hardlounge/src/server.js

752 lines
19 KiB
JavaScript

"use strict";
const _ = require("lodash");
const log = require("./log");
const pkg = require("../package.json");
const Client = require("./client");
const ClientManager = require("./clientManager");
const express = require("express");
const fs = require("fs");
const path = require("path");
const io = require("socket.io");
const dns = require("dns");
const Uploader = require("./plugins/uploader");
const Helper = require("./helper");
const colors = require("chalk");
const net = require("net");
const Identification = require("./identification");
const changelog = require("./plugins/changelog");
const themes = require("./plugins/packages/themes");
themes.loadLocalThemes();
const packages = require("./plugins/packages/index");
packages.loadPackages();
// The order defined the priority: the first available plugin is used
// ALways keep local auth in the end, which should always be enabled.
const authPlugins = [
require("./plugins/auth/ldap"),
require("./plugins/auth/local"),
];
// A random number that will force clients to reload the page if it differs
const serverHash = Math.floor(Date.now() * Math.random());
let manager = null;
module.exports = function() {
log.info(`The Lounge ${colors.green(Helper.getVersion())} \
(Node.js ${colors.green(process.versions.node)} on ${colors.green(process.platform)} ${process.arch})`);
log.info(`Configuration file: ${colors.green(Helper.getConfigPath())}`);
const staticOptions = {
redirect: false,
maxAge: 86400 * 1000,
};
const app = express()
.set("env", "production")
.disable("x-powered-by")
.use(allRequests)
.get("/", indexRequest)
.get("/service-worker.js", forceNoCacheRequest)
.get("/js/bundle.js.map", forceNoCacheRequest)
.get("/css/style.css.map", forceNoCacheRequest)
.use(express.static(path.join(__dirname, "..", "public"), staticOptions))
.use("/storage/", express.static(Helper.getStoragePath(), staticOptions));
if (Helper.config.fileUpload.enable) {
Uploader.router(app);
}
// This route serves *installed themes only*. Local themes are served directly
// from the `public/themes/` folder as static assets, without entering this
// handler. Remember this if you make changes to this function, serving of
// local themes will not get those changes.
app.get("/themes/:theme.css", (req, res) => {
const themeName = req.params.theme;
const theme = themes.getFilename(themeName);
if (theme === undefined) {
return res.status(404).send("Not found");
}
return res.sendFile(theme);
});
app.get("/packages/:package/:filename", (req, res) => {
const packageName = req.params.package;
const fileName = req.params.filename;
const packageFile = packages.getPackage(packageName);
if (!packageFile || !packages.getStylesheets().includes(`${packageName}/${fileName}`)) {
return res.status(404).send("Not found");
}
const packagePath = Helper.getPackageModulePath(packageName);
return res.sendFile(path.join(packagePath, fileName));
});
let server = null;
if (Helper.config.public && (Helper.config.ldap || {}).enable) {
log.warn("Server is public and set to use LDAP. Set to private mode if trying to use LDAP authentication.");
}
if (!Helper.config.https.enable) {
server = require("http");
server = server.createServer(app);
} else {
const keyPath = Helper.expandHome(Helper.config.https.key);
const certPath = Helper.expandHome(Helper.config.https.certificate);
const caPath = Helper.expandHome(Helper.config.https.ca);
if (!keyPath.length || !fs.existsSync(keyPath)) {
log.error("Path to SSL key is invalid. Stopping server...");
process.exit();
}
if (!certPath.length || !fs.existsSync(certPath)) {
log.error("Path to SSL certificate is invalid. Stopping server...");
process.exit();
}
if (caPath.length && !fs.existsSync(caPath)) {
log.error("Path to SSL ca bundle is invalid. Stopping server...");
process.exit();
}
server = require("https");
server = server.createServer({
key: fs.readFileSync(keyPath),
cert: fs.readFileSync(certPath),
ca: caPath ? fs.readFileSync(caPath) : undefined,
}, app);
}
let listenParams;
if (typeof Helper.config.host === "string" && Helper.config.host.startsWith("unix:")) {
listenParams = Helper.config.host.replace(/^unix:/, "");
} else {
listenParams = {
port: Helper.config.port,
host: Helper.config.host,
};
}
server.on("error", (err) => log.error(`${err}`));
server.listen(listenParams, () => {
