. JS files will be optimized with bublé, likewise for browsers compatibility. Afterwards they will be minified with terser. Unprocessed CSS & JS files will now be located at src directory, while the processed results will be located at dist directory. Due to bublé, the JS files should now be compatible up to IE 11 at the minimum. Previously the safe would not work in IE 11 due to extensive usage of template literals. Due to that as well, JS files in src directory will now extensively use arrow functions for my personal comfort (as they will be converted too). The server will use the processed files at dist directory by default. If you want to rebuild the files by your own, you can run "yarn build". Gulp is a development dependency, so make sure you have installed all development dependencies (e.i. NOT using "yarn install --production"). --- yarn lint -> gulp lint yarn build -> gulp default yarn watch -> gulp watch yarn develop -> env NODE_ENV=development yarn watch --- Fixed not being able to demote staff into normal users. /api/token/verify will no longer respond with 401 HTTP error code, unless an error occurred (which will be 500 HTTP error code). Fixed /nojs route not displaying file's original name when a duplicate is found on the server. Removed is-breeze CSS class name, in favor of Bulma's is-info. Removed custom styling from auth page, in favor of global styling. Removed all usage of style HTML attribute in favor of CSS classes. Renamed js/s/ to js/misc/. Use loading spinners on dashboard's sidebar menus. Disable all other sidebar menus when something is loading. Changed title HTML attribute of disabled control buttons in uploads & users list. Hid checkboxes and WIP controls from users list. Better error messages handling. Especially homepage will now support CF's HTTP error codes. Updated various icons. Also, added fontello config file at public/libs/fontello/config.json. This should let you edit them more easily with fontello. Use Gatsby icon for my blog's link in homepage's footer. A bunch of other improvements here & there.
2019-09-15 06:20:11 +00:00
// Cache control
2019-01-05 21:09:47 +00:00
if (config.cacheControl) {
const cacheControls = {
// max-age: 6 months
2020-10-12 15:02:29 +00:00
static: 'public, max-age=15778800, immutable',
// s-max-age: 6 months (only cache in CDN)
2020-10-12 15:02:29 +00:00
cdn: 's-max-age=15778800, proxy-revalidate',
// validate cache's validity before using them (soft cache)
validate: 'no-cache',
// do not use cache at all
disable: 'no-store'
}
// By default soft cache everything
safe.use((req, res, next) => {
res.header('Cache-Control', cacheControls.validate)
return next()
2019-01-05 21:09:47 +00:00
})
switch (config.cacheControl) {
case 1:
case true:
// If using CDN, cache most front-end pages in CDN
// Include /api/check since it will only reply with persistent JSON payload
// that will not change, unless config file is edited and lolisafe is then restarted
cdnRoutes.push('api/check')
safe.use((req, res, next) => {
if (req.method === 'GET' || req.method === 'HEAD') {
const page = req.path === '/' ? 'home' : req.path.substring(1)
if (cdnRoutes.includes(page)) {
res.header('Cache-Control', cacheControls.cdn)
}
}
return next()
})
break
}
// Function for static assets.
// This requires the assets to use version in their query string,
// as they will be cached by clients for a very long time.
setHeadersForStaticAssets = (req, res) => {
res.header('Cache-Control', cacheControls.static)
Updates (very important to read) Client-side CSS & JS files will now be processed with Gulp. Gulp tasks are configured in gulpfile.js file. CSS files will be optimized with postcss-preset-env, which will auto-add vendor prefixes and convert any parts necessary for browsers compatibility. Afterwards they will be minified with cssnano. JS files will be optimized with bublé, likewise for browsers compatibility. Afterwards they will be minified with terser. Unprocessed CSS & JS files will now be located at src directory, while the processed results will be located at dist directory. Due to bublé, the JS files should now be compatible up to IE 11 at the minimum. Previously the safe would not work in IE 11 due to extensive usage of template literals. Due to that as well, JS files in src directory will now extensively use arrow functions for my personal comfort (as they will be converted too). The server will use the processed files at dist directory by default. If you want to rebuild the files by your own, you can run "yarn build". Gulp is a development dependency, so make sure you have installed all development dependencies (e.i. NOT using "yarn install --production"). --- yarn lint -> gulp lint yarn build -> gulp default yarn watch -> gulp watch yarn develop -> env NODE_ENV=development yarn watch --- Fixed not being able to demote staff into normal users. /api/token/verify will no longer respond with 401 HTTP error code, unless an error occurred (which will be 500 HTTP error code). Fixed /nojs route not displaying file's original name when a duplicate is found on the server. Removed is-breeze CSS class name, in favor of Bulma's is-info. Removed custom styling from auth page, in favor of global styling. Removed all usage of style HTML attribute in favor of CSS classes. Renamed js/s/ to js/misc/. Use loading spinners on dashboard's sidebar menus. Disable all other sidebar menus when something is loading. Changed title HTML attribute of disabled control buttons in uploads & users list. Hid checkboxes and WIP controls from users list. Better error messages handling. Especially homepage will now support CF's HTTP error codes. Updated various icons. Also, added fontello config file at public/libs/fontello/config.json. This should let you edit them more easily with fontello. Use Gatsby icon for my blog's link in homepage's footer. A bunch of other improvements here & there.
