320 lines
13 KiB
JavaScript
320 lines
13 KiB
JavaScript
const express = require('express');
|
|
const path = require('path');
|
|
const cookieParser = require('cookie-parser');
|
|
const helmet = require('helmet');
|
|
const rateLimit = require('express-rate-limit');
|
|
const crypto = require('crypto');
|
|
const fs = require('fs');
|
|
const http = require('http');
|
|
const https = require('https');
|
|
require('dotenv').config();
|
|
|
|
// Setup logging with levels
|
|
// Levels: debug (0), info (1), warn (2), error (3), silent (4)
|
|
const LOG_LEVELS = { debug: 0, info: 1, warn: 2, error: 3, silent: 4 };
|
|
const currentLevel = LOG_LEVELS[(process.env.LOG_LEVEL || 'info').toLowerCase()] || 1;
|
|
|
|
// Log file lives in DATA_DIR so the non-root container user can write to it
|
|
const DATA_DIR = process.env.DATA_DIR || path.join(__dirname, '../data');
|
|
if (!fs.existsSync(DATA_DIR)) fs.mkdirSync(DATA_DIR, { recursive: true });
|
|
|
|
const LOG_PATH = path.join(DATA_DIR, 'server.log');
|
|
const LOG_MAX_BYTES = 10 * 1024 * 1024; // 10 MB per file
|
|
const LOG_KEEP = 3; // keep 3 rotated files
|
|
|
|
function rotateLogIfNeeded() {
|
|
try {
|
|
const stat = fs.statSync(LOG_PATH);
|
|
if (stat.size < LOG_MAX_BYTES) return;
|
|
for (let i = LOG_KEEP - 1; i >= 1; i--) {
|
|
const src = `${LOG_PATH}.${i}`;
|
|
const dst = `${LOG_PATH}.${i + 1}`;
|
|
if (fs.existsSync(src)) fs.renameSync(src, dst);
|
|
}
|
|
fs.renameSync(LOG_PATH, `${LOG_PATH}.1`);
|
|
} catch { /* ignore rotation errors — don't crash the server */ }
|
|
}
|
|
|
|
rotateLogIfNeeded();
|
|
const logFile = fs.createWriteStream(LOG_PATH, { flags: 'a' });
|
|
const originalConsoleLog = console.log;
|
|
const originalConsoleError = console.error;
|
|
const originalConsoleWarn = console.warn;
|
|
const originalConsoleDebug = console.debug;
|
|
|
|
function shouldLog(level) {
|
|
return level >= currentLevel;
|
|
}
|
|
|
|
console.debug = function(...args) {
|
|
if (!shouldLog(LOG_LEVELS.debug)) return;
|
|
const message = args.join(' ');
|
|
originalConsoleDebug.apply(console, args);
|
|
logFile.write(`[${new Date().toISOString()}] DEBUG: ${message}\n`);
|
|
};
|
|
|
|
console.log = function(...args) {
|
|
if (!shouldLog(LOG_LEVELS.info)) return;
|
|
const message = args.join(' ');
|
|
originalConsoleLog.apply(console, args);
|
|
logFile.write(`[${new Date().toISOString()}] ${message}\n`);
|
|
};
|
|
|
|
console.warn = function(...args) {
|
|
if (!shouldLog(LOG_LEVELS.warn)) return;
|
|
const message = args.join(' ');
|
|
originalConsoleWarn.apply(console, args);
|
|
logFile.write(`[${new Date().toISOString()}] WARN: ${message}\n`);
|
|
};
|
|
|
|
console.error = function(...args) {
|
|
if (!shouldLog(LOG_LEVELS.error)) return;
|
|
const message = args.join(' ');
|
|
originalConsoleError.apply(console, args);
|
|
logFile.write(`[${new Date().toISOString()}] ERROR: ${message}\n`);
|
|
};
|
|
|
|
const sabnzbdRoutes = require('./routes/sabnzbd');
|
|
const sonarrRoutes = require('./routes/sonarr');
|
|
const radarrRoutes = require('./routes/radarr');
|
|
const embyRoutes = require('./routes/emby');
|
|
const dashboardRoutes = require('./routes/dashboard');
|
|
const historyRoutes = require('./routes/history');
|
|
const authRoutes = require('./routes/auth');
|
|
const verifyCsrf = require('./middleware/verifyCsrf');
|
|