if (typeof listenParams === "string") {
log.info("Available on socket " + colors.green(listenParams));
} else {
const protocol = Helper.config.https.enable ? "https" : "http";
const address = server.address();
log.info(
"Available at " +
colors.green(`${protocol}://${address.address}:${address.port}/`) +
` in ${colors.bold(Helper.config.public ? "public" : "private")} mode`
);
}
const sockets = io(server, {
wsEngine: "ws",
serveClient: false,
transports: Helper.config.transports,
});
sockets.on("connect", (socket) => {
if (Helper.config.public) {
performAuthentication.call(socket, {});
} else {
socket.emit("auth", {
serverHash: serverHash,
success: true,
});
socket.on("auth", performAuthentication);
}
});
manager = new ClientManager();
new Identification((identHandler) => {
manager.init(identHandler, sockets);
});
// Handle ctrl+c and kill gracefully
let suicideTimeout = null;
const exitGracefully = function() {
if (suicideTimeout !== null) {
return;
}
log.info("Exiting...");
// Close all client and IRC connections
manager.clients.forEach((client) => client.quit());
if (Helper.config.prefetchStorage) {
log.info("Clearing prefetch storage folder, this might take a while...");
require("./plugins/storage").emptyDir();
}
// Forcefully exit after 3 seconds
suicideTimeout = setTimeout(() => process.exit(1), 3000);
// Close http server
server.close(() => {
clearTimeout(suicideTimeout);
process.exit(0);
});
};
process.on("SIGINT", exitGracefully);
process.on("SIGTERM", exitGracefully);
// Clear storage folder after server starts successfully
if (Helper.config.prefetchStorage) {
require("./plugins/storage").emptyDir();
}
});
return server;
};
function getClientLanguage(socket) {
const acceptLanguage = socket.handshake.headers["accept-language"];
if (typeof acceptLanguage === "string" && /^[\x00-\x7F]{1,50}$/.test(acceptLanguage)) {
// only allow ASCII strings between 1-50 characters in length
return acceptLanguage;
}
return null;
}
function getClientIp(socket) {
let ip = socket.handshake.address || "127.0.0.1";
if (Helper.config.reverseProxy) {
const forwarded = (socket.request.headers["x-forwarded-for"] || "").split(/\s*,\s*/).filter(Boolean);
if (forwarded.length && net.isIP(forwarded[0])) {
ip = forwarded[0];
}
}
return ip.replace(/^::ffff:/, "");
}
function allRequests(req, res, next) {
res.setHeader("X-Content-Type-Options", "nosniff");
return next();
}
function forceNoCacheRequest(req, res, next) {
// Intermittent proxies must not cache the following requests,
// browsers must fetch the latest version of these files (service worker, source maps)
res.setHeader("Cache-Control", "no-cache, no-transform");
return next();
}
function indexRequest(req, res) {
const policies = [
"default-src 'none'", // default to nothing
"form-action 'self'", // 'self' to fix saving passwords in Firefox, even though login is handled in javascript
"connect-src 'self' ws: wss:", // allow self for polling; websockets
"style-src 'self' https: 'unsafe-inline'", // allow inline due to use in irc hex colors
"script-src 'self'", // javascript
"worker-src 'self'", // service worker
"child-src 'self'", // deprecated fall back for workers, Firefox <58, see #1902
"manifest-src 'self'", // manifest.json
"font-src 'self' https:", // allow loading fonts from secure sites (e.g. google fonts)
"media-src 'self' https:", // self for notification sound; allow https media (audio previews)
];
// If prefetch is enabled, but storage is not, we have to allow mixed content
// - https://user-images.githubusercontent.com is where we currently push our changelog screenshots
// - data: is required for the HTML5 video player
if (Helper.config.prefetchStorage || !Helper.config.prefetch) {
policies.push("img-src 'self' data: https://user-images.githubusercontent.com");
policies.unshift("block-all-mixed-content");
} else {
policies.push("img-src http: https: data:");
}
res.setHeader("Content-Type", "text/html");
res.setHeader("Content-Security-Policy", policies.join("; "));
res.setHeader("Referrer-Policy", "no-referrer");
return fs.readFile(path.join(__dirname, "..", "client", "index.html.tpl"), "utf-8", (err, file) => {
if (err) {
throw err;
}
const config = getServerConfiguration();
config.cacheBust = Helper.getVersionCacheBust();
res.send(_.template(file)(config));
});
}
function initializeClient(socket, client, token, lastMessage) {
socket.emit("authorized");