2019-09-15 06:20:11 +00:00
}
// Consider album ZIPs static as well, since they use version in their query string
safe.use('/api/album/zip', (req, res, next) => {
const versionString = parseInt(req.query_parameters.v)
if (versionString > 0) {
res.header('Cache-Control', cacheControls.static)
} else {
res.header('Cache-Control', cacheControls.disable)
}
return next()
})
}
Updates (very important to read) Client-side CSS & JS files will now be processed with Gulp. Gulp tasks are configured in gulpfile.js file. CSS files will be optimized with postcss-preset-env, which will auto-add vendor prefixes and convert any parts necessary for browsers compatibility. Afterwards they will be minified with cssnano. JS files will be optimized with bublé, likewise for browsers compatibility. Afterwards they will be minified with terser. Unprocessed CSS & JS files will now be located at src directory, while the processed results will be located at dist directory. Due to bublé, the JS files should now be compatible up to IE 11 at the minimum. Previously the safe would not work in IE 11 due to extensive usage of template literals. Due to that as well, JS files in src directory will now extensively use arrow functions for my personal comfort (as they will be converted too). The server will use the processed files at dist directory by default. If you want to rebuild the files by your own, you can run "yarn build". Gulp is a development dependency, so make sure you have installed all development dependencies (e.i. NOT using "yarn install --production"). --- yarn lint -> gulp lint yarn build -> gulp default yarn watch -> gulp watch yarn develop -> env NODE_ENV=development yarn watch --- Fixed not being able to demote staff into normal users. /api/token/verify will no longer respond with 401 HTTP error code, unless an error occurred (which will be 500 HTTP error code). Fixed /nojs route not displaying file's original name when a duplicate is found on the server. Removed is-breeze CSS class name, in favor of Bulma's is-info. Removed custom styling from auth page, in favor of global styling. Removed all usage of style HTML attribute in favor of CSS classes. Renamed js/s/ to js/misc/. Use loading spinners on dashboard's sidebar menus. Disable all other sidebar menus when something is loading. Changed title HTML attribute of disabled control buttons in uploads & users list. Hid checkboxes and WIP controls from users list. Better error messages handling. Especially homepage will now support CF's HTTP error codes. Updated various icons. Also, added fontello config file at public/libs/fontello/config.json. This should let you edit them more easily with fontello. Use Gatsby icon for my blog's link in homepage's footer. A bunch of other improvements here & there.
