diff --git a/app.js b/app.js index 10b7bd978..930191ce4 100644 --- a/app.js +++ b/app.js @@ -22,7 +22,7 @@ var flash = require('connect-flash') // core var config = require('./lib/config') var logger = require('./lib/logger') -var response = require('./lib/response') +var errors = require('./lib/errors') var models = require('./lib/models') var csp = require('./lib/csp') @@ -212,11 +212,11 @@ app.use(require('./lib/web/auth')) app.use(require('./lib/web/historyRouter')) app.use(require('./lib/web/userRouter')) app.use(require('./lib/web/imageRouter')) -app.use(require('./lib/web/noteRouter')) +app.use(require('./lib/web/note/router')) // response not found if no any route matxches app.get('*', function (req, res) { - response.errorNotFound(res) + errors.errorNotFound(res) }) // socket.io secure diff --git a/lib/errors.js b/lib/errors.js new file mode 100644 index 000000000..64f938597 --- /dev/null +++ b/lib/errors.js @@ -0,0 +1,38 @@ +const config = require('./config') + +module.exports = { + errorForbidden: function (res) { + const { req } = res + if (req.user) { + responseError(res, '403', 'Forbidden', 'oh no.') + } else { + req.flash('error', 'You are not allowed to access this page. Maybe try logging in?') + res.redirect(config.serverURL + '/') + } + }, + errorNotFound: function (res) { + responseError(res, '404', 'Not Found', 'oops.') + }, + errorBadRequest: function (res) { + responseError(res, '400', 'Bad Request', 'something not right.') + }, + errorTooLong: function (res) { + responseError(res, '413', 'Payload Too Large', 'Shorten your note!') + }, + errorInternalError: function (res) { + responseError(res, '500', 'Internal Error', 'wtf.') + }, + errorServiceUnavailable: function (res) { + res.status(503).send('I\'m busy right now, try again later.') + } +} + +function responseError (res, code, detail, msg) { + res.status(code).render('error.ejs', { + title: code + ' ' + detail + ' ' + msg, + code: code, + detail: detail, + msg: msg, + opengraph: [] + }) +} diff --git a/lib/history.js b/lib/history.js index 88a7ee05b..3ebf77fd8 100644 --- a/lib/history.js +++ b/lib/history.js @@ -5,8 +5,8 @@ var LZString = require('lz-string') // core var logger = require('./logger') -var response = require('./response') var models = require('./models') +const errors = require('./errors') // public var History = { @@ -121,14 +121,14 @@ function parseHistoryToObject (history) { function historyGet (req, res) { if (req.isAuthenticated()) { getHistory(req.user.id, function (err, history) { - if (err) return response.errorInternalError(res) - if (!history) return response.errorNotFound(res) + if (err) return errors.errorInternalError(res) + if (!history) return errors.errorNotFound(res) res.send({ history: parseHistoryToArray(history) }) }) } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } } @@ -136,40 +136,40 @@ function historyPost (req, res) { if (req.isAuthenticated()) { var noteId = req.params.noteId if (!noteId) { - if (typeof req.body['history'] === 'undefined') return response.errorBadRequest(res) + if (typeof req.body['history'] === 'undefined') return errors.errorBadRequest(res) logger.debug(`SERVER received history from [${req.user.id}]: ${req.body.history}`) try { var history = JSON.parse(req.body.history) } catch (err) { - return response.errorBadRequest(res) + return errors.errorBadRequest(res) } if (Array.isArray(history)) { setHistory(req.user.id, history, function (err, count) { - if (err) return response.errorInternalError(res) + if (err) return errors.errorInternalError(res) res.end() }) } else { - return response.errorBadRequest(res) + return errors.errorBadRequest(res) } } else { - if (typeof req.body['pinned'] === 'undefined') return response.errorBadRequest(res) + if (typeof req.body['pinned'] === 'undefined') return errors.errorBadRequest(res) getHistory(req.user.id, function (err, history) { - if (err) return response.errorInternalError(res) - if (!history) return response.errorNotFound(res) - if (!history[noteId]) return response.errorNotFound(res) + if (err) return errors.errorInternalError(res) + if (!history) return errors.errorNotFound(res) + if (!history[noteId]) return errors.errorNotFound(res) if (req.body.pinned === 'true' || req.body.pinned === 'false') { history[noteId].pinned = (req.body.pinned === 'true') setHistory(req.user.id, history, function (err, count) { - if (err) return response.errorInternalError(res) + if (err) return errors.errorInternalError(res) res.end() }) } else { - return response.errorBadRequest(res) + return errors.errorBadRequest(res) } }) } } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } } @@ -178,22 +178,22 @@ function historyDelete (req, res) { var noteId = req.params.noteId if (!noteId) { setHistory(req.user.id, [], function (err, count) { - if (err) return response.errorInternalError(res) + if (err) return errors.errorInternalError(res) res.end() }) } else { getHistory(req.user.id, function (err, history) { - if (err) return response.errorInternalError(res) - if (!history) return response.errorNotFound(res) + if (err) return errors.errorInternalError(res) + if (!history) return errors.errorNotFound(res) delete history[noteId] setHistory(req.user.id, history, function (err, count) { - if (err) return response.errorInternalError(res) + if (err) return errors.errorInternalError(res) res.end() }) }) } } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } } diff --git a/lib/response.js b/lib/response.js index 74d71d523..2e944e32e 100644 --- a/lib/response.js +++ b/lib/response.js @@ -3,66 +3,21 @@ // external modules var fs = require('fs') var path = require('path') -var markdownpdf = require('markdown-pdf') -var shortId = require('shortid') -var querystring = require('querystring') var request = require('request') -var moment = require('moment') - // core var config = require('./config') var logger = require('./logger') var models = require('./models') -var utils = require('./utils') +const noteUtil = require('./web/note/util') +const errors = require('./errors') // public var response = { - errorForbidden: function (res) { - const { req } = res - if (req.user) { - responseError(res, '403', 