overleaf/services/web/app/coffee/infrastructure/Server.coffee

Path = require "path"
express = require('express')
Settings = require('settings-sharelatex')
logger = require 'logger-sharelatex'
metrics = require('metrics-sharelatex')
crawlerLogger = require('./CrawlerLogger')
expressLocals = require('./ExpressLocals')
Router = require('../router')
metrics.inc("startup")
UserSessionsRedis = require('../Features/User/UserSessionsRedis')

sessionsRedisClient = UserSessionsRedis.client()

session = require("express-session")
RedisStore = require('connect-redis')(session)
bodyParser = require('body-parser')
multer  = require('multer')
methodOverride = require('method-override')
csrf = require('csurf')
csrfProtection = csrf()
cookieParser = require('cookie-parser')

# Init the session store
sessionStore = new RedisStore(client:sessionsRedisClient)

passport = require('passport')
LocalStrategy = require('passport-local').Strategy

Mongoose = require("./Mongoose")

oneDayInMilliseconds = 86400000
ReferalConnect = require('../Features/Referal/ReferalConnect')
RedirectManager = require("./RedirectManager")
OldAssetProxy = require("./OldAssetProxy")
translations = require("translations-sharelatex").setup(Settings.i18n)
Modules = require "./Modules"

ErrorController = require "../Features/Errors/ErrorController"
UserSessionsManager = require "../Features/User/UserSessionsManager"
AuthenticationController = require "../Features/Authentication/AuthenticationController"


metrics.event_loop?.monitor(logger)

Settings.editorIsOpen ||= true

if Settings.cacheStaticAssets
	staticCacheAge = (oneDayInMilliseconds * 365)
else
	staticCacheAge = 0

app = express()

webRouter = express.Router()
apiRouter = express.Router()

if Settings.behindProxy
	app.enable('trust proxy')

webRouter.use express.static(__dirname + '/../../../public', {maxAge: staticCacheAge })
app.set 'views', __dirname + '/../../views'
app.set 'view engine', 'pug'
Modules.loadViewIncludes app


app.use bodyParser.urlencoded({ extended: true, limit: "2mb"})
# Make sure we can process the max doc length plus some overhead for JSON encoding
app.use bodyParser.json({limit: Settings.max_doc_length + 16 * 1024}) # 16kb overhead
app.use multer(dest: Settings.path.uploadFolder)
app.use methodOverride()

app.use metrics.http.monitor(logger)
app.use RedirectManager
app.use OldAssetProxy


webRouter.use cookieParser(Settings.security.sessionSecret)
webRouter.use session
	resave: false
	saveUninitialized:false
	secret:Settings.security.sessionSecret
	proxy: Settings.behindProxy
	cookie:
		domain: Settings.cookieDomain
		maxAge: Settings.cookieSessionLength
		secure: Settings.secureCookie
	store: sessionStore
	key: Settings.cookieName
	rolling: true

# passport
webRouter.use passport.initialize()
webRouter.use passport.session()

passport.use(new LocalStrategy(
	{
		passReqToCallback: true,
		usernameField: 'email',
		passwordField: 'password'
	},
	AuthenticationController.doPassportLogin
))
passport.serializeUser(AuthenticationController.serializeUser)
passport.deserializeUser(AuthenticationController.deserializeUser)

Modules.hooks.fire 'passportSetup', passport, (err) ->
	if err?
		logger.err {err}, "error setting up passport in modules"

Modules.applyNonCsrfRouter(webRouter, apiRouter)

webRouter.use csrfProtection
webRouter.use translations.expressMiddlewear
webRouter.use translations.setLangBasedOnDomainMiddlewear