2019-09-15 06:20:11 +00:00
2022-07-21 18:09:34 +00:00
// Init LiveDirectory middlewares for static assets
// Static assets in /public directory
const serveLiveDirectoryPublicInstance = new ServeLiveDirectory({ path: paths.public }, {
setHeaders: setHeadersForStaticAssets
})
safe.use(serveLiveDirectoryPublicInstance.middleware)
2022-07-21 18:09:34 +00:00
// Static assets in /dist directory
const serveLiveDirectoryDistInstance = new ServeLiveDirectory({ path: paths.dist }, {
setHeaders: setHeadersForStaticAssets
})
safe.use(serveLiveDirectoryDistInstance.middleware)
Updates (very important to read) Client-side CSS & JS files will now be processed with Gulp. Gulp tasks are configured in gulpfile.js file. CSS files will be optimized with postcss-preset-env, which will auto-add vendor prefixes and convert any parts necessary for browsers compatibility. Afterwards they will be minified with cssnano. JS files will be optimized with bublé, likewise for browsers compatibility. Afterwards they will be minified with terser. Unprocessed CSS & JS files will now be located at src directory, while the processed results will be located at dist directory. Due to bublé, the JS files should now be compatible up to IE 11 at the minimum. Previously the safe would not work in IE 11 due to extensive usage of template literals. Due to that as well, JS files in src directory will now extensively use arrow functions for my personal comfort (as they will be converted too). The server will use the processed files at dist directory by default. If you want to rebuild the files by your own, you can run "yarn build". Gulp is a development dependency, so make sure you have installed all development dependencies (e.i. NOT using "yarn install --production"). --- yarn lint -> gulp lint yarn build -> gulp default yarn watch -> gulp watch yarn develop -> env NODE_ENV=development yarn watch --- Fixed not being able to demote staff into normal users. /api/token/verify will no longer respond with 401 HTTP error code, unless an error occurred (which will be 500 HTTP error code). Fixed /nojs route not displaying file's original name when a duplicate is found on the server. Removed is-breeze CSS class name, in favor of Bulma's is-info. Removed custom styling from auth page, in favor of global styling. Removed all usage of style HTML attribute in favor of CSS classes. Renamed js/s/ to js/misc/. Use loading spinners on dashboard's sidebar menus. Disable all other sidebar menus when something is loading. Changed title HTML attribute of disabled control buttons in uploads & users list. Hid checkboxes and WIP controls from users list. Better error messages handling. Especially homepage will now support CF's HTTP error codes. Updated various icons. Also, added fontello config file at public/libs/fontello/config.json. This should let you edit them more easily with fontello. Use Gatsby icon for my blog's link in homepage's footer. A bunch of other improvements here & there.
2019-09-15 06:20:11 +00:00
// Routes
safe.use(album)
safe.use(file)
safe.use(nojs)
safe.use(player)
safe.use('/api', api)
2017-01-14 06:01:23 +00:00
;(async () => {
try {
// Init database
await require('./controllers/utils/initDatabase')(utils.db)
2022-06-22 07:23:54 +00:00
// Purge any leftover in chunks directory, do not wait
paths.purgeChunks()
if (!Array.isArray(config.pages) || !config.pages.length) {
logger.error('Config file does not have any frontend pages enabled')
process.exit(1)
}
2018-12-20 12:25:41 +00:00
// Re-map version strings if cache control is enabled (safe.fiery.me)
utils.versionStrings = {}
if (config.cacheControl) {
for (const type in versions) {
utils.versionStrings[type] = `?_=${versions[type]}`
}
if (versions['1']) {
utils.clientVersion = versions['1']
}
}
const serveLiveDirectoryCustomPagesInstance = new ServeLiveDirectory({
path: paths.customPages,
keep: ['.html']
})
// Cookie Policy
if (config.cookiePolicy) {
config.pages.push('cookiepolicy')
}
// Front-end pages middleware
// HTML files in customPages directory can also override any built-in pages,
// if they have matching names with the routes (e.g. home.html can override the homepage)
// Aside from that, due to using LiveDirectory,
// custom pages can be added/removed on the fly while lolisafe is running
safe.use((req, res, next) => {
if (req.method === 'GET' || req.method === 'HEAD') {
const page = req.path === '/' ? 'home' : req.path.substring(1)
const customPage = serveLiveDirectoryCustomPagesInstance.instance.get(`${page}.html`)
if (customPage) {
return serveLiveDirectoryCustomPagesInstance.handler(req, res, customPage)
} else if (config.pages.includes(page)) {
