/* globals require console */ var Express = require('express'); var Http = require('http'); var Fs = require('fs'); var Package = require('./package.json'); var Path = require("path"); var nThen = require("nthen"); var Util = require("./lib/common-util"); var Default = require("./lib/defaults"); var Keys = require("./lib/keys"); var config = require("./lib/load-config"); var Env = require("./lib/env").create(config); var app = Express(); var canonicalizeOrigin = function (s) { return (s || '').trim().replace(/\/+$/, ''); }; (function () { // you absolutely must provide an 'httpUnsafeOrigin' if (typeof(config.httpUnsafeOrigin) !== 'string') { throw new Error("No 'httpUnsafeOrigin' provided"); } config.httpUnsafeOrigin = canonicalizeOrigin(config.httpUnsafeOrigin); if (typeof(config.httpSafeOrigin) === 'string') { config.httpSafeOrigin = canonicalizeOrigin(config.httpSafeOrigin); } // fall back to listening on a local address // if httpAddress is not a string if (typeof(config.httpAddress) !== 'string') { config.httpAddress = '127.0.0.1'; } // listen on port 3000 if a valid port number was not provided if (typeof(config.httpPort) !== 'number' || config.httpPort > 65535) { config.httpPort = 3000; } if (typeof(config.httpSafeOrigin) !== 'string') { Env.NO_SANDBOX = true; if (typeof(config.httpSafePort) !== 'number') { config.httpSafePort = config.httpPort + 1; } if (Env.DEV_MODE) { return; } console.log(` m m mm mmmmm mm m mmmmm mm m mmm m # # # ## # "# #"m # # #"m # m" " # " #"# # # # #mmmm" # #m # # # #m # # mm # ## ##" #mm# # "m # # # # # # # # # # # # # # " # ## mm#mm # ## "mmm" # `); console.log("\nNo 'httpSafeOrigin' provided."); console.log("Your configuration probably isn't taking advantage of all of CryptPad's security features!"); console.log("This is acceptable for development, otherwise your users may be at risk.\n"); console.log("Serving sandboxed content via port %s.\nThis is probably not what you want for a production instance!\n", config.httpSafePort); } }()); var applyHeaderMap = function (res, map) { for (let header in map) { res.setHeader(header, map[header]); } }; var setHeaders = (function () { // load the default http headers unless the admin has provided their own via the config file var headers; var custom = config.httpHeaders; // if the admin provided valid http headers then use them if (custom && typeof(custom) === 'object' && !Array.isArray(custom)) { headers = Util.clone(custom); } else { // otherwise use the default headers = Default.httpHeaders(); } // next define the base Content Security Policy (CSP) headers if (typeof(config.contentSecurity) === 'string') { headers['Content-Security-Policy'] = config.contentSecurity; if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' } if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) { // backward compat for those who do not merge the new version of the config // when updating. This prevents endless spinner if someone clicks donate. // It also fixes the cross-domain iframe. headers['Content-Security-Policy'] += "frame-ancestors *;"; } } else { // use the default CSP headers constructed with your domain headers['Content-Security-Policy'] = Default.contentSecurity(config.httpUnsafeOrigin); } const padHeaders = Util.clone(headers); if (typeof(config.padContentSecurity) === 'string') { padHeaders['Content-Security-Policy'] = config.padContentSecurity; } else { padHeaders['Content-Security-Policy'] = Default.padContentSecurity(config.httpUnsafeOrigin); } if (Object.keys(headers).length) { return function (req, res) { // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere applyHeaderMap(res, { "Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '', "Cross-Origin-Embedder-Policy": 'require-corp', }); if (Env.NO_SANDBOX) { // handles correct