cryptpad/server.js

/*
    globals require console
*/
var Express = require('express');
var Http = require('http');
var Https = require('https');
var Fs = require('fs');
var WebSocketServer = require('ws').Server;
var NetfluxSrv = require('./node_modules/chainpad-server/NetfluxWebsocketSrv');
var Package = require('./package.json');
var Path = require("path");

var config = require('./config');
var websocketPort = config.websocketPort || config.httpPort;
var useSecureWebsockets = config.useSecureWebsockets || false;

// support multiple storage back ends
var Storage = require(config.storage||'./storage/file');

var app = Express();

var httpsOpts;

var DEV_MODE = !!process.env.DEV
if (DEV_MODE) {
    console.log("DEV MODE ENABLED");
}

const clone = (x) => (JSON.parse(JSON.stringify(x)));

var setHeaders = (function () {
    if (typeof(config.httpHeaders) !== 'object') { return function () {}; }

    const headers = clone(config.httpHeaders);
    if (config.contentSecurity) {
        headers['Content-Security-Policy'] = clone(config.contentSecurity);
        if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }
        if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {
            // backward compat for those who do not merge the new version of the config
            // when updating. This prevents endless spinner if someone clicks donate.
            headers['Content-Security-Policy'] += "frame-ancestors 'self' accounts.cryptpad.fr;";
        }
    }
    const padHeaders = clone(headers);
    if (config.padContentSecurity) {
        padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);
    }
    if (Object.keys(headers).length) {
        return function (req, res) {
            const h = /^\/pad\/inner\.html.*/.test(req.url) ? padHeaders : headers;
            for (let header in h) { res.setHeader(header, h[header]); }
        };
    }
    return function () {};
}());

(function () {
if (!config.logFeedback) { return; }

const logFeedback = function (url) {
    url.replace(/\?(.*?)=/, function (all, fb) {
        console.log('[FEEDBACK] %s', fb);
    });
};

app.head(/^\/common\/feedback\.html/, function (req, res, next) {
    logFeedback(req.url);
    next();
});
}());

app.use(function (req, res, next) {
    setHeaders(req, res);
    if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); }
    next();
});

app.use(Express.static(__dirname + '/www'));

Fs.exists(__dirname + "/customize", function (e) {
    if (e) { return; }
    console.log("Cryptpad is customizable, see customize.dist/readme.md for details");
});

// FIXME I think this is a regression caused by a recent PR
// correct this hack without breaking the contributor's intended behaviour.

var mainPages = config.mainPages || ['index', 'privacy', 'terms', 'about', 'contact'];
var mainPagePattern = new RegExp('^\/(' + mainPages.join('|') + ').html$');
app.get(mainPagePattern, Express.static(__dirname + '/customize.dist'));

app.use("/blob", Express.static(Path.join(__dirname, (config.blobPath || './blob'))));

app.use("/customize", Express.static(__dirname + '/customize'));
app.use("/customize", Express.static(__dirname + '/customize.dist'));
app.use(/^\/[^\/]*$/, Express.static('customize'));
app.use(/^\/[^\/]*$/, Express.static('customize.dist'));

if (config.privKeyAndCertFiles) {
    var privKeyAndCerts = '';
    config.privKeyAndCertFiles.forEach(function (file) {
        privKeyAndCerts = privKeyAndCerts + Fs.readFileSync(file);
    });
    var array = privKeyAndCerts.split('\n-----BEGIN ');
    for (var i = 1; i < array.length; i++) { array[i] = '-----BEGIN ' + array[i]; }
    var privKey;
    for (var i = 0; i < array.length; i++) {
        if (array[i].indexOf('PRIVATE KEY-----\n') !== -1) {
            privKey = array[i];
            array.splice(i, 1);
            break;
        }
    }
    if (!privKey) { throw new Error("cannot find private key"); }
    httpsOpts = {
        cert: array.shift(),
        key: privKey,
        ca: array
    };
}