const { startPoller, POLL_INTERVAL, POLLING_ENABLED } = require('./utils/poller');
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Startup environment validation
|
|
// ---------------------------------------------------------------------------
|
|
const cookieSecret = process.env.COOKIE_SECRET;
|
|
if (!cookieSecret && process.env.NODE_ENV === 'production') {
|
|
console.error('[Security] COOKIE_SECRET is not set in production — aborting.');
|
|
process.exit(1);
|
|
} else if (!cookieSecret) {
|
|
console.warn('[Security] COOKIE_SECRET not set — unsigned cookies (dev only)');
|
|
}
|
|
if (!process.env.EMBY_URL && process.env.NODE_ENV === 'production') {
|
|
console.error('[Config] EMBY_URL is required');
|
|
process.exit(1);
|
|
}
|
|
|
|
const app = express();
|
|
const PORT = process.env.PORT || 3001;
|
|
|
|
// Resolve TLS_ENABLED early — used in Helmet CSP and server startup
|
|
const TLS_ENABLED = (process.env.TLS_ENABLED || 'true').toLowerCase() !== 'false';
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Trust proxy — required when behind Nginx/Caddy/Traefik so that
|
|
// req.ip reflects the real client IP (not 127.0.0.1) and
|
|
// req.secure is true when the upstream TLS is terminated by the proxy.
|
|
// Set TRUST_PROXY=1 (or a specific IP/CIDR) via env.
|
|
// ---------------------------------------------------------------------------
|
|
if (process.env.TRUST_PROXY) {
|
|
const trustValue = /^\d+$/.test(process.env.TRUST_PROXY)
|
|
? parseInt(process.env.TRUST_PROXY, 10)
|
|
: process.env.TRUST_PROXY;
|
|
app.set('trust proxy', trustValue);
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Helmet v7 — security response headers
|
|
// CSP uses a per-request nonce injected into index.html so inline scripts
|
|
// and styles are allowed only with a valid nonce, not blanket unsafe-inline.
|
|
// ---------------------------------------------------------------------------
|
|
app.use((req, res, next) => {
|
|
// Generate a fresh nonce for every request
|
|
res.locals.cspNonce = crypto.randomBytes(16).toString('base64');
|
|
next();
|
|
});
|
|
|
|
app.use((req, res, next) => {
|
|
helmet({
|
|
contentSecurityPolicy: {
|
|
directives: {
|
|
defaultSrc: ["'self'"],
|
|
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
|
|
styleSrc: ["'self'", (req, res) => `'nonce-${res.locals.cspNonce}'`],
|
|
imgSrc: ["'self'", 'data:', 'blob:'],
|
|
fontSrc: ["'self'", 'data:'],
|
|
connectSrc: ["'self'"],
|
|
objectSrc: ["'none'"],
|
|
baseUri: ["'self'"],
|
|
frameAncestors: ["'none'"],
|
|
formAction: ["'self'"],
|
|
upgradeInsecureRequests: (process.env.TRUST_PROXY || TLS_ENABLED) ? [] : null
|
|
}
|
|
},
|
|
hsts: {
|
|
maxAge: 31536000, // 1 year
|
|
includeSubDomains: true,
|
|
preload: true
|
|
},
|
|
referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
|
|
crossOriginEmbedderPolicy: false // not needed for this SPA
|
|
})(req, res, next);
|
|
});
|
|
|
|
// Permissions-Policy — disable powerful browser features not needed by the app
|
|
app.use((req, res, next) => {
|
|
res.setHeader(
|
|
'Permissions-Policy',
|
|
'camera=(), microphone=(), geolocation=(), payment=(), usb=()'
|
|
);
|
|
next();
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// General API rate limiter — applies to all /api/* routes
|
|
// More specific limiters (e.g. login) apply on top of this.