'Forbidden', 'oh no.') - } else { - req.flash('error', 'You are not allowed to access this page. Maybe try logging in?') - res.redirect(config.serverURL + '/') - } - }, - errorNotFound: function (res) { - responseError(res, '404', 'Not Found', 'oops.') - }, - errorBadRequest: function (res) { - responseError(res, '400', 'Bad Request', 'something not right.') - }, - errorTooLong: function (res) { - responseError(res, '413', 'Payload Too Large', 'Shorten your note!') - }, - errorInternalError: function (res) { - responseError(res, '500', 'Internal Error', 'wtf.') - }, - errorServiceUnavailable: function (res) { - res.status(503).send("I'm busy right now, try again later.") - }, - showNote: showNote, - showPublishNote: showPublishNote, - showPublishSlide: showPublishSlide, showIndex: showIndex, - noteActions: noteActions, - postNote: postNote, - publishNoteActions: publishNoteActions, - publishSlideActions: publishSlideActions, githubActions: githubActions, gitlabActions: gitlabActions } -function responseError (res, code, detail, msg) { - res.status(code).render('error.ejs', { - title: code + ' ' + detail + ' ' + msg, - code: code, - detail: detail, - msg: msg, - opengraph: [] - }) -} - function showIndex (req, res, next) { var authStatus = req.isAuthenticated() var deleteToken = '' @@ -93,377 +48,9 @@ function showIndex (req, res, next) { } } -function responseCodiMD (res, note) { - var body = note.content - var extracted = models.Note.extractMeta(body) - var meta = models.Note.parseMeta(extracted.meta) - var title = models.Note.decodeTitle(note.title) - title = models.Note.generateWebTitle(meta.title || title) - var opengraph = models.Note.parseOpengraph(meta, title) - res.set({ - 'Cache-Control': 'private', // only cache by client - 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling - }) - res.render('codimd.ejs', { - title: title, - opengraph: opengraph - }) -} - -function postNote (req, res, next) { - var body = '' - if (req.body && req.body.length > config.documentMaxLength) { - return response.errorTooLong(res) - } else if (req.body) { - body = req.body - } - body = body.replace(/[\r]/g, '') - return newNote(req, res, body) -} - -function newNote (req, res, body) { - var owner = null - var noteId = req.params.noteId ? req.params.noteId : null - if (req.isAuthenticated()) { - owner = req.user.id - } else if (!config.allowAnonymous) { - return response.errorForbidden(res) - } - if (config.allowFreeURL && noteId && !config.forbiddenNoteIDs.includes(noteId)) { - req.alias = noteId - } else if (noteId) { - return req.method === 'POST' ? response.errorForbidden(res) : response.errorNotFound(res) - } - models.Note.create({ - ownerId: owner, - alias: req.alias ? req.alias : null, - content: body - }).then(function (note) { - return res.redirect(config.serverURL + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id))) - }).catch(function (err) { - logger.error(err) - return response.errorInternalError(res) - }) -} - -function checkViewPermission (req, note) { - if (note.permission === 'private') { - if (!req.isAuthenticated() || note.ownerId !== req.user.id) { return false } else { return true } - } else if (note.permission === 'limited' || note.permission === 'protected') { - if (!req.isAuthenticated()) { return false } else { return true } - } else { - return true - } -} - -function findNote (req, res, callback, include) { - var id = req.params.noteId || req.params.shortid - models.Note.parseNoteId(id, function (err, _id) { - if (err) { - logger.error(err) - return response.errorInternalError(res) - } - models.Note.findOne({ - where: { - id: _id - }, - include: include || null - }).then(function (note) { - if (!note) { - return newNote(req, res, null) - } - if (!checkViewPermission(req, note)) { - return response.errorForbidden(res) - } else { - return callback(note) - } - }).catch(function (err) { - logger.error(err) - return response.errorInternalError(res) - }) - }) -} - -function showNote (req, res, next) { - findNote(req, res, function (note) { - // force to use note id - var noteId = req.params.noteId - var id = models.Note.encodeNoteId(note.id) - if ((note.alias && noteId !== note.alias) || (!note.alias && noteId !== id)) { return res.redirect(config.serverURL + '/' + (note.alias || id)) } - return responseCodiMD(res, note) - }) -} - -function showPublishNote (req, res, next) { - var include = [{ - model: models.User, - as: 'owner' - }, { - model: models.User, - as: 'lastchangeuser' - }] - findNote(req, res, function (note) { - // force to use short id - var shortid = req.params.shortid - if ((note.alias && shortid !== note.alias) || (!note.alias && shortid !== note.shortid)) { - return res.redirect(config.serverURL + '/s/' + (note.alias || note.shortid)) - } - note.increment('viewcount').then(function (note) { - if (!note) { - return response.errorNotFound(res) - } - var body = note.content - var extracted = models.Note.extractMeta(body) - var markdown = extracted.markdown - var meta = models.Note.parseMeta(extracted.meta) - var createtime = note.createdAt - var updatetime = note.lastchangeAt - var title = models.Note.decodeTitle(note.title) - title = models.Note.generateWebTitle(meta.title || title) - var ogdata = models.Note.parseOpengraph(meta, title) - var data = { - title: title, - description: meta.description || (markdown ? models.Note.generateDescription(markdown) : null), - viewcount: note.viewcount, - createtime: createtime, - updatetime: updatetime, - body: body, - owner: note.owner ? note.owner.id : null, - ownerprofile: note.owner ? models.User.getProfile(note.owner) : null, - lastchangeuser: note.lastchangeuser ? note.lastchangeuser.id : null, - lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null, - robots: meta.robots || false, // default allow robots - GA: meta.GA, - disqus: meta.disqus, - cspNonce: res.locals.nonce, - dnt: req.headers.dnt, - opengraph: ogdata - } - return renderPublish(data, res) - }).catch(function (err) { - logger.error(err) - return response.errorInternalError(res) - }) - }, include) -} - -function renderPublish (data, res) { - res.set({ - 'Cache-Control': 'private' // only