overleaf/services/web/app/coffee/infrastructure/Server.coffee

Path = require "path"
express = require('express')
Settings = require('settings-sharelatex')
logger = require 'logger-sharelatex'
metrics = require('metrics-sharelatex')
crawlerLogger = require('./CrawlerLogger')
expressLocals = require('./ExpressLocals')
Router = require('../router')
helmet = require "helmet"
metrics.inc("startup")
UserSessionsRedis = require('../Features/User/UserSessionsRedis')
Csrf = require('./Csrf')

sessionsRedisClient = UserSessionsRedis.client()

session = require("express-session")
RedisStore = require('connect-redis')(session)
bodyParser = require('body-parser')
methodOverride = require('method-override')
cookieParser = require('cookie-parser')
bearerToken = require('express-bearer-token')

# Init the session store
sessionStore = new RedisStore(client:sessionsRedisClient)

passport = require('passport')
LocalStrategy = require('passport-local').Strategy

Mongoose = require("./Mongoose")

oneDayInMilliseconds = 86400000
ReferalConnect = require('../Features/Referal/ReferalConnect')
RedirectManager = require("./RedirectManager")
ProxyManager = require("./ProxyManager")
translations = require("translations-sharelatex").setup(Settings.i18n)
Modules = require "./Modules"

ErrorController = require "../Features/Errors/ErrorController"
UserSessionsManager = require "../Features/User/UserSessionsManager"
AuthenticationController = require "../Features/Authentication/AuthenticationController"


metrics.event_loop?.monitor(logger)

Settings.editorIsOpen ||= true

if Settings.cacheStaticAssets
	staticCacheAge = (oneDayInMilliseconds * 365)
else
	staticCacheAge = 0

app = express()

webRouter = express.Router()
privateApiRouter = express.Router()
publicApiRouter = express.Router()

if Settings.behindProxy
	app.enable('trust proxy')

webRouter.use express.static(__dirname + '/../../../public', {maxAge: staticCacheAge })
app.set 'views', __dirname + '/../../views'
app.set 'view engine', 'pug'
Modules.loadViewIncludes app


app.use bodyParser.urlencoded({ extended: true, limit: "2mb"})
# Make sure we can process the max doc length plus some overhead for JSON encoding
app.use bodyParser.json({limit: Settings.max_doc_length + 64 * 1024}) # 64kb overhead
app.use methodOverride()
app.use bearerToken()

app.use metrics.http.monitor(logger)
RedirectManager.apply(webRouter)
ProxyManager.apply(publicApiRouter)


webRouter.use cookieParser(Settings.security.sessionSecret)
webRouter.use session
	resave: false
	saveUninitialized:false
	secret:Settings.security.sessionSecret
	proxy: Settings.behindProxy
	cookie:
		domain: Settings.cookieDomain
		maxAge: Settings.cookieSessionLength
		secure: Settings.secureCookie
	store: sessionStore
	key: Settings.cookieName
	rolling: true

# passport
webRouter.use passport.initialize()
webRouter.use passport.session()

passport.use(new LocalStrategy(
	{
		passReqToCallback: true,
		usernameField: 'email',
		passwordField: 'password'
	},
	AuthenticationController.doPassportLogin
))
passport.serializeUser(AuthenticationController.serializeUser)
passport.deserializeUser(AuthenticationController.deserializeUser)

Modules.hooks.fire 'passportSetup', passport, (err) ->
	if err?
		logger.err {err}, "error setting up passport in modules"

Modules.applyNonCsrfRouter(webRouter, privateApiRouter, publicApiRouter)

webRouter.csrf = new Csrf()
webRouter.use webRouter.csrf.middleware
webRouter.use translations.expressMiddlewear
webRouter.use translations.setLangBasedOnDomainMiddlewear