app.get('/api/config', function(req, res){
    var host = req.headers.host.replace(/\:[0-9]+/, '');
    res.setHeader('Content-Type', 'text/javascript');
    res.send('define(' + JSON.stringify({
        requireConf: {
            waitSeconds: 60,
            urlArgs: 'ver=' + Package.version + (DEV_MODE? '-' + (+new Date()): ''),
        },
        removeDonateButton: (config.removeDonateButton === true),
        allowSubscriptions: (config.allowSubscriptions === true),

        websocketPath: config.useExternalWebsocket ? undefined : config.websocketPath,
        websocketURL:'ws' + ((useSecureWebsockets) ? 's' : '') + '://' + host + ':' +
            websocketPort + '/cryptpad_websocket',
    }) + ');');
});

var httpServer = httpsOpts ? Https.createServer(httpsOpts, app) : Http.createServer(app);

httpServer.listen(config.httpPort,config.httpAddress,function(){
    var host = config.httpAddress;
    var hostName = !host.indexOf(':') ? '[' + host + ']' : host;

    var port = config.httpPort;
    var ps = port === 80? '': ':' + port;

    console.log('\n[%s] server available http://%s%s', new Date().toISOString(), hostName, ps);
});

var wsConfig = { server: httpServer };

var createSocketServer = function (err, rpc) {
    if(!config.useExternalWebsocket) {
        if (websocketPort !== config.httpPort) {
            console.log("setting up a new websocket server");
            wsConfig = { port: websocketPort};
        }
        var wsSrv = new WebSocketServer(wsConfig);
        Storage.create(config, function (store) {
            NetfluxSrv.run(store, wsSrv, config, rpc);
        });
    }
};

var loadRPC = function (cb) {
    config.rpc = typeof(config.rpc) === 'undefined'? './rpc.js' : config.rpc;

    if (typeof(config.rpc) === 'string') {
        // load pin store...
        var Rpc = require(config.rpc);
        Rpc.create(config, function (e, rpc) {
            if (e) { throw e; }
            cb(void 0, rpc);
        });
    } else {
        cb();
    }
};

loadRPC(createSocketServer);
even more jshint compliance 2016-02-15 23:47:53 +08:00			`/*`
			`globals require console`
			`*/`
and so it begins 2014-10-31 23:42:58 +08:00			`var Express = require('express');`
			`var Http = require('http');`
added ability to use https 2014-12-04 17:53:47 +08:00			`var Https = require('https');`
			`var Fs = require('fs');`
and so it begins 2014-10-31 23:42:58 +08:00			`var WebSocketServer = require('ws').Server;`
Replace the websocket server by the one in the chainpad-server repo 2017-03-16 22:57:13 +08:00			`var NetfluxSrv = require('./node_modules/chainpad-server/NetfluxWebsocketSrv');`
Implement stronger content-security-policy except in /pad/ which does not allow it. Implement a "loader" which allows for applying a version number to everything. Added a cache control for anything which has a version. 2017-03-02 00:23:34 +08:00			`var Package = require('./package.json');`
serve blobs from configured location 2017-05-19 22:56:45 +08:00			`var Path = require("path");`
and so it begins 2014-10-31 23:42:58 +08:00
Move config from server.js into config.js.dist 2014-11-01 00:48:17 +08:00			`var config = require('./config');`
Add a Content Security Policy which works for CryptPad 2016-10-07 04:37:25 +08:00			`var websocketPort = config.websocketPort \|\| config.httpPort;`
use wss if useSecureWebsockets is true There are no certs / httpOtps set if proxy doing ssl offloading. Better use useSecureWebsockets from config file. 2017-01-02 18:54:50 +08:00			`var useSecureWebsockets = config.useSecureWebsockets \|\| false;`
and so it begins 2014-10-31 23:42:58 +08:00
relocate and rename Storage.js. implement a simple, non-persistent in memory datastore for those who'd rather not bother with mongodb. Continue to default to previous values. 2015-10-26 07:35:25 +08:00			`// support multiple storage back ends`
Add a Content Security Policy which works for CryptPad 2016-10-07 04:37:25 +08:00			`var Storage = require(config.storage\|\|'./storage/file');`
relocate and rename Storage.js. implement a simple, non-persistent in memory datastore for those who'd rather not bother with mongodb. Continue to default to previous values. 2015-10-26 07:35:25 +08:00
and so it begins 2014-10-31 23:42:58 +08:00			`var app = Express();`
Add a Content Security Policy which works for CryptPad 2016-10-07 04:37:25 +08:00
Don't make the codestyle any worse than it is 2016-10-07 04:44:58 +08:00			`var httpsOpts;`

implement dev mode which busts cache all the time 2017-03-07 00:25:02 +08:00			`var DEV_MODE = !!process.env.DEV`
			`if (DEV_MODE) {`
			`console.log("DEV MODE ENABLED");`
			`}`