# Measure expiry from last request, not last login
webRouter.use (req, res, next) ->
	req.session.touch()
	if AuthenticationController.isUserLoggedIn(req)
		UserSessionsManager.touch(AuthenticationController.getSessionUser(req), (err)->)
	next()

webRouter.use ReferalConnect.use
expressLocals(app, webRouter, apiRouter)

if app.get('env') == 'production'
	logger.info "Production Enviroment"
	app.enable('view cache')

app.use (req, res, next)->
	metrics.inc "http-request"
	crawlerLogger.log(req)
	next()

webRouter.use (req, res, next) ->
	if Settings.editorIsOpen
		next()
	else if req.url.indexOf("/admin") == 0
		next()
	else
		res.status(503)
		res.render("general/closed", {title:"maintenance"})

apiRouter.get "/status", (req, res)->
	res.send("web sharelatex is alive")

profiler = require "v8-profiler"
apiRouter.get "/profile", (req, res) ->
	time = parseInt(req.query.time || "1000")
	profiler.startProfiling("test")
	setTimeout () ->
		profile = profiler.stopProfiling("test")
		res.json(profile)
	, time

app.get "/heapdump", (req, res)->
	require('heapdump').writeSnapshot '/tmp/' + Date.now() + '.web.heapsnapshot', (err, filename)->
		res.send filename

logger.info ("creating HTTP server").yellow
server = require('http').createServer(app)

# can set WEB_TYPE=api-only or WEB_TYPE=web-only for separate web and
# api processes
switch process.env.WEB_TYPE
	when "api-only"
		logger.info("providing api router");
		app.use(apiRouter)
		app.use(ErrorController.handleApiError)
	when "web-only"
		logger.info("providing web router");
		app.use(webRouter)
		app.use(ErrorController.handleError)
	else
		logger.info("providing web and api router");
		# process api routes first, if nothing matched fall though and use
		# web middleware + routes
		app.use(apiRouter)
		app.use(ErrorController.handleApiError)
		app.use(webRouter)
		app.use(ErrorController.handleError)

router = new Router(webRouter, apiRouter)

module.exports =
	app: app
	server: server
Use new metrics package 2014-05-07 10:29:04 -04:00			`Path = require "path"`
Intial open source comment 2014-02-12 05:23:40 -05:00			`express = require('express')`
			`Settings = require('settings-sharelatex')`
			`logger = require 'logger-sharelatex'`
Remove the Metrics module, use metrics-sharelatex 2017-04-03 11:18:30 -04:00			`metrics = require('metrics-sharelatex')`
Intial open source comment 2014-02-12 05:23:40 -05:00			`crawlerLogger = require('./CrawlerLogger')`
			`expressLocals = require('./ExpressLocals')`
			`Router = require('../router')`
			`metrics.inc("startup")`
WIP: start moving web sessions to cluster 2016-11-08 10:32:36 -05:00			`UserSessionsRedis = require('../Features/User/UserSessionsRedis')`

			`sessionsRedisClient = UserSessionsRedis.client()`
v2, seems to work... 2014-09-26 12:04:33 -04:00
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`session = require("express-session")`
			`RedisStore = require('connect-redis')(session)`
			`bodyParser = require('body-parser')`
			`multer = require('multer')`
			`methodOverride = require('method-override')`
			`csrf = require('csurf')`
			`csrfProtection = csrf()`
			`cookieParser = require('cookie-parser')`

WIP: start moving web sessions to cluster 2016-11-08 10:32:36 -05:00			`# Init the session store`
			`sessionStore = new RedisStore(client:sessionsRedisClient)`
v2, seems to work... 2014-09-26 12:04:33 -04:00
Basic passport integration 2016-09-02 11:17:37 -04:00			`passport = require('passport')`
			`LocalStrategy = require('passport-local').Strategy`

v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`Mongoose = require("./Mongoose")`