# Measure expiry from last request, not last login
webRouter.use (req, res, next) ->
	req.session.touch()
	if AuthenticationController.isUserLoggedIn(req)
		UserSessionsManager.touch(AuthenticationController.getSessionUser(req), (err)->)
	next()

webRouter.use ReferalConnect.use
expressLocals(app, webRouter, privateApiRouter, publicApiRouter)

if app.get('env') == 'production'
	logger.info "Production Enviroment"
	app.enable('view cache')

app.use (req, res, next)->
	metrics.inc "http-request"
	crawlerLogger.log(req)
	next()

webRouter.use (req, res, next) ->
	if Settings.editorIsOpen
		next()
	else if req.url.indexOf("/admin") == 0
		next()
	else
		res.status(503)
		res.render("general/closed", {title:"maintenance"})

# add security headers using Helmet
webRouter.use (req, res, next) ->
	isLoggedIn = AuthenticationController.isUserLoggedIn(req)
	isProjectPage = !!req.path.match('^/project/[a-f0-9]{24}$')

	helmet({ # note that more headers are added by default
		dnsPrefetchControl: false
		referrerPolicy: { policy: 'origin-when-cross-origin' }
		noCache: isLoggedIn || isProjectPage
		noSniff: false
		hsts: false
		frameguard: false
	})(req, res, next)

profiler = require "v8-profiler"
privateApiRouter.get "/profile", (req, res) ->
	time = parseInt(req.query.time || "1000")
	profiler.startProfiling("test")
	setTimeout () ->
		profile = profiler.stopProfiling("test")
		res.json(profile)
	, time

app.get "/heapdump", (req, res)->
	require('heapdump').writeSnapshot '/tmp/' + Date.now() + '.web.heapsnapshot', (err, filename)->
		res.send filename

logger.info ("creating HTTP server").yellow
server = require('http').createServer(app)

# provide settings for separate web and api processes
# if enableApiRouter and enableWebRouter are not defined they default
# to true.
notDefined = (x) -> !x?
enableApiRouter = Settings.web?.enableApiRouter
if enableApiRouter or notDefined(enableApiRouter)
	logger.info("providing api router");
	app.use(privateApiRouter)
	app.use(ErrorController.handleApiError)

enableWebRouter = Settings.web?.enableWebRouter
if enableWebRouter or notDefined(enableWebRouter)
	logger.info("providing web router");
	app.use(publicApiRouter) # public API goes with web router for public access
	app.use(ErrorController.handleApiError)
	app.use(webRouter)
	app.use(ErrorController.handleError)

router = new Router(webRouter, privateApiRouter, publicApiRouter)

module.exports =
	app: app
	server: server
Use new metrics package 2014-05-07 10:29:04 -04:00			`Path = require "path"`
Intial open source comment 2014-02-12 05:23:40 -05:00			`express = require('express')`
			`Settings = require('settings-sharelatex')`
			`logger = require 'logger-sharelatex'`
Remove the Metrics module, use metrics-sharelatex 2017-04-03 11:18:30 -04:00			`metrics = require('metrics-sharelatex')`
Intial open source comment 2014-02-12 05:23:40 -05:00			`crawlerLogger = require('./CrawlerLogger')`
			`expressLocals = require('./ExpressLocals')`
			`Router = require('../router')`
add security headers using Helmet - use all Helmet's default headers except `X-DNS-Prefetch-Control` - use `Referrer-Policy` - use cache headers when: - a user is logged in, OR - a project is displayed 2017-09-12 05:16:40 -04:00			`helmet = require "helmet"`
Intial open source comment 2014-02-12 05:23:40 -05:00			`metrics.inc("startup")`
WIP: start moving web sessions to cluster 2016-11-08 10:32:36 -05:00			`UserSessionsRedis = require('../Features/User/UserSessionsRedis')`
Merge pull request #1072 from sharelatex/spd-open-with-overleaf Implement v1 open-with-overleaf API in v2 (part 1) GitOrigin-RevId: 488f4eeefc29086a72295ccbc7c63d2f927add12 2018-11-15 04:40:33 -05:00			`Csrf = require('./Csrf')`
WIP: start moving web sessions to cluster 2016-11-08 10:32:36 -05:00
			`sessionsRedisClient = UserSessionsRedis.client()`
v2, seems to work... 2014-09-26 12:04:33 -04:00
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`session = require("express-session")`
			`RedisStore = require('connect-redis')(session)`
			`bodyParser = require('body-parser')`
			`methodOverride = require('method-override')`
			`cookieParser = require('cookie-parser')`
Merge pull request #1047 from sharelatex/ew-oauth-authorization add oauth middlewear GitOrigin-RevId: b68360763e1060fdbcbb4348d3d691a803fbfa41 2018-10-30 14:18:42 -04:00			`bearerToken = require('express-bearer-token')`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00
WIP: start moving web sessions to cluster 2016-11-08 10:32:36 -05:00			`# Init the session store`
			`sessionStore = new RedisStore(client:sessionsRedisClient)`
v2, seems to work... 2014-09-26 12:04:33 -04:00
Basic passport integration 2016-09-02 11:17:37 -04:00			`passport = require('passport')`
			`LocalStrategy = require('passport-local').Strategy`