Implement stronger content-security-policy except in /pad/ which does not allow it. Implement a "loader" which allows for applying a version number to everything. Added a cache control for anything which has a version. 2017-03-02 00:23:34 +08:00			`const clone = (x) => (JSON.parse(JSON.stringify(x)));`

make http headers configurable, update default conf 2016-10-18 17:48:29 +08:00			`var setHeaders = (function () {`
			`if (typeof(config.httpHeaders) !== 'object') { return function () {}; }`
Add a Content Security Policy which works for CryptPad 2016-10-07 04:37:25 +08:00
Implement stronger content-security-policy except in /pad/ which does not allow it. Implement a "loader" which allows for applying a version number to everything. Added a cache control for anything which has a version. 2017-03-02 00:23:34 +08:00			`const headers = clone(config.httpHeaders);`
			`if (config.contentSecurity) {`
			`headers['Content-Security-Policy'] = clone(config.contentSecurity);`
Add a semicolon at the end of the CSP if none exists. 2017-06-15 20:45:01 +08:00			`if (!/;$/.test(headers['Content-Security-Policy'])) { headers['Content-Security-Policy'] += ';' }`
Add frame-ancestors to allow remote auth 2017-06-07 15:51:10 +08:00			`if (headers['Content-Security-Policy'].indexOf('frame-ancestors') === -1) {`
			`// backward compat for those who do not merge the new version of the config`
			`// when updating. This prevents endless spinner if someone clicks donate.`
			`headers['Content-Security-Policy'] += "frame-ancestors 'self' accounts.cryptpad.fr;";`
			`}`
Implement stronger content-security-policy except in /pad/ which does not allow it. Implement a "loader" which allows for applying a version number to everything. Added a cache control for anything which has a version. 2017-03-02 00:23:34 +08:00			`}`
			`const padHeaders = clone(headers);`
			`if (config.padContentSecurity) {`
			`padHeaders['Content-Security-Policy'] = clone(config.padContentSecurity);`
			`}`
make http headers configurable, update default conf 2016-10-18 17:48:29 +08:00			`if (Object.keys(headers).length) {`
Implement stronger content-security-policy except in /pad/ which does not allow it. Implement a "loader" which allows for applying a version number to everything. Added a cache control for anything which has a version. 2017-03-02 00:23:34 +08:00			`return function (req, res) {`
			`const h = /^\/pad\/inner\.html.*/.test(req.url) ? padHeaders : headers;`
			`for (let header in h) { res.setHeader(header, h[header]); }`
make http headers configurable, update default conf 2016-10-18 17:48:29 +08:00			`};`
			`}`
			`return function () {};`
			`}());`
Chuck a few more super-duper-security headers in there 2016-10-07 05:02:30 +08:00
support logging feedback api via config.js 2017-04-18 21:51:42 +08:00			`(function () {`
			`if (!config.logFeedback) { return; }`

			`const logFeedback = function (url) {`
			`url.replace(/\?(.*?)=/, function (all, fb) {`
			`console.log('[FEEDBACK] %s', fb);`
			`});`
			`};`