client.clientAttach(socket.id, token);
if (Helper.config.fileUpload.enable) {
new Uploader(socket);
}
socket.on("disconnect", function() {
process.nextTick(() => client.clientDetach(socket.id));
});
socket.on("input", (data) => {
if (typeof data === "object") {
client.input(data);
}
});
socket.on("more", (data) => {
if (typeof data === "object") {
const history = client.more(data);
if (history !== null) {
socket.emit("more", history);
}
}
});
socket.on("network:new", (data) => {
if (typeof data === "object") {
// prevent people from overriding webirc settings
data.ip = null;
data.hostname = null;
data.uuid = null;
data.commands = null;
data.ignoreList = null;
client.connect(data);
}
});
socket.on("network:get", (data) => {
if (typeof data !== "string") {
return;
}
const network = _.find(client.networks, {uuid: data});
if (!network) {
return;
}
socket.emit("network:info", getClientConfiguration(network.export()));
});
socket.on("network:edit", (data) => {
if (typeof data !== "object") {
return;
}
const network = _.find(client.networks, {uuid: data.uuid});
if (!network) {
return;
}
network.edit(client, data);
});
if (!Helper.config.public && !Helper.config.ldap.enable) {
socket.on("change-password", (data) => {
if (typeof data === "object") {
const old = data.old_password;
const p1 = data.new_password;
const p2 = data.verify_password;
if (typeof p1 === "undefined" || p1 === "") {
socket.emit("change-password", {
error: "Please enter a new password",
});
return;
}
if (p1 !== p2) {
socket.emit("change-password", {
error: "Both new password fields must match",
});
return;
}
Helper.password
.compare(old || "", client.config.password)
.then((matching) => {
if (!matching) {
socket.emit("change-password", {
error: "The current password field does not match your account password",
});
return;
}
const hash = Helper.password.hash(p1);
client.setPassword(hash, (success) => {
const obj = {};
if (success) {
obj.success = "Successfully updated your password";
} else {
obj.error = "Failed to update your password";
}
socket.emit("change-password", obj);
});
}).catch((error) => {
log.error(`Error while checking users password. Error: ${error}`);
});
}
});
}
socket.on("open", (data) => {
client.open(socket.id, data);
});
socket.on("sort", (data) => {
if (typeof data === "object") {
client.sort(data);
}
});
socket.on("names", (data) => {
if (typeof data === "object") {
client.names(data);
}
});
socket.on("changelog", () => {
changelog.fetch((data) => {
socket.emit("changelog", data);
});
});
socket.on("msg:preview:toggle", (data) => {
if (typeof data !== "object") {
return;
}
const networkAndChan = client.find(data.target);
if (!networkAndChan) {
return;
}
const message = networkAndChan.chan.findMessage(data.msgId);
if (!message) {
return;
}
const preview = message.findPreview(data.link);
if (preview) {
preview.shown = data.shown;
}
});
if (!Helper.config.public) {
socket.on("push:register", (subscription) => {
if (!client.config.sessions.hasOwnProperty(token)) {
return;
}
const registration = client.registerPushSubscription(client.config.sessions[token], subscription);
if (registration) {
client.manager.webPush.pushSingle(client, registration, {
type: "notification",
timestamp: Date.now(),
title: "The Lounge",
body: "🚀 Push notifications have been enabled",
});
}
});
socket.on("push:unregister", () => client.unregisterPushSubscription(token));
}
const sendSessionList = () => {
const sessions = _.map(client.config.sessions, (session, sessionToken) => ({
current: sessionToken === token,
active: _.find(client.attachedClients, (u) => u.token === sessionToken) !== undefined,
lastUse: session.lastUse,
ip: session.ip,
agent: session.agent,
token: sessionToken, // TODO: Ideally don't expose actual tokens to the client
}));
socket.emit("sessions:list", sessions);
};
socket.on("sessions:get", sendSessionList);
if (!Helper.config.public) {
socket.on("setting:set", (newSetting) => {
if (!newSetting || typeof newSetting !== "object") {
return;
}
if (typeof newSetting.value === "object" || typeof newSetting.name !== "string" || newSetting.name[0] === "_") {
return;
}
// We do not need to do write operations and emit events if nothing changed.
if (client.config.clientSettings[newSetting.name] !== newSetting.value) {
client.config.clientSettings[newSetting.name] = newSetting.value;
// Pass the setting to all clients.