v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`Mongoose = require("./Mongoose")`

Intial open source comment 2014-02-12 05:23:40 -05:00			`oneDayInMilliseconds = 86400000`
			`ReferalConnect = require('../Features/Referal/ReferalConnect')`
added redirects from config file in, used for old template paths 2014-07-01 10:44:12 -04:00			`RedirectManager = require("./RedirectManager")`
replace OldAssetProxy 2018-06-18 12:37:58 -04:00			`ProxyManager = require("./ProxyManager")`
added default lang of en-US and translations package does the set lang based on subdomain 2014-08-05 06:15:17 -04:00			`translations = require("translations-sharelatex").setup(Settings.i18n)`
Allow modules to inject parts of views 2014-09-08 10:40:46 -04:00			`Modules = require "./Modules"`
Intial open source comment 2014-02-12 05:23:40 -05:00
Improve error reporting and show 404 when project ids are malformed 2016-03-18 11:59:03 -04:00			`ErrorController = require "../Features/Errors/ErrorController"`
set expiry on the user sessions set. 2016-07-01 06:24:46 -04:00			`UserSessionsManager = require "../Features/User/UserSessionsManager"`
Basic passport integration 2016-09-02 11:17:37 -04:00			`AuthenticationController = require "../Features/Authentication/AuthenticationController"`
Improve error reporting and show 404 when project ids are malformed 2016-03-18 11:59:03 -04:00
Intial open source comment 2014-02-12 05:23:40 -05:00
added event loop monitor 2015-06-23 08:50:42 -04:00			`metrics.event_loop?.monitor(logger)`

Intial open source comment 2014-02-12 05:23:40 -05:00			`Settings.editorIsOpen \|\|= true`

			`if Settings.cacheStaticAssets`
			`staticCacheAge = (oneDayInMilliseconds * 365)`
			`else`
			`staticCacheAge = 0`

			`app = express()`

split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`webRouter = express.Router()`
add public api router 2017-07-05 09:32:55 -04:00			`privateApiRouter = express.Router()`
			`publicApiRouter = express.Router()`
jquery translations work 2014-07-30 09:22:36 -04:00
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`if Settings.behindProxy`
			`app.enable('trust proxy')`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00
			`webRouter.use express.static(__dirname + '/../../../public', {maxAge: staticCacheAge })`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`app.set 'views', __dirname + '/../../views'`
WIP: migrate from jade to pug 2017-01-20 07:03:02 -05:00			`app.set 'view engine', 'pug'`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`Modules.loadViewIncludes app`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00