			`app.head(/^\/common\/feedback\.html/, function (req, res, next) {`
			`logFeedback(req.url);`
			`next();`
			`});`
			`}());`

make http headers configurable, update default conf 2016-10-18 17:48:29 +08:00			`app.use(function (req, res, next) {`
Implement stronger content-security-policy except in /pad/ which does not allow it. Implement a "loader" which allows for applying a version number to everything. Added a cache control for anything which has a version. 2017-03-02 00:23:34 +08:00			`setHeaders(req, res);`
			`if (/[\?\&]ver=[^\/]+$/.test(req.url)) { res.setHeader("Cache-Control", "max-age=31536000"); }`
Add a Content Security Policy which works for CryptPad 2016-10-07 04:37:25 +08:00			`next();`
			`});`

and so it begins 2014-10-31 23:42:58 +08:00			`app.use(Express.static(__dirname + '/www'));`

reverting the style changes 2016-09-27 18:17:38 +08:00			`Fs.exists(__dirname + "/customize", function (e) {`
implement more seamless customization (with fallbacks) 2016-07-12 18:17:03 +08:00			`if (e) { return; }`
not quite finished 2015-01-31 01:12:20 +08:00			`console.log("Cryptpad is customizable, see customize.dist/readme.md for details");`
implement more seamless customization (with fallbacks) 2016-07-12 18:17:03 +08:00			`});`

make http headers configurable, update default conf 2016-10-18 17:48:29 +08:00			`// FIXME I think this is a regression caused by a recent PR`
			`// correct this hack without breaking the contributor's intended behaviour.`
make it easier to add pages at the document root 2016-12-29 00:11:06 +08:00
Test new home page 2017-01-17 01:28:37 +08:00			`var mainPages = config.mainPages \|\| ['index', 'privacy', 'terms', 'about', 'contact'];`
make it easier to add pages at the document root 2016-12-29 00:11:06 +08:00			`var mainPagePattern = new RegExp('^\/(' + mainPages.join('\|') + ').html$');`
			`app.get(mainPagePattern, Express.static(__dirname + '/customize.dist'));`
make http headers configurable, update default conf 2016-10-18 17:48:29 +08:00
serve blobs from configured location 2017-05-19 22:56:45 +08:00			`app.use("/blob", Express.static(Path.join(__dirname, (config.blobPath \|\| './blob'))));`
Add a new hash version for the file viewer 2017-04-25 23:19:13 +08:00
use an absolutely specific regex for the document root 2016-07-12 18:44:44 +08:00			`app.use("/customize", Express.static(__dirname + '/customize'));`
implement more seamless customization (with fallbacks) 2016-07-12 18:17:03 +08:00			`app.use("/customize", Express.static(__dirname + '/customize.dist'));`
Using express.static instead of custom handler 2016-09-27 17:53:52 +08:00			`app.use(/^\/[^\/]*$/, Express.static('customize'));`
			`app.use(/^\/[^\/]*$/, Express.static('customize.dist'));`
not quite finished 2015-01-31 01:12:20 +08:00
added ability to use https 2014-12-04 17:53:47 +08:00			`if (config.privKeyAndCertFiles) {`
			`var privKeyAndCerts = '';`
reverting the style changes 2016-09-27 18:17:38 +08:00			`config.privKeyAndCertFiles.forEach(function (file) {`
added ability to use https 2014-12-04 17:53:47 +08:00			`privKeyAndCerts = privKeyAndCerts + Fs.readFileSync(file);`
			`});`
			`var array = privKeyAndCerts.split('\n-----BEGIN ');`
address more jshint complaints 2016-02-12 18:39:37 +08:00			`for (var i = 1; i < array.length; i++) { array[i] = '-----BEGIN ' + array[i]; }`
added ability to use https 2014-12-04 17:53:47 +08:00			`var privKey;`
			`for (var i = 0; i < array.length; i++) {`
			`if (array[i].indexOf('PRIVATE KEY-----\n') !== -1) {`
			`privKey = array[i];`
			`array.splice(i, 1);`
			`break;`
			`}`
			`}`
			`if (!privKey) { throw new Error("cannot find private key"); }`
			`httpsOpts = {`
			`cert: array.shift(),`
			`key: privKey,`
			`ca: array`
address more jshint complaints 2016-02-12 18:39:37 +08:00			`};`
added ability to use https 2014-12-04 17:53:47 +08:00			`}`