cache by client - }) - res.render('pretty.ejs', data) -} - -function actionPublish (req, res, note) { - res.redirect(config.serverURL + '/s/' + (note.alias || note.shortid)) -} - -function actionSlide (req, res, note) { - res.redirect(config.serverURL + '/p/' + (note.alias || note.shortid)) -} - -function actionDownload (req, res, note) { - var body = note.content - var title = models.Note.decodeTitle(note.title) - var filename = title - filename = encodeURIComponent(filename) - res.set({ - 'Access-Control-Allow-Origin': '*', // allow CORS as API - 'Access-Control-Allow-Headers': 'Range', - 'Access-Control-Expose-Headers': 'Cache-Control, Content-Encoding, Content-Range', - 'Content-Type': 'text/markdown; charset=UTF-8', - 'Cache-Control': 'private', - 'Content-disposition': 'attachment; filename=' + filename + '.md', - 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling - }) - res.send(body) -} - -function actionInfo (req, res, note) { - var body = note.content - var extracted = models.Note.extractMeta(body) - var markdown = extracted.markdown - var meta = models.Note.parseMeta(extracted.meta) - var createtime = note.createdAt - var updatetime = note.lastchangeAt - var title = models.Note.decodeTitle(note.title) - var data = { - title: meta.title || title, - description: meta.description || (markdown ? models.Note.generateDescription(markdown) : null), - viewcount: note.viewcount, - createtime: createtime, - updatetime: updatetime - } - res.set({ - 'Access-Control-Allow-Origin': '*', // allow CORS as API - 'Access-Control-Allow-Headers': 'Range', - 'Access-Control-Expose-Headers': 'Cache-Control, Content-Encoding, Content-Range', - 'Cache-Control': 'private', // only cache by client - 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling - }) - res.send(data) -} - -function actionPDF (req, res, note) { - var url = config.serverURL || 'http://' + req.get('host') - var body = note.content - var extracted = models.Note.extractMeta(body) - var content = extracted.markdown - var title = models.Note.decodeTitle(note.title) - - if (!fs.existsSync(config.tmpPath)) { - fs.mkdirSync(config.tmpPath) - } - var path = config.tmpPath + '/' + Date.now() + '.pdf' - content = content.replace(/\]\(\//g, '](' + url + '/') - markdownpdf().from.string(content).to(path, function () { - if (!fs.existsSync(path)) { - logger.error('PDF seems to not be generated as expected. File doesn\'t exist: ' + path) - return response.errorInternalError(res) - } - var stream = fs.createReadStream(path) - var filename = title - // Be careful of special characters - filename = encodeURIComponent(filename) - // Ideally this should strip them - res.setHeader('Content-disposition', 'attachment; filename="' + filename + '.pdf"') - res.setHeader('Cache-Control', 'private') - res.setHeader('Content-Type', 'application/pdf; charset=UTF-8') - res.setHeader('X-Robots-Tag', 'noindex, nofollow') // prevent crawling - stream.pipe(res) - fs.unlinkSync(path) - }) -} - -function actionGist (req, res, note) { - var data = { - client_id: config.github.clientID, - redirect_uri: config.serverURL + '/auth/github/callback/' + models.Note.encodeNoteId(note.id) + '/gist', - scope: 'gist', - state: shortId.generate() - } - var query = querystring.stringify(data) - res.redirect('https://github.com/login/oauth/authorize?' + query) -} - -function actionRevision (req, res, note) { - var actionId = req.params.actionId - if (actionId) { - var time = moment(parseInt(actionId)) - if (time.isValid()) { - models.Revision.getPatchedNoteRevisionByTime(note, time, function (err, content) { - if (err) { - logger.error(err) - return response.errorInternalError(res) - } - if (!content) { - return response.errorNotFound(res) - } - res.set({ - 'Access-Control-Allow-Origin': '*', // allow CORS as API - 'Access-Control-Allow-Headers': 'Range', - 'Access-Control-Expose-Headers': 'Cache-Control, Content-Encoding, Content-Range', - 'Cache-Control': 'private', // only cache by client - 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling - }) - res.send(content) - }) - } else { - return response.errorNotFound(res) - } - } else { - models.Revision.getNoteRevisions(note, function (err, data) { - if (err) { - logger.error(err) - return response.errorInternalError(res) - } - var out = { - revision: data - } - res.set({ - 'Access-Control-Allow-Origin': '*', // allow CORS as API - 'Access-Control-Allow-Headers': 'Range', - 'Access-Control-Expose-Headers': 'Cache-Control, Content-Encoding, Content-Range', - 'Cache-Control': 'private', // only cache by client - 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling - }) - res.send(out) - }) - } -} - -function noteActions (req, res, next) { - var noteId = req.params.noteId - findNote(req, res, function (note) { - var action = req.params.action - switch (action) { - case 'publish': - case 'pretty': // pretty deprecated - actionPublish(req, res, note) - break - case 'slide': - actionSlide(req, res, note) - break - case 'download': - actionDownload(req, res, note) - break - case 'info': - actionInfo(req, res, note) - break - case 'pdf': - if (config.allowPDFExport) { - actionPDF(req, res, note) - } else { - logger.error('PDF export failed: Disabled by config. Set "allowPDFExport: true" to enable. Check the documentation for details') - response.errorForbidden(res) - } - break - case 'gist': - actionGist(req, res, note) - break - case 'revision': - actionRevision(req, res, note) - break - default: - return res.redirect(config.serverURL + '/' + noteId) - } - }) -} - -function publishNoteActions (req, res, next) { - findNote(req, res, function (note) { - var action = req.params.action - switch (action) { - case 'download': - actionDownload(req, res, note) - break - case 'edit': - res.redirect(config.serverURL + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id)) + '?both') - break - default: - res.redirect(config.serverURL + '/s/' + note.shortid) - break - } - }) -} - -function publishSlideActions (req, res, next) { - findNote(req, res, function (note) { - var action = req.params.action - switch (action) { - case 'edit': - res.redirect(config.serverURL + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id)) + '?both') - break - default: - res.redirect(config.serverURL + '/p/' + note.shortid) - break - } - }) -} - function githubActions (req, res, next) { var noteId = req.params.noteId - findNote(req, res, function (note) { + noteUtil.findNote(req, res, function (note) { var action = req.params.action switch (action) { case 'gist': @@ -480,7 +67,7 @@ function githubActionGist (req, res, note) { var code = req.query.code var state = req.query.state if (!code || !state) { - return response.errorForbidden(res) + return errors.errorForbidden(res) } else { var data = { client_id: config.github.clientID, @@ -520,14 +107,14 @@ function githubActionGist (req, res, note) { res.setHeader('referer', '') res.redirect(body.html_url) } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } }) } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } }) } @@ -535,7 +122,7 @@ function githubActionGist (req, res, note) { function gitlabActions (req, res, next) { var noteId = req.params.noteId - findNote(req, res, function (note) { + noteUtil.findNote(req, res, function (note) { var action = req.params.action switch (action) { case 'projects': @@ -555,7 +142,7 @@ function gitlabActionProjects (req, res, note) { id: req.user.id } }).then(function (user) { - if (!user) { return response.errorNotFound(res) } + if (!user) { return errors.errorNotFound(res) } var ret = { baseURL: config.gitlab.baseURL, version: config.gitlab.version } ret.accesstoken = user.accessToken ret.profileid = user.profileid @@ -572,69 +159,11 @@ function gitlabActionProjects (req, res, note) { ) }).catch(function (err) { logger.error('gitlab action projects failed: ' + err) - return response.errorInternalError(res) + return errors.errorInternalError(res) }) } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } } -function showPublishSlide (req, res, next) { - var include = [{ - model: models.User, - as: 'owner' - }, { - model: models.User, - as: 'lastchangeuser' - }] - findNote(req, res, function (note) { - // force to use short id - var shortid = req.params.shortid - if ((note.alias && shortid !== note.alias) || (!note.alias && shortid !== note.shortid)) { return res.redirect(config.serverURL + '/p/' + (note.alias || note.shortid)) } - note.increment('viewcount').then(function (note) { - if (!note) { - return response.errorNotFound(res) - } - var body = note.content - var extracted = models.Note.extractMeta(body) - var markdown = extracted.markdown - var meta = models.Note.parseMeta(extracted.meta) - var createtime = note.createdAt - var updatetime = note.lastchangeAt - var title = models.Note.decodeTitle(note.title) - title = models.Note.generateWebTitle(meta.title || title) - var data = { - title: title, - description: meta.description || (markdown ? models.Note.generateDescription(markdown) : null), - viewcount: note.viewcount, - createtime: createtime, - updatetime: updatetime, - body: markdown, - theme: meta.slideOptions && utils.isRevealTheme(meta.slideOptions.theme), - meta: JSON.stringify(extracted.meta), - owner: note.owner ? note.owner.id : null, - ownerprofile: note.owner ? models.User.getProfile(note.owner) : null, - lastchangeuser: note.lastchangeuser ? note.lastchangeuser.id : null, - lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null, - robots: meta.robots || false, // default allow robots - GA: meta.GA, - disqus: meta.disqus, - cspNonce: res.locals.nonce, - dnt: req.headers.dnt - } - return renderPublishSlide(data, res) - }).catch(function (err) { - logger.error(err) - return response.errorInternalError(res) - }) - }, include) -} - -function renderPublishSlide (data, res) { - res.set({ - 'Cache-Control': 'private' // only cache by client - }) - res.render('slide.ejs', data) -} - module.exports = response diff --git a/lib/utils.js b/lib/utils.js index 1725f6e88..270cbd6a2 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -1,6 +1,4 @@ 'use strict' -const fs = require('fs') -const path = require('path') exports.isSQLite = function isSQLite (sequelize) { return sequelize.options.dialect === 'sqlite' @@ -27,10 +25,3 @@ exports.getImageMimeType = function getImageMimeType (imagePath) { return undefined } } - -exports.isRevealTheme = function isRevealTheme (theme) { - if (fs.existsSync(path.join(__dirname, '..', 'public', 'build', 'reveal.js', 'css', 'theme', theme + '.css'))) { - return theme - } - return undefined -} diff --git a/lib/web/auth/email/index.js b/lib/web/auth/email/index.js index 32e214289..06560545d 100644 --- a/lib/web/auth/email/index.js +++ b/lib/web/auth/email/index.js @@ -9,7 +9,7 @@ const models = require('../../../models') const logger = require('../../../logger') const { setReturnToFromReferer } = require('../utils') const { urlencodedParser } = require('../../utils') -const response = require('../../../response') +const errors = require('../../../errors') let emailAuth = module.exports = Router() @@ -39,8 +39,8 @@ passport.use(new LocalStrategy({ if (config.allowEmailRegister) { emailAuth.post('/register', urlencodedParser, function (req, res, next) { - if (!req.body.email || !req.body.password) return response.errorBadRequest(res) - if (!validator.isEmail(req.body.email)) return response.errorBadRequest(res) + if (!req.body.email || !req.body.password) return errors.errorBadRequest(res) + if (!validator.isEmail(req.body.email)) return errors.errorBadRequest(res) models.User.findOrCreate({ where: { email: req.body.email @@ -63,14 +63,14 @@ if (config.allowEmailRegister) { return res.redirect(config.serverURL + '/') }).catch(function (err) { logger.error('auth callback failed: ' + err) - return response.errorInternalError(res) + return errors.errorInternalError(res) }) }) } emailAuth.post('/login', urlencodedParser, function (req, res, next) { - if (!req.body.email || !req.body.password) return response.errorBadRequest(res) - if (!validator.isEmail(req.body.email)) return response.errorBadRequest(res) + if (!req.body.email || !req.body.password) return errors.errorBadRequest(res) + if (!validator.isEmail(req.body.email)) return errors.errorBadRequest(res) setReturnToFromReferer(req) passport.authenticate('local', { successReturnToOrRedirect: config.serverURL + '/', diff --git a/lib/web/auth/ldap/index.js b/lib/web/auth/ldap/index.js index 961436646..28f3e471b 100644 --- a/lib/web/auth/ldap/index.js +++ b/lib/web/auth/ldap/index.js @@ -8,7 +8,7 @@ const models = require('../../../models') const logger = require('../../../logger') const { setReturnToFromReferer } = require('../utils') const { urlencodedParser } = require('../../utils') -const response = require('../../../response') +const errors = require('../../../errors') let ldapAuth = module.exports = Router() @@ -81,7 +81,7 @@ passport.use(new LDAPStrategy({ })) ldapAuth.post('/auth/ldap', urlencodedParser, function (req, res, next) { - if (!req.body.username || !req.body.password) return response.errorBadRequest(res) + if (!req.body.username || !req.body.password) return errors.errorBadRequest(res) setReturnToFromReferer(req) passport.authenticate('ldapauth', { successReturnToOrRedirect: config.serverURL + '/', diff --git a/lib/web/baseRouter.js b/lib/web/baseRouter.js index b918ce759..df5e2777b 100644 --- a/lib/web/baseRouter.js +++ b/lib/web/baseRouter.js @@ -6,17 +6,19 @@ const response = require('../response') const baseRouter = module.exports = Router() +const errors = require('../errors') + // get index baseRouter.get('/', response.showIndex) // get 403 forbidden baseRouter.get('/403', function (req, res) { - response.errorForbidden(res) + errors.errorForbidden(res) }) // get 404 not found baseRouter.get('/404', function (req, res) { - response.errorNotFound(res) + errors.errorNotFound(res) }) // get 500 internal error baseRouter.get('/500', function (req, res) { - response.errorInternalError(res) + errors.errorInternalError(res) }) diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js index 0b59218b8..aa02e9b09 100644 --- a/lib/web/imageRouter/index.js +++ b/lib/web/imageRouter/index.js @@ -5,7 +5,7 @@ const formidable = require('formidable') const config = require('../../config') const logger = require('../../logger') -const response = require('../../response') +const errors = require('../../errors') const imageRouter = module.exports = Router() @@ -22,7 +22,7 @@ imageRouter.post('/uploadimage', function (req, res) { form.parse(req, function (err, fields, files) { if (err || !files.image || !files.image.path) { logger.error(`formidable error: ${err}`) - response.errorForbidden(res) + errors.errorForbidden(res) } else { logger.debug(`SERVER received uploadimage: ${JSON.stringify(files.image)}`) diff --git a/lib/web/middleware/checkURIValid.js b/lib/web/middleware/checkURIValid.js index 88065e79c..cd6dabd2f 100644 --- a/lib/web/middleware/checkURIValid.js +++ b/lib/web/middleware/checkURIValid.js @@ -1,14 +1,14 @@ 'use strict' const logger = require('../../logger') -const response = require('../../response') +const errors = require('../../errors') module.exports = function (req, res, next) { try { decodeURIComponent(req.path) } catch (err) { logger.error(err) - return response.errorBadRequest(res) + return errors.errorBadRequest(res) } next() } diff --git a/lib/web/middleware/tooBusy.js b/lib/web/middleware/tooBusy.js index 49efbe373..a2101975a 100644 --- a/lib/web/middleware/tooBusy.js +++ b/lib/web/middleware/tooBusy.js @@ -2,14 +2,14 @@ const toobusy = require('toobusy-js') -const response = require('../../response') +const errors = require('../../errors') const config = require('../../config') toobusy.maxLag(config.tooBusyLag) module.exports = function (req, res, next) { if (toobusy()) { - response.errorServiceUnavailable(res) + errors.errorServiceUnavailable(res) } else { next() } diff --git a/lib/web/note/actions.js b/lib/web/note/actions.js new file mode 100644 index 000000000..9ff7fedbf --- /dev/null +++ b/lib/web/note/actions.js @@ -0,0 +1,122 @@ +const models = require('../../models') +const logger = require('../../logger') +const config = require('../../config') +const errors = require('../../errors') +const fs = require('fs') +const shortId = require('shortid') +const markdownpdf = require('markdown-pdf') +const moment = require('moment') +const querystring = require('querystring') + +exports.getInfo = function getInfo (req, res, note) { + const body = note.content + const extracted = models.Note.extractMeta(body) + const markdown = extracted.markdown + const meta = models.Note.parseMeta(extracted.meta) + const createtime = note.createdAt + const updatetime = note.lastchangeAt + const title = models.Note.decodeTitle(note.title) + const data = { + title: meta.title || title, + description: meta.description || (markdown ? models.Note.generateDescription(markdown) : null), + viewcount: note.viewcount, + createtime: createtime, + updatetime: updatetime + } + res.set({ + 'Access-Control-Allow-Origin': '*', // allow CORS as API + 'Access-Control-Allow-Headers': 'Range', + 'Access-Control-Expose-Headers': 'Cache-Control, Content-Encoding, Content-Range', + 'Cache-Control': 'private', // only cache by client + 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling + }) + res.send(data) +} + +exports.createPDF = function createPDF (req, res, note) { + const url = config.serverURL || 'http://' + req.get('host') + const body = note.content + const extracted = models.Note.extractMeta(body) + let content = extracted.markdown + const title = models.Note.decodeTitle(note.title) + + if (!fs.existsSync(config.tmpPath)) { + fs.mkdirSync(config.tmpPath) + } + const path = config.tmpPath + '/' + Date.now() + '.pdf' + content = content.replace(/\]\(\//g, '](' + url + '/') + markdownpdf().from.string(content).to(path, function () { + if (!fs.existsSync(path)) { + logger.error('PDF seems to not be generated as expected. File doesn\'t exist: ' + path) + return errors.errorInternalError(res) + } + const stream = fs.createReadStream(path) + let filename = title + // Be careful of special characters + filename = encodeURIComponent(filename) + // Ideally this should strip them + res.setHeader('Content-disposition', 'attachment; filename="' + filename + '.pdf"') + res.setHeader('Cache-Control', 'private') + res.setHeader('Content-Type', 'application/pdf; charset=UTF-8') + res.setHeader('X-Robots-Tag', 