|
|
// ---------------------------------------------------------------------------
|
|
const apiLimiter = rateLimit({
|
|
windowMs: 15 * 60 * 1000, // 15 minutes
|
|
max: 300, // 300 requests per IP per window (generous for polling)
|
|
standardHeaders: true,
|
|
legacyHeaders: false,
|
|
message: { error: 'Too many requests, please try again later' }
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Body parsing & cookies
|
|
// ---------------------------------------------------------------------------
|
|
app.use(cookieParser(cookieSecret || undefined));
|
|
app.use(express.json({ limit: '64kb' })); // prevent oversized JSON payloads
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Health / readiness endpoints (no auth, no rate-limit)
|
|
// Used by Docker HEALTHCHECK and orchestrators.
|
|
// ---------------------------------------------------------------------------
|
|
app.get('/health', (req, res) => {
|
|
res.json({ status: 'ok', uptime: process.uptime() });
|
|
});
|
|
|
|
app.get('/ready', (req, res) => {
|
|
// Confirm critical config is present
|
|
const ready = !!(process.env.EMBY_URL);
|
|
if (ready) {
|
|
res.json({ status: 'ready' });
|
|
} else {
|
|
res.status(503).json({ status: 'not ready', reason: 'EMBY_URL not configured' });
|
|
}
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Static files — served before API routes
|
|
// index.html is served manually so we can inject the CSP nonce
|
|
// ---------------------------------------------------------------------------
|
|
const PUBLIC_DIR = path.join(__dirname, '../public');
|
|
const INDEX_HTML = path.join(PUBLIC_DIR, 'index.html');
|
|
|
|
// Serve all static assets (js, css, images, icons) except index.html.
|
|
// JS and CSS get no-cache so browsers revalidate on every load (ETag still
|
|
// avoids re-downloading unchanged files; only a deploy changes the ETag).
|
|
app.use(express.static(PUBLIC_DIR, {
|
|
index: false,
|
|
setHeaders(res, filePath) {
|
|
if (filePath.endsWith('.js') || filePath.endsWith('.css')) {
|
|
res.setHeader('Cache-Control', 'no-cache');
|
|
}
|
|
}
|
|
}));
|
|
|
|
// Serve index.html with CSP nonce injected into <script> tags
|
|
function serveIndex(req, res) {
|
|
fs.readFile(INDEX_HTML, 'utf8', (err, html) => {
|
|
if (err) return res.status(500).send('Internal Server Error');
|
|
const nonce = res.locals.cspNonce;
|
|
// Only inject nonce into <script> tags — style-src 'self' already permits
|
|
// same-origin <link rel=stylesheet> without a nonce, and injecting a nonce
|
|
// onto <link> breaks mobile browsers / caching proxies (stale HTML carries
|
|
// the old nonce which no longer matches the per-request CSP header).
|
|
const patched = html
|
|
.replace(/<script([^>]*)>/gi, `<script nonce="${nonce}"$1>`);
|
|
res.setHeader('Content-Type', 'text/html; charset=utf-8');
|
|
res.send(patched);
|
|
});
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// API routes (rate-limited; auth routes exempt CSRF for login/csrf endpoints)
|
|
// CSRF protection applies to all state-changing /api/* requests except
|
|
// /api/auth/login (pre-auth) and /api/auth/csrf (issues the token).