configuration for local development // https://stackoverflow.com/questions/11531121/add-duplicate-http-response-headers-in-nodejs applyHeaderMap(res, { "Cross-Origin-Resource-Policy": 'cross-origin', }); } // Don't set CSP headers on /api/config because they aren't necessary and they cause problems // when duplicated by NGINX in production environments if (/^\/api\/(broadcast|config)/.test(req.url)) { /* if (Env.NO_SANDBOX) { applyHeaderMap(res, { "Cross-Origin-Resource-Policy": 'cross-origin', }); } */ return; } applyHeaderMap(res, { "Cross-Origin-Resource-Policy": 'cross-origin', }); // targeted CSP, generic policies, maybe custom headers const h = [ /^\/common\/onlyoffice\/.*\/index\.html.*/, /^\/(sheet|presentation|doc)\/inner\.html.*/, ].some((regex) => { return regex.test(req.url); }) ? padHeaders : headers; applyHeaderMap(res, h); }; } return function () {}; }()); (function () { if (!config.logFeedback) { return; } const logFeedback = function (url) { url.replace(/\?(.*?)=/, function (all, fb) { if (!config.log) { return; } config.log.feedback(fb, ''); }); }; app.head(/^\/common\/feedback\.html/, function (req, res, next) { logFeedback(req.url); next(); }); }()); app.use('/blob', function (req, res, next) { if (req.method === 'HEAD') { Express.static(Path.join(__dirname, (config.blobPath || './blob')), { setHeaders: function (res, path, stat) { res.set('Access-Control-Allow-Origin', '*'); res.set('Access-Control-Allow-Headers', 'Content-Length'); res.set('Access-Control-Expose-Headers', 'Content-Length'); } })(req, res, next); return; } next(); }); app.use(function (req, res, next) { if (req.method === 'OPTIONS' && /\/blob\//.test(req.url)) { res.setHeader('Access-Control-Allow-Origin', '*'); res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS'); res.setHeader('Access-Control-Allow-Headers', 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'); res.setHeader('Access-Control-Max-Age', 1728000); res.setHeader('Content-Type', 'application/octet-stream; charset=utf-8'); res.setHeader('Content-Length', 0); res.statusCode = 204; return void res.end(); } setHeaders(req, res); if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); } else { res.setHeader("Cache-Control", "no-cache"); } next(); }); app.use(Express.static(__dirname + '/www')); // FIXME I think this is a regression caused by a recent PR // correct this hack without breaking the contributor's intended behaviour. var mainPages = config.mainPages || Default.mainPages(); var mainPagePattern = new RegExp('^\/(' + mainPages.join('|') + ').html$'); app.get(mainPagePattern, Express.static(__dirname + '/customize')); app.get(mainPagePattern, Express.static(__dirname + '/customize.dist')); app.use("/blob", Express.static(Path.join(__dirname, (config.blobPath || './blob')), { maxAge: Env.DEV_MODE? "0d": "365d" })); app.use("/datastore", Express.static(Path.join(__dirname, (config.filePath || './datastore')), { maxAge: "0d" })); app.use("/block", Express.static(Path.join(__dirname, (config.blockPath || '/block')), { maxAge: "0d", })); app.use("/customize", Express.static(__dirname + '/customize')); app.use("/customize", Express.static(__dirname + '/customize.dist')); app.use("/customize.dist", Express.static(__dirname + '/customize.dist')); app.use(/^\/[^\/]*$/, Express.static('customize')); app.use(/^\/[^\/]*$/, Express.static('customize.dist')); // if dev mode: never cache var cacheString = function () { return (Env.FRESH_KEY? '-' + Env.FRESH_KEY: '') + (Env.DEV_MODE? '-' + (+new Date()): ''); }; var makeRouteCache = function (template, cacheName) { var cleanUp = {}; var cache = Env[cacheName] = Env[cacheName] || {}; return function (req, res) { var host = req.headers.host.replace(/\:[0-9]+/, ''); res.setHeader('Content-Type', 'text/javascript'); // don't cache