Intial open source comment 2014-02-12 05:23:40 -05:00			`oneDayInMilliseconds = 86400000`
			`ReferalConnect = require('../Features/Referal/ReferalConnect')`
added redirects from config file in, used for old template paths 2014-07-01 10:44:12 -04:00			`RedirectManager = require("./RedirectManager")`
added asset proxying from templates in, used for old images etc which people linked to 2014-07-01 11:00:42 -04:00			`OldAssetProxy = require("./OldAssetProxy")`
added default lang of en-US and translations package does the set lang based on subdomain 2014-08-05 06:15:17 -04:00			`translations = require("translations-sharelatex").setup(Settings.i18n)`
Allow modules to inject parts of views 2014-09-08 10:40:46 -04:00			`Modules = require "./Modules"`
Intial open source comment 2014-02-12 05:23:40 -05:00
Improve error reporting and show 404 when project ids are malformed 2016-03-18 11:59:03 -04:00			`ErrorController = require "../Features/Errors/ErrorController"`
set expiry on the user sessions set. 2016-07-01 06:24:46 -04:00			`UserSessionsManager = require "../Features/User/UserSessionsManager"`
Basic passport integration 2016-09-02 11:17:37 -04:00			`AuthenticationController = require "../Features/Authentication/AuthenticationController"`
Improve error reporting and show 404 when project ids are malformed 2016-03-18 11:59:03 -04:00
Intial open source comment 2014-02-12 05:23:40 -05:00
added event loop monitor 2015-06-23 08:50:42 -04:00			`metrics.event_loop?.monitor(logger)`

Intial open source comment 2014-02-12 05:23:40 -05:00			`Settings.editorIsOpen \|\|= true`

			`if Settings.cacheStaticAssets`
			`staticCacheAge = (oneDayInMilliseconds * 365)`
			`else`
			`staticCacheAge = 0`

			`app = express()`

split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`webRouter = express.Router()`
			`apiRouter = express.Router()`
jquery translations work 2014-07-30 09:22:36 -04:00
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`if Settings.behindProxy`
			`app.enable('trust proxy')`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00
			`webRouter.use express.static(__dirname + '/../../../public', {maxAge: staticCacheAge })`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`app.set 'views', __dirname + '/../../views'`
WIP: migrate from jade to pug 2017-01-20 07:03:02 -05:00			`app.set 'view engine', 'pug'`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`Modules.loadViewIncludes app`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00


set body parser limit to 2mb 2015-07-08 09:34:59 -04:00			`app.use bodyParser.urlencoded({ extended: true, limit: "2mb"})`
Put in client side check for document getting too long 2015-11-06 07:51:43 -05:00			`# Make sure we can process the max doc length plus some overhead for JSON encoding`
			`app.use bodyParser.json({limit: Settings.max_doc_length + 16 * 1024}) # 16kb overhead`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`app.use multer(dest: Settings.path.uploadFolder)`
			`app.use methodOverride()`

			`app.use metrics.http.monitor(logger)`
			`app.use RedirectManager`
			`app.use OldAssetProxy`


			`webRouter.use cookieParser(Settings.security.sessionSecret)`
			`webRouter.use session`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`resave: false`
added saveUninitialized option to session which is now required 2015-06-30 10:32:01 -04:00			`saveUninitialized:false`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`secret:Settings.security.sessionSecret`
			`proxy: Settings.behindProxy`
			`cookie:`
			`domain: Settings.cookieDomain`
			`maxAge: Settings.cookieSessionLength`
			`secure: Settings.secureCookie`
			`store: sessionStore`
			`key: Settings.cookieName`
Add the `rolling` option to session 2016-11-30 04:41:58 -05:00			`rolling: true`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00
Basic passport integration 2016-09-02 11:17:37 -04:00			`# passport`
			`webRouter.use passport.initialize()`
			`webRouter.use passport.session()`

			`passport.use(new LocalStrategy(`
			`{`
			`passReqToCallback: true,`
			`usernameField: 'email',`
			`passwordField: 'password'`
			`},`
			`AuthenticationController.doPassportLogin`
			`))`
			`passport.serializeUser(AuthenticationController.serializeUser)`
			`passport.deserializeUser(AuthenticationController.deserializeUser)`

Enable hook from module into passport init. 2016-11-01 10:06:54 -04:00			`Modules.hooks.fire 'passportSetup', passport, (err) ->`
			`if err?`
			`logger.err {err}, "error setting up passport in modules"`

WIP: enable non-csrf routes from modules 2016-11-11 08:48:29 -05:00			`Modules.applyNonCsrfRouter(webRouter, apiRouter)`