|
|
// ---------------------------------------------------------------------------
|
|
app.use('/api', apiLimiter);
|
|
app.use('/api/auth', authRoutes);
|
|
|
|
// All routes below this point require CSRF validation on mutating methods
|
|
app.use('/api', verifyCsrf);
|
|
app.use('/api/sabnzbd', sabnzbdRoutes);
|
|
app.use('/api/sonarr', sonarrRoutes);
|
|
app.use('/api/radarr', radarrRoutes);
|
|
app.use('/api/emby', embyRoutes);
|
|
app.use('/api/dashboard', dashboardRoutes);
|
|
app.use('/api/history', historyRoutes);
|
|
|
|
// SPA catch-all — serve index.html for any unmatched path
|
|
app.get('*', serveIndex);
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Global error handler — never leak stack traces to clients
|
|
// ---------------------------------------------------------------------------
|
|
// eslint-disable-next-line no-unused-vars
|
|
app.use((err, req, res, next) => {
|
|
console.error('[Server] Unhandled error:', err.message);
|
|
res.status(500).json({ error: 'Internal server error' });
|
|
});
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// TLS / HTTPS support
|
|
// Set TLS_CERT and TLS_KEY to paths of your certificate and private key.
|
|
// If unset, defaults to the bundled snakeoil self-signed certificate
|
|
// (localhost/127.0.0.1 only — suitable for local testing).
|
|
// Set TLS_ENABLED=false to force plain HTTP even if cert files exist.
|
|
// ---------------------------------------------------------------------------
|
|
const CERTS_DIR = path.join(__dirname, '../certs');
|
|
const TLS_CERT_PATH = process.env.TLS_CERT || path.join(CERTS_DIR, 'snakeoil.crt');
|
|
const TLS_KEY_PATH = process.env.TLS_KEY || path.join(CERTS_DIR, 'snakeoil.key');
|
|
|
|
function loadTlsCredentials() {
|
|
if (!TLS_ENABLED) return null;
|
|
try {
|
|
return {
|
|
cert: fs.readFileSync(TLS_CERT_PATH),
|
|
key: fs.readFileSync(TLS_KEY_PATH)
|
|
};
|
|
} catch (err) {
|
|
console.warn(`[TLS] Could not load certificate files — falling back to HTTP. (${err.message})`);
|
|
return null;
|
|
}
|
|
}
|
|
|
|
const tlsCredentials = loadTlsCredentials();
|
|
const server = tlsCredentials
|
|
? https.createServer(tlsCredentials, app)
|
|
: http.createServer(app);
|
|
|
|
const protocol = tlsCredentials ? 'https' : 'http';
|
|
const isSnakeoil = TLS_ENABLED &&
|
|
(!process.env.TLS_CERT || process.env.TLS_CERT === TLS_CERT_PATH);
|
|
|
|
server.listen(PORT, () => {
|
|
console.log(`=================================`);
|
|
console.log(` sofarr - Your Downloads Dashboard`);
|
|
console.log(` Server running on ${protocol}://localhost:${PORT}`);
|
|
if (tlsCredentials && isSnakeoil) {
|
|
console.warn(` [TLS] Using bundled snakeoil certificate (self-signed).`);
|
|
console.warn(` [TLS] Set TLS_CERT and TLS_KEY for a trusted certificate.`);
|
|
console.warn(` [TLS] Set TLS_ENABLED=false to disable TLS entirely.`);
|
|
} else if (tlsCredentials) {
|
|
console.log(` [TLS] Certificate: ${TLS_CERT_PATH}`);
|
|
} else {
|
|
console.warn(` [TLS] Running in plain HTTP mode — not suitable for production.`);
|
|
}
|
|
console.log(` Log level: ${process.env.LOG_LEVEL || 'info'}`);
|
|
console.log(` Polling: ${POLLING_ENABLED ? POLL_INTERVAL + 'ms' : 'disabled (on-demand)'}`);
|
|
console.log(` Trust proxy: ${process.env.TRUST_PROXY || 'disabled'}`);
|
|
console.log(`=================================`);
|
|
startPoller();
|
|
});
|