|
|
|
|
/*
|
|
|
|
|
globals require console
|
|
|
|
|
*/
|
|
|
|
|
var Express = require('express');
|
|
|
|
|
var Http = require('http');
|
|
|
|
|
var Fs = require('fs');
|
|
|
|
|
var Package = require('./package.json');
|
|
|
|
|
var Path = require("path");
|
|
|
|
|
var nThen = require("nthen");
|
|
|
|
|
var Util = require("./lib/common-util");
|
|
|
|
|
var Default = require("./lib/defaults");
|
|
|
|
|
var Keys = require("./lib/keys");
|
|
|
|
|
|
|
|
|
|
var config = require("./lib/load-config");
|
|
|
|
|
var Env = require("./lib/env").create(config);
|
|
|
|
|
|
|
|
|
|
var app = Express();
|
|
|
|
|
|
|
|
|
|
var canonicalizeOrigin = function (s) {
|
|
|
|
|
return (s || '').trim().replace(/\/+$/, '');
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
(function () {
|
|
|
|
|
// you absolutely must provide an 'httpUnsafeOrigin'
|
|
|
|
|
if (typeof(config.httpUnsafeOrigin) !== 'string') {
|
|
|
|
|
throw new Error("No 'httpUnsafeOrigin' provided");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
config.httpUnsafeOrigin = canonicalizeOrigin(config.httpUnsafeOrigin);
|
|
|
|
|
if (typeof(config.httpSafeOrigin) === 'string') {
|
|
|
|
|
config.httpSafeOrigin = canonicalizeOrigin(config.httpSafeOrigin);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// fall back to listening on a local address
|
|
|
|
|
// if httpAddress is not a string
|
|
|
|
|
if (typeof(config.httpAddress) !== 'string') {
|
|
|
|
|
config.httpAddress = '127.0.0.1';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// listen on port 3000 if a valid port number was not provided
|
|
|
|
|
if (typeof(config.httpPort) !== 'number' || config.httpPort > 65535) {
|
|
|
|
|
config.httpPort = 3000;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (typeof(config.httpSafeOrigin) !== 'string') {
|
|
|
|
|
Env.NO_SANDBOX = true;
|
|
|
|
|
if (typeof(config.httpSafePort) !== 'number') {
|
|
|
|
|
config.httpSafePort = config.httpPort + 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (Env.DEV_MODE) { return; }
|
|
|
|
|
console.log(`
|
|
|
|
|
m m mm mmmmm mm m mmmmm mm m mmm m
|
|
|
|
|
# # # ## # "# #"m # # #"m # m" " #
|
|
|
|
|
" #"# # # # #mmmm" # #m # # # #m # # mm #
|
|
|
|
|
## ##" #mm# # "m # # # # # # # # #
|
|
|
|
|
# # # # # " # ## mm#mm # ## "mmm" #
|
|
|
|
|
`);
|
|
|
|
|
|
|
|
|
|
console.log("\nNo 'httpSafeOrigin' provided.");
|
|
|
|
|
console.log("Your configuration probably isn't taking advantage of all of CryptPad's security features!");
|
|
|
|
|
console.log("This is acceptable for development, otherwise your users may be at risk.\n");
|
|
|
|
|
|
|
|
|
|
console.log("Serving sandboxed content via port %s.\nThis is probably not what you want for a production instance!\n", config.httpSafePort);
|
|
|
|
|
}
|
|
|
|
|
}());
|
|
|
|
|
|
|
|
|
|
var applyHeaderMap = function (res, map) {
|
|
|
|
|
for (let header in map) { res.setHeader(header, map[header]); }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
var setHeaders = (function () {
|
|
|
|
|
// load the default http headers unless the admin has provided their own via the config file
|
|
|
|
|
var headers;
|
|
|
|
|
|
|
|
|
|
var custom = config.httpHeaders;
|
|
|
|
|
// if the admin provided valid http headers then use them
|
|
|
|
|
if (custom && typeof(custom) === 'object' && !Array.isArray(custom)) {
|
|
|
|
|
headers = Util.clone(custom);
|
|
|
|
|
} else {
|
|
|
|
|
// otherwise use the default
|
|
|
|
|
headers = Default.httpHeaders();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// next define the base Content Security Policy (CSP) headers
|
|
|
|
|
if (typeof(config.contentSecurity) === 'string') {
|
|
|
|
|
headers['Content-Security-Policy'] = config.contentSecurity;
|
|
|
|
|
if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }
|
|
|
|
|
if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
|
|
|
|
|
// backward compat for those who do not merge the new version of the config
|
|
|
|
|
// when updating. This prevents endless spinner if someone clicks donate.
|
|
|
|
|
// It also fixes the cross-domain iframe.