client.emit("setting:new", {
name: newSetting.name,
value: newSetting.value,
});
client.manager.updateUser(client.name, {
clientSettings: client.config.clientSettings,
});
if (newSetting.name === "highlights") {
client.compileCustomHighlights();
}
}
});
socket.on("setting:get", () => {
if (!client.config.hasOwnProperty("clientSettings")) {
socket.emit("setting:all", {});
return;
}
const clientSettings = client.config.clientSettings;
socket.emit("setting:all", clientSettings);
});
}
socket.on("sign-out", (tokenToSignOut) => {
// If no token provided, sign same client out
if (!tokenToSignOut) {
tokenToSignOut = token;
}
if (!client.config.sessions.hasOwnProperty(tokenToSignOut)) {
return;
}
delete client.config.sessions[tokenToSignOut];
client.manager.updateUser(client.name, {
sessions: client.config.sessions,
});
_.map(client.attachedClients, (attachedClient, socketId) => {
if (attachedClient.token !== tokenToSignOut) {
return;
}
const socketToRemove = manager.sockets.of("/").connected[socketId];
socketToRemove.emit("sign-out");
socketToRemove.disconnect();
});
// Do not send updated session list if user simply logs out
if (tokenToSignOut !== token) {
sendSessionList();
}
});
socket.join(client.id);
const sendInitEvent = (tokenToSend) => {
socket.emit("init", {
applicationServerKey: manager.webPush.vapidKeys.publicKey,
pushSubscription: client.config.sessions[token],
active: client.lastActiveChannel,
networks: client.networks.map((network) => network.getFilteredClone(client.lastActiveChannel, lastMessage)),
token: tokenToSend,
});
};
if (!Helper.config.public && token === null) {
client.generateToken((newToken) => {
client.attachedClients[socket.id].token = token = client.calculateTokenHash(newToken);
client.updateSession(token, getClientIp(socket), socket.request);
sendInitEvent(newToken);
});
} else {
sendInitEvent(null);
}
}
function getClientConfiguration(network) {
const config = _.pick(Helper.config, [
"public",
"lockNetwork",
"displayNetwork",
"useHexIp",
"prefetch",
]);
config.fileUpload = Helper.config.fileUpload.enable;
config.ldapEnabled = Helper.config.ldap.enable;
if (config.displayNetwork) {
config.defaults = _.clone(network || Helper.config.defaults);
} else {
// Only send defaults that are visible on the client
config.defaults = _.pick(network || Helper.config.defaults, [
"name",
"nick",
"username",
"password",
"realname",
"join",
]);
}
if (!network) {
config.version = pkg.version;
config.gitCommit = Helper.getGitCommit();
config.themes = themes.getAll();
config.defaultTheme = Helper.config.theme;
config.defaults.nick = Helper.getDefaultNick();
}
if (Uploader) {
config.fileUploadMaxFileSize = Uploader.getMaxFileSize();
}
return config;
}
function getServerConfiguration() {
const config = _.clone(Helper.config);
config.stylesheets = packages.getStylesheets();
return config;
}
function performAuthentication(data) {
if (typeof data !== "object") {
return;
}
const socket = this;
let client;
let token = null;
const finalInit = () => initializeClient(socket, client, token, data.lastMessage || -1);
const initClient = () => {
socket.emit("configuration", getClientConfiguration());
client.ip = getClientIp(socket);
client.language = getClientLanguage(socket);
// If webirc is enabled perform reverse dns lookup
if (Helper.config.webirc === null) {
return finalInit();
}
reverseDnsLookup(client.ip, (hostname) => {
client.hostname = hostname;
finalInit();
});
};
if (Helper.config.public) {
client = new Client(manager);
manager.clients.push(client);
socket.on("disconnect", function() {
manager.clients = _.without(manager.clients, client);
client.quit();
});
initClient();
return;
}
const authCallback = (success) => {
// Authorization failed
if (!success) {
if (!client) {
log.warn(`Authentication for non existing user attempted from ${colors.bold(getClientIp(socket))}`);
} else {
log.warn(`Authentication failed for user ${colors.bold(data.user)} from ${colors.bold(getClientIp(socket))}`);
}
socket.emit("auth", {success: false});
return;
}
// If authorization succeeded but there is no loaded user,
// load it and find the user again (this happens with LDAP)
if (!client) {
client = manager.loadUser(data.user);
}
initClient();
};
client = manager.findClient(data.user);
// We have found an existing user and client has provided a token
if (client && data.token) {
const providedToken = client.calculateTokenHash(data.token);
if (client.config.sessions.hasOwnProperty(providedToken)) {
token = providedToken;
client.updateSession(providedToken, getClientIp(socket), socket.request);
return authCallback(true);
}
}
// Perform password checking
let auth = () => {
log.error("None of the auth plugins is enabled");
};
for (let i = 0; i < authPlugins.length; ++i) {
if (authPlugins[i].isEnabled()) {
auth = authPlugins[i].auth;
break;
}
}
auth(manager, client, data.user, data.password, authCallback);
}
function reverseDnsLookup(ip, callback) {
dns.reverse(ip, (err, hostnames) => {
if (!err && hostnames.length) {
return callback(hostnames[0]);
}
callback(ip);
});
}