'noindex, nofollow') // prevent crawling + stream.pipe(res) + fs.unlinkSync(path) + }) +} + +exports.createGist = function createGist (req, res, note) { + const data = { + client_id: config.github.clientID, + redirect_uri: config.serverURL + '/auth/github/callback/' + models.Note.encodeNoteId(note.id) + '/gist', + scope: 'gist', + state: shortId.generate() + } + const query = querystring.stringify(data) + res.redirect('https://github.com/login/oauth/authorize?' + query) +} + +exports.getRevision = function getRevision (req, res, note) { + const actionId = req.params.actionId + if (actionId) { + const time = moment(parseInt(actionId)) + if (time.isValid()) { + models.Revision.getPatchedNoteRevisionByTime(note, time, function (err, content) { + if (err) { + logger.error(err) + return errors.errorInternalError(res) + } + if (!content) { + return errors.errorNotFound(res) + } + res.set({ + 'Access-Control-Allow-Origin': '*', // allow CORS as API + 'Access-Control-Allow-Headers': 'Range', + 'Access-Control-Expose-Headers': 'Cache-Control, Content-Encoding, Content-Range', + 'Cache-Control': 'private', // only cache by client + 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling + }) + res.send(content) + }) + } else { + return errors.errorNotFound(res) + } + } else { + models.Revision.getNoteRevisions(note, function (err, data) { + if (err) { + logger.error(err) + return errors.errorInternalError(res) + } + const out = { + revision: data + } + res.set({ + 'Access-Control-Allow-Origin': '*', // allow CORS as API + 'Access-Control-Allow-Headers': 'Range', + 'Access-Control-Expose-Headers': 'Cache-Control, Content-Encoding, Content-Range', + 'Cache-Control': 'private', // only cache by client + 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling + }) + res.send(out) + }) + } +} diff --git a/lib/web/note/controller.js b/lib/web/note/controller.js new file mode 100644 index 000000000..e537fe08a --- /dev/null +++ b/lib/web/note/controller.js @@ -0,0 +1,147 @@ +'use strict' + +const models = require('../../models') +const logger = require('../../logger') +const config = require('../../config') +const errors = require('../../errors') + +const noteUtil = require('./util') +const noteActions = require('./actions') + +exports.publishNoteActions = function (req, res, next) { + noteUtil.findNote(req, res, function (note) { + const action = req.params.action + switch (action) { + case 'download': + exports.downloadMarkdown(req, res, note) + break + case 'edit': + res.redirect(config.serverURL + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id)) + '?both') + break + default: + res.redirect(config.serverURL + '/s/' + note.shortid) + break + } + }) +} + +exports.showPublishNote = function (req, res, next) { + const include = [{ + model: models.User, + as: 'owner' + }, { + model: models.User, + as: 'lastchangeuser' + }] + noteUtil.findNote(req, res, function (note) { + // force to use short id + const shortid = req.params.shortid + if ((note.alias && shortid !== note.alias) || (!note.alias && shortid !== note.shortid)) { + return res.redirect(config.serverURL + '/s/' + (note.alias || note.shortid)) + } + note.increment('viewcount').then(function (note) { + if (!note) { + return errors.errorNotFound(res) + } + noteUtil.getPublishData(req, res, note, (data) => { + res.set({ + 'Cache-Control': 'private' // only cache by client + }) + return res.render('pretty.ejs', data) + }) + }).catch(function (err) { + logger.error(err) + return errors.errorInternalError(res) + }) + }, include) +} + +exports.showNote = function (req, res, next) { + noteUtil.findNote(req, res, function (note) { + // force to use note id + const noteId = req.params.noteId + const id = models.Note.encodeNoteId(note.id) + if ((note.alias && noteId !== note.alias) || (!note.alias && noteId !== id)) { + return res.redirect(config.serverURL + '/' + (note.alias || id)) + } + const body = note.content + const extracted = models.Note.extractMeta(body) + const meta = models.Note.parseMeta(extracted.meta) + let title = models.Note.decodeTitle(note.title) + title = models.Note.generateWebTitle(meta.title || title) + const opengraph = models.Note.parseOpengraph(meta, title) + res.set({ + 'Cache-Control': 'private', // only cache by client + 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling + }) + return res.render('codimd.ejs', { + title: title, + opengraph: opengraph + }) + }) +} + +exports.createFromPOST = function (req, res, next) { + let body = '' + if (req.body && req.body.length > config.documentMaxLength) { + return errors.errorTooLong(res) + } else if (req.body) { + body = req.body + } + body = body.replace(/[\r]/g, '') + return noteUtil.newNote(req, res, body) +} + +exports.doAction = function (req, res, next) { + const noteId = req.params.noteId + noteUtil.findNote(req, res, function (note) { + const action = req.params.action + switch (action) { + case 'publish': + case 'pretty': // pretty deprecated + res.redirect(config.serverURL + '/s/' + (note.alias || note.shortid)) + break + case 'slide': + res.redirect(config.serverURL + '/p/' + (note.alias || note.shortid)) + break + case 'download': + exports.downloadMarkdown(req, res, note) + break + case 'info': + noteActions.getInfo(req, res, note) + break + case 'pdf': + if (config.allowPDFExport) { + noteActions.createPDF(req, res, note) + } else { + logger.error('PDF export failed: Disabled by config. Set "allowPDFExport: true" to enable. Check the documentation for details') + errors.errorForbidden(res) + } + break + case 'gist': + noteActions.createGist(req, res, note) + break + case 'revision': + noteActions.getRevision(req, res, note) + break + default: + return res.redirect(config.serverURL + '/' + noteId) + } + }) +} + +exports.downloadMarkdown = function (req, res, note) { + const body = note.content + let filename = models.Note.decodeTitle(note.title) + filename = encodeURIComponent(filename) + res.set({ + 'Access-Control-Allow-Origin': '*', // allow CORS as API + 'Access-Control-Allow-Headers': 'Range', + 'Access-Control-Expose-Headers': 'Cache-Control, Content-Encoding, Content-Range', + 