|
|
|
|
|
headers['Content-Security-Policy'] += "frame-ancestors *;";
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// use the default CSP headers constructed with your domain
|
|
|
|
|
headers['Content-Security-Policy'] = Default.contentSecurity(config.httpUnsafeOrigin);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const padHeaders = Util.clone(headers);
|
|
|
|
|
if (typeof(config.padContentSecurity) === 'string') {
|
|
|
|
|
padHeaders['Content-Security-Policy'] = config.padContentSecurity;
|
|
|
|
|
} else {
|
|
|
|
|
padHeaders['Content-Security-Policy'] = Default.padContentSecurity(config.httpUnsafeOrigin);
|
|
|
|
|
}
|
|
|
|
|
if (Object.keys(headers).length) {
|
|
|
|
|
return function (req, res) {
|
|
|
|
|
// apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
|
|
|
|
|
applyHeaderMap(res, {
|
|
|
|
|
"Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
|
|
|
|
|
"Cross-Origin-Embedder-Policy": 'require-corp',
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (Env.NO_SANDBOX) {
|
|
|
|
|
applyHeaderMap(res, {
|
|
|
|
|
"Cross-Origin-Resource-Policy": 'cross-origin',
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Don't set CSP headers on /api/config because they aren't necessary and they cause problems
|
|
|
|
|
// when duplicated by NGINX in production environments
|
|
|
|
|
if (/^\/api\/(broadcast|config)/.test(req.url)) {
|
|
|
|
|
if (!Env.NO_SANDBOX) {
|
|
|
|
|
applyHeaderMap(res, {
|
|
|
|
|
"Cross-Origin-Resource-Policy": 'cross-origin',
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
applyHeaderMap(res, {
|
|
|
|
|
"Cross-Origin-Resource-Policy": 'cross-origin',
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// targeted CSP, generic policies, maybe custom headers
|
|
|
|
|
const h = [
|
|
|
|
|
/^\/common\/onlyoffice\/.*\/index\.html.*/,
|
|
|
|
|
/^\/(sheet|presentation|doc)\/inner\.html.*/,
|
|
|
|
|
].some((regex) => {
|
|
|
|
|
return regex.test(req.url);
|
|
|
|
|
}) ? padHeaders : headers;
|
|
|
|
|
applyHeaderMap(res, h);
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
return function () {};
|
|
|
|
|
}());
|
|
|
|
|
|
|
|
|
|
(function () {
|
|
|
|
|
if (!config.logFeedback) { return; }
|
|
|
|
|
|
|
|
|
|
const logFeedback = function (url) {
|
|
|
|
|
url.replace(/\?(.*?)=/, function (all, fb) {
|
|
|
|
|
if (!config.log) { return; }
|
|
|
|
|
config.log.feedback(fb, '');
|
|
|
|
|
});
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
app.head(/^\/common\/feedback\.html/, function (req, res, next) {
|
|
|
|
|
logFeedback(req.url);
|
|
|
|
|
next();
|
|
|
|
|
});
|
|
|
|
|
}());
|
|
|
|
|
|
|
|
|
|
app.use('/blob', function (req, res, next) {
|
|
|
|
|
if (req.method === 'HEAD') {
|
|
|
|
|
Express.static(Path.join(__dirname, (config.blobPath || './blob')), {
|
|
|
|
|
setHeaders: function (res, path, stat) {
|
|
|
|
|
res.set('Access-Control-Allow-Origin', '*');
|
|
|
|
|
res.set('Access-Control-Allow-Headers', 'Content-Length');
|
|
|
|
|
res.set('Access-Control-Expose-Headers', 'Content-Length');
|
|
|
|
|
}
|
|
|
|
|
})(req, res, next);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
next();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
app.use(function (req, res, next) {
|
|
|
|
|
if (req.method === 'OPTIONS' && /\/blob\//.test(req.url)) {
|
|
|
|
|
res.setHeader('Access-Control-Allow-Origin', '*');
|
|
|
|
|
res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
|
|
|
|
|
res.setHeader('Access-Control-Allow-Headers', 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range');
|
|
|
|
|
res.setHeader('Access-Control-Max-Age', 1728000);
|
|
|
|
|
res.setHeader('Content-Type', 'application/octet-stream; charset=utf-8');
|
|
|
|
|
res.setHeader('Content-Length', 0);
|
|
|
|
|
res.statusCode = 204;
|
|
|
|
|
return void res.end();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
setHeaders(req, res);
|
|
|
|
|
if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); }
|
|
|
|
|
else { res.setHeader("Cache-Control", "no-cache"); }
|
|
|
|
|
next();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
app.use(Express.static(__dirname + '/www'));
|
|
|
|
|
|
|
|
|
|
// FIXME I think this is a regression caused by a recent PR
|
|
|
|
|
// correct this hack without breaking the contributor's intended behaviour.