reverting the style changes 2016-09-27 18:17:38 +08:00			`app.get('/api/config', function(req, res){`
support different ports for websocket and http 2014-11-03 18:13:41 +08:00			`var host = req.headers.host.replace(/\:[0-9]+/, '');`
			`res.setHeader('Content-Type', 'text/javascript');`
			`res.send('define(' + JSON.stringify({`
Implement stronger content-security-policy except in /pad/ which does not allow it. Implement a "loader" which allows for applying a version number to everything. Added a cache control for anything which has a version. 2017-03-02 00:23:34 +08:00			`requireConf: {`
			`waitSeconds: 60,`
implement dev mode which busts cache all the time 2017-03-07 00:25:02 +08:00			`urlArgs: 'ver=' + Package.version + (DEV_MODE? '-' + (+new Date()): ''),`
Implement stronger content-security-policy except in /pad/ which does not allow it. Implement a "loader" which allows for applying a version number to everything. Added a cache control for anything which has a version. 2017-03-02 00:23:34 +08:00			`},`
update default configuration file with new attributes and comments 2017-05-30 21:35:51 +08:00			`removeDonateButton: (config.removeDonateButton === true),`
			`allowSubscriptions: (config.allowSubscriptions === true),`

New config option to use an external websocket server 2017-01-27 23:45:41 +08:00			`websocketPath: config.useExternalWebsocket ? undefined : config.websocketPath,`
use wss if useSecureWebsockets is true There are no certs / httpOtps set if proxy doing ssl offloading. Better use useSecureWebsockets from config file. 2017-01-02 18:54:50 +08:00			`websocketURL:'ws' + ((useSecureWebsockets) ? 's' : '') + '://' + host + ':' +`
Add a Content Security Policy which works for CryptPad 2016-10-07 04:37:25 +08:00			`websocketPort + '/cryptpad_websocket',`
support different ports for websocket and http 2014-11-03 18:13:41 +08:00			`}) + ');');`
			`});`

added ability to use https 2014-12-04 17:53:47 +08:00			`var httpServer = httpsOpts ? Https.createServer(httpsOpts, app) : Http.createServer(app);`

reverting the style changes 2016-09-27 18:17:38 +08:00			`httpServer.listen(config.httpPort,config.httpAddress,function(){`
format probable server URL when printing to the console at launch 2017-06-14 16:27:29 +08:00			`var host = config.httpAddress;`
			`var hostName = !host.indexOf(':') ? '[' + host + ']' : host;`

			`var port = config.httpPort;`
			`var ps = port === 80? '': ':' + port;`

			`console.log('\n[%s] server available http://%s%s', new Date().toISOString(), hostName, ps);`
relocate and rename Storage.js. implement a simple, non-persistent in memory datastore for those who'd rather not bother with mongodb. Continue to default to previous values. 2015-10-26 07:35:25 +08:00			`});`
and so it begins 2014-10-31 23:42:58 +08:00
Improve the server so that both protocol (WebSocket and WebRTC) can use the same port 2016-03-16 23:34:27 +08:00			`var wsConfig = { server: httpServer };`
New config option to use an external websocket server 2017-01-27 23:45:41 +08:00
implement serverside RPC infrastructure 2017-03-11 01:03:15 +08:00			`var createSocketServer = function (err, rpc) {`
			`if(!config.useExternalWebsocket) {`
			`if (websocketPort !== config.httpPort) {`
			`console.log("setting up a new websocket server");`
			`wsConfig = { port: websocketPort};`
			`}`
			`var wsSrv = new WebSocketServer(wsConfig);`
			`Storage.create(config, function (store) {`
			`NetfluxSrv.run(store, wsSrv, config, rpc);`
			`});`
New config option to use an external websocket server 2017-01-27 23:45:41 +08:00			`}`
implement serverside RPC infrastructure 2017-03-11 01:03:15 +08:00			`};`

			`var loadRPC = function (cb) {`
			`config.rpc = typeof(config.rpc) === 'undefined'? './rpc.js' : config.rpc;`

			`if (typeof(config.rpc) === 'string') {`
			`// load pin store...`
			`var Rpc = require(config.rpc);`
			`Rpc.create(config, function (e, rpc) {`
			`if (e) { throw e; }`
			`cb(void 0, rpc);`
			`});`
			`} else {`
			`cb();`
			`}`
			`};`

			`loadRPC(createSocketServer);`