'Content-Type': 'text/markdown; charset=UTF-8', + 'Cache-Control': 'private', + 'Content-disposition': 'attachment; filename=' + filename + '.md', + 'X-Robots-Tag': 'noindex, nofollow' // prevent crawling + }) + res.send(body) +} diff --git a/lib/web/note/router.js b/lib/web/note/router.js new file mode 100644 index 000000000..cf6fdf431 --- /dev/null +++ b/lib/web/note/router.js @@ -0,0 +1,30 @@ +'use strict' + +const Router = require('express').Router +const { markdownParser } = require('../utils') + +const router = module.exports = Router() + +const noteController = require('./controller') +const slide = require('./slide') + +// get new note +router.get('/new', noteController.createFromPOST) +// post new note with content +router.post('/new', markdownParser, noteController.createFromPOST) +// post new note with content and alias +router.post('/new/:noteId', markdownParser, noteController.createFromPOST) +// get publish note +router.get('/s/:shortid', noteController.showPublishNote) +// publish note actions +router.get('/s/:shortid/:action', noteController.publishNoteActions) +// get publish slide +router.get('/p/:shortid', slide.showPublishSlide) +// publish slide actions +router.get('/p/:shortid/:action', slide.publishSlideActions) +// get note by id +router.get('/:noteId', noteController.showNote) +// note actions +router.get('/:noteId/:action', noteController.doAction) +// note actions with action id +router.get('/:noteId/:action/:actionId', noteController.doAction) diff --git a/lib/web/note/slide.js b/lib/web/note/slide.js new file mode 100644 index 000000000..d2d2ccfc5 --- /dev/null +++ b/lib/web/note/slide.js @@ -0,0 +1,45 @@ +const noteUtil = require('./util') +const models = require('../../models') +const errors = require('../../errors') +const logger = require('../../logger') +const config = require('../../config') + +exports.publishSlideActions = function (req, res, next) { + noteUtil.findNote(req, res, function (note) { + const action = req.params.action + if (action === 'edit') { + res.redirect(config.serverURL + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id)) + '?both') + } else { res.redirect(config.serverURL + '/p/' + note.shortid) } + }) +} + +exports.showPublishSlide = function (req, res, next) { + const include = [{ + model: models.User, + as: 'owner' + }, { + model: models.User, + as: 'lastchangeuser' + }] + noteUtil.findNote(req, res, function (note) { + // force to use short id + const shortid = req.params.shortid + if ((note.alias && shortid !== note.alias) || (!note.alias && shortid !== note.shortid)) { + return res.redirect(config.serverURL + '/p/' + (note.alias || note.shortid)) + } + note.increment('viewcount').then(function (note) { + if (!note) { + return errors.errorNotFound(res) + } + noteUtil.getPublishData(req, res, note, (data) => { + res.set({ + 'Cache-Control': 'private' // only cache by client + }) + return res.render('slide.ejs', data) + }) + }).catch(function (err) { + logger.error(err) + return errors.errorInternalError(res) + }) + }, include) +} diff --git a/lib/web/note/util.js b/lib/web/note/util.js new file mode 100644 index 000000000..eadfb1a3d --- /dev/null +++ b/lib/web/note/util.js @@ -0,0 +1,109 @@ +const models = require('../../models') +const logger = require('../../logger') +const config = require('../../config') +const errors = require('../../errors') +const fs = require('fs') +const path = require('path') + +exports.findNote = function (req, res, callback, include) { + const id = req.params.noteId || req.params.shortid + models.Note.parseNoteId(id, function (err, _id) { + if (err) { + logger.error(err) + return errors.errorInternalError(res) + } + models.Note.findOne({ + where: { + id: _id + }, + include: include || null + }).then(function (note) { + if (!note) { + return exports.newNote(req, res, null) + } + if (!exports.checkViewPermission(req, note)) { + return errors.errorForbidden(res) + } else { + return callback(note) + } + }).catch(function (err) { + logger.error(err) + return errors.errorInternalError(res) + }) + }) +} + +exports.checkViewPermission = function (req, note) { + if (note.permission === 'private') { + return !(!req.isAuthenticated() || note.ownerId !== req.user.id) + } else if (note.permission === 'limited' || note.permission === 'protected') { + return req.isAuthenticated() + } else { + return true + } +} + +exports.newNote = function (req, res, body) { + let owner = null + const noteId = req.params.noteId ? req.params.noteId : null + if (req.isAuthenticated()) { + owner = req.user.id + } else if (!config.allowAnonymous) { + return errors.errorForbidden(res) + } + if (config.allowFreeURL && noteId && !config.forbiddenNoteIDs.includes(noteId)) { + req.alias = noteId + } else if (noteId) { + return req.method === 'POST' ? errors.errorForbidden(res) : errors.errorNotFound(res) + } + models.Note.create({ + ownerId: owner, + alias: req.alias ? req.alias : null, + content: body + }).then(function (note) { + return res.redirect(config.serverURL + '/' + (note.alias ? note.alias : models.Note.encodeNoteId(note.id))) + }).catch(function (err) { + logger.error(err) + return errors.errorInternalError(res) + }) +} + +exports.getPublishData = function (req, res, note, callback) { + const body = note.content + const extracted = models.Note.extractMeta(body) + const markdown = extracted.markdown + const meta = models.Note.parseMeta(extracted.meta) + const createtime = note.createdAt + const updatetime = note.lastchangeAt + let title = models.Note.decodeTitle(note.title) + title = models.Note.generateWebTitle(meta.title || title) + const ogdata = models.Note.parseOpengraph(meta, title) + const data = { + title: title, + description: meta.description || (markdown ? models.Note.generateDescription(markdown) : null), + viewcount: note.viewcount, + createtime: createtime, + updatetime: updatetime, + body: markdown, + theme: meta.slideOptions && isRevealTheme(meta.slideOptions.theme), + meta: JSON.stringify(extracted.meta), + owner: note.owner ? note.owner.id : null, + ownerprofile: note.owner ? models.User.getProfile(note.owner) : null, + lastchangeuser: note.lastchangeuser ? note.lastchangeuser.id : null, + lastchangeuserprofile: note.lastchangeuser ? models.User.getProfile(note.lastchangeuser) : null, + robots: meta.robots || false, // default allow robots + GA: meta.GA, + disqus: meta.disqus, + cspNonce: res.locals.nonce, + dnt: req.headers.dnt, + opengraph: ogdata + } + callback(data) +} + +function isRevealTheme (theme) { + if (fs.existsSync(path.join(__dirname, '..', 'public', 'build', 'reveal.js', 'css', 'theme', theme + '.css'))) { + return theme + } + return undefined +} diff --git a/lib/web/noteRouter.js b/lib/web/noteRouter.js deleted file mode 100644 index 58e93019a..000000000 --- a/lib/web/noteRouter.js +++ /dev/null @@ -1,30 +0,0 @@ -'use strict' - -const Router = require('express').Router - -const response = require('../response') - -const { markdownParser } = require('./utils') - -const noteRouter = module.exports = Router() - -// get new note -noteRouter.get('/new', response.postNote) -// post new note with content -noteRouter.post('/new', markdownParser, response.postNote) -// post new note with content and alias -noteRouter.post('/new/:noteId', markdownParser, response.postNote) -// get publish note -noteRouter.get('/s/:shortid', response.showPublishNote) -// publish note actions -noteRouter.get('/s/:shortid/:action', response.publishNoteActions) -// get publish slide -noteRouter.get('/p/:shortid', response.showPublishSlide) -// publish slide actions -noteRouter.get('/p/:shortid/:action', response.publishSlideActions) -// get note by id -noteRouter.get('/:noteId', response.showNote) -// note actions -noteRouter.get('/:noteId/:action', response.noteActions) -// note actions with action id -noteRouter.get('/:noteId/:action/:actionId', response.noteActions) diff --git a/lib/web/statusRouter.js b/lib/web/statusRouter.js index 1d9a11571..025aafd41 100644 --- a/lib/web/statusRouter.js +++ b/lib/web/statusRouter.js @@ -2,7 +2,7 @@ const Router = require('express').Router -const response = require('../response') +const errors = require('../errors') const realtime = require('../realtime') const config = require('../config') const models = require('../models') @@ -27,11 +27,11 @@ statusRouter.get('/status', function (req, res, next) { statusRouter.get('/temp', function (req, res) { var host = req.get('host') if (config.allowOrigin.indexOf(host) === -1) { - response.errorForbidden(res) + errors.errorForbidden(res) } else { var tempid = req.query.tempid if (!tempid) { - response.errorForbidden(res) + errors.errorForbidden(res) } else { models.Temp.findOne({ where: { @@ -39,7 +39,7 @@ statusRouter.get('/temp', function (req, res) { } }).then(function (temp) { if (!temp) { - response.errorNotFound(res) + errors.errorNotFound(res) } else { res.header('Access-Control-Allow-Origin', '*') res.send({ @@ -53,7 +53,7 @@ statusRouter.get('/temp', function (req, res) { } }).catch(function (err) { logger.error(err) - return response.errorInternalError(res) + return errors.errorInternalError(res) }) } } @@ -62,11 +62,11 @@ statusRouter.get('/temp', function (req, res) { statusRouter.post('/temp', urlencodedParser, function (req, res) { var host = req.get('host') if (config.allowOrigin.indexOf(host) === -1) { - response.errorForbidden(res) + errors.errorForbidden(res) } else { var data = req.body.data if (!data) { - response.errorForbidden(res) + errors.errorForbidden(res) } else { logger.debug(`SERVER received temp from [${host}]: ${req.body.data}`) models.Temp.create({ @@ -79,11 +79,11 @@ statusRouter.post('/temp', urlencodedParser, function (req, res) { id: temp.id }) } else { - response.errorInternalError(res) + errors.errorInternalError(res) } }).catch(function (err) { logger.error(err) - return response.errorInternalError(res) + return errors.errorInternalError(res) }) } } diff --git a/lib/web/userRouter.js b/lib/web/userRouter.js index 73b519ec8..f1f999f15 100644 --- a/lib/web/userRouter.js +++ b/lib/web/userRouter.js @@ -4,7 +4,7 @@ const archiver = require('archiver') const async = require('async') const Router = require('express').Router -const response = require('../response') +const errors = require('../errors') const config = require('../config') const models = require('../models') const logger = require('../logger') @@ -20,7 +20,7 @@ UserRouter.get('/me', function (req, res) { id: req.user.id } }).then(function (user) { - if (!user) { return response.errorNotFound(res) } + if (!user) { return errors.errorNotFound(res) } var profile = models.User.getProfile(user) res.send({ status: 'ok', @@ -30,7 +30,7 @@ UserRouter.get('/me', function (req, res) { }) }).catch(function (err) { logger.error('read me failed: ' + err) - return response.errorInternalError(res) + return errors.errorInternalError(res) }) } else { res.send({ @@ -48,21 +48,21 @@ UserRouter.get('/me/delete/:token?', function (req, res) { } }).then(function (user) { if (!user) { - return response.errorNotFound(res) + return errors.errorNotFound(res) } if (user.deleteToken === req.params.token) { user.destroy().then(function () { res.redirect(config.serverURL + '/') }) } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } }).catch(function (err) { logger.error('delete user failed: ' + err) - return response.errorInternalError(res) + return errors.errorInternalError(res) }) } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } }) @@ -78,7 +78,7 @@ UserRouter.get('/me/export', function (req, res) { archive.pipe(res) archive.on('error', function (err) { logger.error('export user data failed: ' + err) - return response.errorInternalError(res) + return errors.errorInternalError(res) }) models.User.findOne({ where: { @@ -107,7 +107,7 @@ UserRouter.get('/me/export', function (req, res) { callback(null, null) }, function (err) { if (err) { - return response.errorInternalError(res) + return errors.errorInternalError(res) } archive.finalize() @@ -115,10 +115,10 @@ UserRouter.get('/me/export', function (req, res) { }) }).catch(function (err) { logger.error('export user data failed: ' + err) - return response.errorInternalError(res) + return errors.errorInternalError(res) }) } else { - return response.errorForbidden(res) + return errors.errorForbidden(res) } })