|
|
|
|
|
|
|
|
|
|
var mainPages = config.mainPages || Default.mainPages();
|
|
|
|
|
var mainPagePattern = new RegExp('^\/(' + mainPages.join('|') + ').html$');
|
|
|
|
|
app.get(mainPagePattern, Express.static(__dirname + '/customize'));
|
|
|
|
|
app.get(mainPagePattern, Express.static(__dirname + '/customize.dist'));
|
|
|
|
|
|
|
|
|
|
app.use("/blob", Express.static(Path.join(__dirname, (config.blobPath || './blob')), {
|
|
|
|
|
maxAge: Env.DEV_MODE? "0d": "365d"
|
|
|
|
|
}));
|
|
|
|
|
app.use("/datastore", Express.static(Path.join(__dirname, (config.filePath || './datastore')), {
|
|
|
|
|
maxAge: "0d"
|
|
|
|
|
}));
|
|
|
|
|
app.use("/block", Express.static(Path.join(__dirname, (config.blockPath || '/block')), {
|
|
|
|
|
maxAge: "0d",
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
app.use("/customize", Express.static(__dirname + '/customize'));
|
|
|
|
|
app.use("/customize", Express.static(__dirname + '/customize.dist'));
|
|
|
|
|
app.use("/customize.dist", Express.static(__dirname + '/customize.dist'));
|
|
|
|
|
app.use(/^\/[^\/]*$/, Express.static('customize'));
|
|
|
|
|
app.use(/^\/[^\/]*$/, Express.static('customize.dist'));
|
|
|
|
|
|
|
|
|
|
// if dev mode: never cache
|
|
|
|
|
var cacheString = function () {
|
|
|
|
|
return (Env.FRESH_KEY? '-' + Env.FRESH_KEY: '') + (Env.DEV_MODE? '-' + (+new Date()): '');
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
var makeRouteCache = function (template, cacheName) {
|
|
|
|
|
var cleanUp = {};
|
|
|
|
|
var cache = Env[cacheName] = Env[cacheName] || {};
|
|
|
|
|
|
|
|
|
|
return function (req, res) {
|
|
|
|
|
var host = req.headers.host.replace(/\:[0-9]+/, '');
|
|
|
|
|
res.setHeader('Content-Type', 'text/javascript');
|
|
|
|
|
// don't cache anything if you're in dev mode
|
|
|
|
|
if (Env.DEV_MODE) {
|
|
|
|
|
return void res.send(template(host));
|
|
|
|
|
}
|
|
|
|
|
// generate a lookup key for the cache
|
|
|
|
|
var cacheKey = host + ':' + cacheString();
|
|
|
|
|
|
|
|
|
|
// FIXME mutable
|
|
|
|
|
// we must be able to clear the cache when updating any mutable key
|
|
|
|
|
// if there's nothing cached for that key...
|
|
|
|
|
if (!cache[cacheKey]) {
|
|
|
|
|
// generate the response and cache it in memory
|
|
|
|
|
cache[cacheKey] = template(host);
|
|
|
|
|
// and create a function to conditionally evict cache entries
|
|
|
|
|
// which have not been accessed in the last 20 seconds
|
|
|
|
|
cleanUp[cacheKey] = Util.throttle(function () {
|
|
|
|
|
delete cleanUp[cacheKey];
|
|
|
|
|
delete cache[cacheKey];
|
|
|
|
|
}, 20000);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// successive calls to this function
|
|
|
|
|
cleanUp[cacheKey]();
|
|
|
|
|
return void res.send(cache[cacheKey]);
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
var serveConfig = makeRouteCache(function (host) {
|
|
|
|
|
return [
|
|
|
|
|
'define(function(){',
|
|
|
|
|
'var obj = ' + JSON.stringify({
|
|
|
|
|
requireConf: {
|
|
|
|
|
waitSeconds: 600,
|
|
|
|
|
urlArgs: 'ver=' + Package.version + cacheString(),
|
|
|
|
|
},
|
|
|
|
|
removeDonateButton: (config.removeDonateButton === true),
|
|
|
|
|
allowSubscriptions: (config.allowSubscriptions === true),
|
|
|
|
|
websocketPath: config.externalWebsocketURL,
|
|
|
|
|
httpUnsafeOrigin: config.httpUnsafeOrigin,
|
|
|
|
|
adminEmail: Env.adminEmail,
|
|
|
|
|
adminKeys: Env.admins,
|
|
|
|
|
inactiveTime: Env.inactiveTime,
|
|
|
|
|
supportMailbox: Env.supportMailbox,
|
|
|
|
|