// These rendered pages are persistently cached during production
return res.render(page, {
config, utils, versions: utils.versionStrings
2022-07-25 00:39:35 +00:00
}, !utils.devmode)
}
}
return next()
})
// Init ServerStatic last if serving uploaded files with node
if (config.serveFilesWithNode) {
const serveStaticInstance = new ServeStatic(paths.uploads, {
contentDispositionOptions: config.contentDispositionOptions,
ignorePatterns: [
'/chunks/'
],
overrideContentTypes: config.overrideContentTypes,
setContentDisposition: config.setContentDisposition
})
safe.get('/*', serveStaticInstance.handler)
safe.head('/*', serveStaticInstance.handler)
utils.contentDispositionStore = serveStaticInstance.contentDispositionStore
}
2022-07-11 23:21:21 +00:00
// Web server error handlers (must always be set after all routes/middlewares)
safe.set_not_found_handler(errors.handleNotFound)
safe.set_error_handler(errors.handleError)
// Git hash
if (config.showGitHash) {
utils.gitHash = await new Promise((resolve, reject) => {
require('child_process').exec('git rev-parse HEAD', (error, stdout) => {
if (error) return reject(error)
resolve(stdout.replace(/\n$/, ''))
})
})
logger.log(`Git commit: ${utils.gitHash}`)
}
// ClamAV scanner
if (config.uploads.scan && config.uploads.scan.enabled) {
if (!config.uploads.scan.clamOptions) {
logger.error('Missing object config.uploads.scan.clamOptions (check config.sample.js)')
process.exit(1)
}
utils.scan.instance = await new NodeClam().init(config.uploads.scan.clamOptions)
utils.scan.version = await utils.scan.instance.getVersion().then(s => s.trim())
logger.log(`Connection established with ${utils.scan.version}`)
}
// Binds Express to port
await safe.listen(utils.conf.port)
2022-06-22 06:27:38 +00:00
logger.log(`lolisafe started on port ${utils.conf.port}`)
// Cache control (safe.fiery.me)
// Purge Cloudflare cache
if (config.cacheControl && config.cacheControl !== 2) {
if (config.cloudflare.purgeCache) {
logger.log('Cache control enabled, purging Cloudflare\'s cache...')
const results = await utils.purgeCloudflareCache(cdnRoutes)
let errored = false
let succeeded = 0
for (const result of results) {
if (result.errors.length) {
if (!errored) errored = true
result.errors.forEach(error => logger.log(`[CF]: ${error}`))
continue
}
succeeded += result.files.length
}
if (!errored) {
logger.log(`Successfully purged ${succeeded} cache`)
}
} else {
logger.log('Cache control enabled without Cloudflare\'s cache purging')
}
}
// Initiate internal periodical check ups of temporary uploads if required
if (utils.retentions && utils.retentions.enabled && config.uploads.temporaryUploadsInterval > 0) {
let temporaryUploadsInProgress = false
const temporaryUploadCheck = async () => {
if (temporaryUploadsInProgress) return
temporaryUploadsInProgress = true
try {
2022-07-25 00:39:35 +00:00
const result = await utils.bulkDeleteExpired(false, utils.devmode)
if (result.expired.length || result.failed.length) {
2022-07-25 00:39:35 +00:00
if (utils.devmode) {
2022-06-28 04:48:22 +00:00
let logMessage = `Expired uploads (${result.expired.length}): ${result.expired.map(_file => _file.name).join(', ')}`
if (result.failed.length) {
2022-06-28 04:48:22 +00:00
logMessage += `\nErrored (${result.failed.length}): ${result.failed.map(_file => _file.name).join(', ')}`
}
logger.debug(logMessage)
} else {
let logMessage = `Expired uploads: ${result.expired.length} deleted`
if (result.failed.length) {
logMessage += `, ${result.failed.length} errored`
}
logger.log(logMessage)
}
}
} catch (error) {
// Simply print-out errors, then continue
logger.error(error)
}
temporaryUploadsInProgress = false
}
temporaryUploadCheck()
setInterval(temporaryUploadCheck, config.uploads.temporaryUploadsInterval)
}
2019-01-01 05:34:16 +00:00
// NODE_ENV=development yarn start
2022-07-25 00:39:35 +00:00
if (utils.devmode) {
const { inspect } = require('util')
// Add readline interface to allow evaluating arbitrary JavaScript from console
require('readline').createInterface({
input: process.stdin
}).on('line', line => {
try {
if (line === 'rs') return
if (line === '.exit') return process.exit(0)
// eslint-disable-next-line no-eval
const evaled = eval(line)
process.stdout.write(`${typeof evaled === 'string' ? evaled : inspect(evaled)}\n`)
} catch (error) {
process.stderr.write(`${error.stack}\n`)
}
}).on('SIGINT', () => {
process.exit(0)
})
logger.log(utils.stripIndents(`!!! DEVELOPMENT MODE !!!
[=] Nunjucks will auto rebuild (not live reload)
[=] HTTP rate limits disabled
[=] Readline interface enabled (eval arbitrary JS input)`))
2018-10-09 19:52:41 +00:00
}
} catch (error) {
logger.error(error)
process.exit(1)
}
})()