			`webRouter.use csrfProtection`
			`webRouter.use translations.expressMiddlewear`
			`webRouter.use translations.setLangBasedOnDomainMiddlewear`

v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`# Measure expiry from last request, not last login`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`webRouter.use (req, res, next) ->`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`req.session.touch()`
Fix session touch 2016-09-22 08:48:09 -04:00			`if AuthenticationController.isUserLoggedIn(req)`
			`UserSessionsManager.touch(AuthenticationController.getSessionUser(req), (err)->)`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`next()`
Intial open source comment 2014-02-12 05:23:40 -05:00
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`webRouter.use ReferalConnect.use`
			`expressLocals(app, webRouter, apiRouter)`
Intial open source comment 2014-02-12 05:23:40 -05:00
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`if app.get('env') == 'production'`
Intial open source comment 2014-02-12 05:23:40 -05:00			`logger.info "Production Enviroment"`
			`app.enable('view cache')`

			`app.use (req, res, next)->`
			`metrics.inc "http-request"`
			`crawlerLogger.log(req)`
			`next()`

fix close editor button - only evaulate close on web router, not api/static assets - allow /admin pages to still be available 2016-07-19 12:03:31 -04:00			`webRouter.use (req, res, next) ->`
			`if Settings.editorIsOpen`
			`next()`
			`else if req.url.indexOf("/admin") == 0`
			`next()`
			`else`
Intial open source comment 2014-02-12 05:23:40 -05:00			`res.status(503)`
sorted out titles 2014-08-01 08:47:14 -04:00			`res.render("general/closed", {title:"maintenance"})`
Intial open source comment 2014-02-12 05:23:40 -05:00
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`apiRouter.get "/status", (req, res)->`
Intial open source comment 2014-02-12 05:23:40 -05:00			`res.send("web sharelatex is alive")`
set expiry on the user sessions set. 2016-07-01 06:24:46 -04:00
Add in profiling end point 2015-02-03 06:05:23 -05:00			`profiler = require "v8-profiler"`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`apiRouter.get "/profile", (req, res) ->`
Add in profiling end point 2015-02-03 06:05:23 -05:00			`time = parseInt(req.query.time \|\| "1000")`
			`profiler.startProfiling("test")`
			`setTimeout () ->`
			`profile = profiler.stopProfiling("test")`
			`res.json(profile)`
			`, time`
Intial open source comment 2014-02-12 05:23:40 -05:00
added heapdump endpoint 2015-11-30 11:16:16 -05:00			`app.get "/heapdump", (req, res)->`
persist cookie in redis for compiles. 2016-04-19 11:48:51 -04:00			`require('heapdump').writeSnapshot '/tmp/' + Date.now() + '.web.heapsnapshot', (err, filename)->`
added heapdump endpoint 2015-11-30 11:16:16 -05:00			`res.send filename`

Intial open source comment 2014-02-12 05:23:40 -05:00			`logger.info ("creating HTTP server").yellow`
			`server = require('http').createServer(app)`

support separate processes for web and api via an environment variable WEB_TYPE 2017-05-22 08:31:02 -04:00			`# can set WEB_TYPE=api-only or WEB_TYPE=web-only for separate web and`
			`# api processes`
			`switch process.env.WEB_TYPE`
			`when "api-only"`
			`logger.info("providing api router");`
			`app.use(apiRouter)`
			`app.use(ErrorController.handleApiError)`
			`when "web-only"`
			`logger.info("providing web router");`
			`app.use(webRouter)`
			`app.use(ErrorController.handleError)`
			`else`
			`logger.info("providing web and api router");`
			`# process api routes first, if nothing matched fall though and use`
			`# web middleware + routes`
			`app.use(apiRouter)`
			`app.use(ErrorController.handleApiError)`
			`app.use(webRouter)`
			`app.use(ErrorController.handleError)`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00
			`router = new Router(webRouter, apiRouter)`
Intial open source comment 2014-02-12 05:23:40 -05:00
			`module.exports =`
			`app: app`
			`server: server`