defaultStorageLimit: Env.defaultStorageLimit,
|
|
|
|
|
maxUploadSize: Env.maxUploadSize,
|
|
|
|
|
premiumUploadSize: Env.premiumUploadSize,
|
|
|
|
|
restrictRegistration: Env.restrictRegistration, // XXX restricted-registration
|
|
|
|
|
}, null, '\t'),
|
|
|
|
|
'obj.httpSafeOrigin = ' + (function () {
|
|
|
|
|
if (config.httpSafeOrigin) { return '"' + config.httpSafeOrigin + '"'; }
|
|
|
|
|
if (config.httpSafePort) {
|
|
|
|
|
return "(function () { return window.location.origin.replace(/\:[0-9]+$/, ':" +
|
|
|
|
|
config.httpSafePort + "'); }())";
|
|
|
|
|
}
|
|
|
|
|
return 'window.location.origin';
|
|
|
|
|
}()),
|
|
|
|
|
'return obj',
|
|
|
|
|
'});'
|
|
|
|
|
].join(';\n')
|
|
|
|
|
}, 'configCache');
|
|
|
|
|
|
|
|
|
|
var serveBroadcast = makeRouteCache(function (host) {
|
|
|
|
|
var maintenance = Env.maintenance;
|
|
|
|
|
if (maintenance && maintenance.end && maintenance.end < (+new Date())) {
|
|
|
|
|
maintenance = undefined;
|
|
|
|
|
}
|
|
|
|
|
return [
|
|
|
|
|
'define(function(){',
|
|
|
|
|
'return ' + JSON.stringify({
|
|
|
|
|
lastBroadcastHash: Env.lastBroadcastHash,
|
|
|
|
|
surveyURL: Env.surveyURL,
|
|
|
|
|
maintenance: maintenance
|
|
|
|
|
}, null, '\t'),
|
|
|
|
|
'});'
|
|
|
|
|
].join(';\n')
|
|
|
|
|
}, 'broadcastCache');
|
|
|
|
|
|
|
|
|
|
app.get('/api/config', serveConfig);
|
|
|
|
|
app.get('/api/broadcast', serveBroadcast);
|
|
|
|
|
|
|
|
|
|
var four04_path = Path.resolve(__dirname + '/customize.dist/404.html');
|
|
|
|
|
var custom_four04_path = Path.resolve(__dirname + '/customize/404.html');
|
|
|
|
|
|
|
|
|
|
var send404 = function (res, path) {
|
|
|
|
|
if (!path && path !== four04_path) { path = four04_path; }
|
|
|
|
|
Fs.exists(path, function (exists) {
|
|
|
|
|
res.setHeader('Content-Type', 'text/html; charset=utf-8');
|
|
|
|
|
if (exists) { return Fs.createReadStream(path).pipe(res); }
|
|
|
|
|
send404(res);
|
|
|
|
|
});
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
app.use(function (req, res, next) {
|
|
|
|
|
res.status(404);
|
|
|
|
|
send404(res, custom_four04_path);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
var httpServer = Env.httpServer = Http.createServer(app);
|
|
|
|
|
|
|
|
|
|
nThen(function (w) {
|
|
|
|
|
Fs.exists(__dirname + "/customize", w(function (e) {
|
|
|
|
|
if (e) { return; }
|
|
|
|
|
console.log("Cryptpad is customizable, see customize.dist/readme.md for details");
|
|
|
|
|
}));
|
|
|
|
|
}).nThen(function (w) {
|
|
|
|
|
httpServer.listen(config.httpPort,config.httpAddress,function(){
|
|
|
|
|
var host = config.httpAddress;
|
|
|
|
|
var hostName = !host.indexOf(':') ? '[' + host + ']' : host;
|
|
|
|
|
|
|
|
|
|
var port = config.httpPort;
|
|
|
|
|
var ps = port === 80? '': ':' + port;
|
|
|
|
|
|
|
|
|
|
console.log('[%s] server available http://%s%s', new Date().toISOString(), hostName, ps);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (config.httpSafePort) {
|
|
|
|
|
Http.createServer(app).listen(config.httpSafePort, config.httpAddress, w());
|
|
|
|
|
}
|
|
|
|
|
}).nThen(function () {
|
|
|
|
|
var wsConfig = { server: httpServer };
|
|
|
|
|
|
|
|
|
|
// Initialize logging then start the API server
|
|
|
|
|
require("./lib/log").create(config, function (_log) {
|
|
|
|
|
Env.Log = _log;
|
|
|
|
|
config.log = _log;
|
|
|
|
|
|
|
|
|
|
if (Env.OFFLINE_MODE) { return; }
|
|
|
|
|
if (config.externalWebsocketURL) { return; }
|
|
|
|
|
|
|
|
|
|
require("./lib/api").create(Env);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
|