anything if you're in dev mode if (Env.DEV_MODE) { return void res.send(template(host)); } // generate a lookup key for the cache var cacheKey = host + ':' + cacheString(); // FIXME mutable // we must be able to clear the cache when updating any mutable key // if there's nothing cached for that key... if (!cache[cacheKey]) { // generate the response and cache it in memory cache[cacheKey] = template(host); // and create a function to conditionally evict cache entries // which have not been accessed in the last 20 seconds cleanUp[cacheKey] = Util.throttle(function () { delete cleanUp[cacheKey]; delete cache[cacheKey]; }, 20000); } // successive calls to this function cleanUp[cacheKey](); return void res.send(cache[cacheKey]); }; }; var serveConfig = makeRouteCache(function (host) { return [ 'define(function(){', 'var obj = ' + JSON.stringify({ requireConf: { waitSeconds: 600, urlArgs: 'ver=' + Package.version + cacheString(), }, removeDonateButton: (config.removeDonateButton === true), allowSubscriptions: (config.allowSubscriptions === true), websocketPath: config.externalWebsocketURL, httpUnsafeOrigin: config.httpUnsafeOrigin, adminEmail: Env.adminEmail, adminKeys: Env.admins, inactiveTime: Env.inactiveTime, supportMailbox: Env.supportMailbox, defaultStorageLimit: Env.defaultStorageLimit, maxUploadSize: Env.maxUploadSize, premiumUploadSize: Env.premiumUploadSize, restrictRegistration: Env.restrictRegistration, }, null, '\t'), 'obj.httpSafeOrigin = ' + (function () { if (config.httpSafeOrigin) { return '"' + config.httpSafeOrigin + '"'; } if (config.httpSafePort) { return "(function () { return window.location.origin.replace(/\:[0-9]+$/, ':" + config.httpSafePort + "'); }())"; } return 'window.location.origin'; }()), 'return obj', '});' ].join(';\n') }, 'configCache'); var serveBroadcast = makeRouteCache(function (host) { var maintenance = Env.maintenance; if (maintenance && maintenance.end && maintenance.end < (+new Date())) { maintenance = undefined; } return [ 'define(function(){', 'return ' + JSON.stringify({ lastBroadcastHash: Env.lastBroadcastHash, surveyURL: Env.surveyURL, maintenance: maintenance }, null, '\t'), '});' ].join(';\n') }, 'broadcastCache'); app.get('/api/config', serveConfig); app.get('/api/broadcast', serveBroadcast); var four04_path = Path.resolve(__dirname + '/customize.dist/404.html'); var custom_four04_path = Path.resolve(__dirname + '/customize/404.html'); var send404 = function (res, path) { if (!path && path !== four04_path) { path = four04_path; } Fs.exists(path, function (exists) { res.setHeader('Content-Type', 'text/html; charset=utf-8'); if (exists) { return Fs.createReadStream(path).pipe(res); } send404(res); }); }; app.use(function (req, res, next) { res.status(404); send404(res, custom_four04_path); }); var httpServer = Env.httpServer = Http.createServer(app); nThen(function (w) { Fs.exists(__dirname + "/customize", w(function (e) { if (e) { return; } console.log("Cryptpad is customizable, see customize.dist/readme.md for details"); })); }).nThen(function (w) { httpServer.listen(config.httpPort,config.httpAddress,function(){ var host = config.httpAddress; var hostName = !host.indexOf(':') ? '[' + host + ']' : host; var port = config.httpPort; var ps = port === 80? '': ':' + port; console.log('[%s] server available http://%s%s', new Date().toISOString(), hostName, ps); }); if (config.httpSafePort) { Http.createServer(app).listen(config.httpSafePort, config.httpAddress, w()); } }).nThen(function () { var wsConfig = { server: httpServer }; // Initialize logging then start the API server require("./lib/log").create(config, function (_log) { Env.Log = _log; config.log = _log; if (Env.OFFLINE_MODE) { return; } if (config.externalWebsocketURL) { return; } require("./lib/api").create(Env); }); });