set body parser limit to 2mb 2015-07-08 09:34:59 -04:00			`app.use bodyParser.urlencoded({ extended: true, limit: "2mb"})`
Put in client side check for document getting too long 2015-11-06 07:51:43 -05:00			`# Make sure we can process the max doc length plus some overhead for JSON encoding`
increase bodyparser limit to 64kb 16kb is not enough for bibtex files with more escaping. 2018-08-06 05:52:10 -04:00			`app.use bodyParser.json({limit: Settings.max_doc_length + 64 * 1024}) # 64kb overhead`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`app.use methodOverride()`
Merge pull request #1047 from sharelatex/ew-oauth-authorization add oauth middlewear GitOrigin-RevId: b68360763e1060fdbcbb4348d3d691a803fbfa41 2018-10-30 14:18:42 -04:00			`app.use bearerToken()`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00
			`app.use metrics.http.monitor(logger)`
Add additional functionality to RedirectManager 2018-09-12 10:25:17 -04:00			`RedirectManager.apply(webRouter)`
handle dynamic Proxy URLs 2018-07-04 12:59:19 -04:00			`ProxyManager.apply(publicApiRouter)`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00

			`webRouter.use cookieParser(Settings.security.sessionSecret)`
			`webRouter.use session`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`resave: false`
added saveUninitialized option to session which is now required 2015-06-30 10:32:01 -04:00			`saveUninitialized:false`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`secret:Settings.security.sessionSecret`
			`proxy: Settings.behindProxy`
			`cookie:`
			`domain: Settings.cookieDomain`
			`maxAge: Settings.cookieSessionLength`
			`secure: Settings.secureCookie`
			`store: sessionStore`
			`key: Settings.cookieName`
Add the `rolling` option to session 2016-11-30 04:41:58 -05:00			`rolling: true`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00
Basic passport integration 2016-09-02 11:17:37 -04:00			`# passport`
			`webRouter.use passport.initialize()`
			`webRouter.use passport.session()`

			`passport.use(new LocalStrategy(`
			`{`
			`passReqToCallback: true,`
			`usernameField: 'email',`
			`passwordField: 'password'`
			`},`
			`AuthenticationController.doPassportLogin`
			`))`
			`passport.serializeUser(AuthenticationController.serializeUser)`
			`passport.deserializeUser(AuthenticationController.deserializeUser)`

Enable hook from module into passport init. 2016-11-01 10:06:54 -04:00			`Modules.hooks.fire 'passportSetup', passport, (err) ->`
			`if err?`
			`logger.err {err}, "error setting up passport in modules"`

add public api router 2017-07-05 09:32:55 -04:00			`Modules.applyNonCsrfRouter(webRouter, privateApiRouter, publicApiRouter)`
WIP: enable non-csrf routes from modules 2016-11-11 08:48:29 -05:00
Merge pull request #1072 from sharelatex/spd-open-with-overleaf Implement v1 open-with-overleaf API in v2 (part 1) GitOrigin-RevId: 488f4eeefc29086a72295ccbc7c63d2f927add12 2018-11-15 04:40:33 -05:00			`webRouter.csrf = new Csrf()`
			`webRouter.use webRouter.csrf.middleware`
WIP: enable non-csrf routes from modules 2016-11-11 08:48:29 -05:00			`webRouter.use translations.expressMiddlewear`
			`webRouter.use translations.setLangBasedOnDomainMiddlewear`

v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`# Measure expiry from last request, not last login`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`webRouter.use (req, res, next) ->`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`req.session.touch()`
Fix session touch 2016-09-22 08:48:09 -04:00			`if AuthenticationController.isUserLoggedIn(req)`
			`UserSessionsManager.touch(AuthenticationController.getSessionUser(req), (err)->)`
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`next()`
Intial open source comment 2014-02-12 05:23:40 -05:00
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`webRouter.use ReferalConnect.use`
add public api router 2017-07-05 09:32:55 -04:00			`expressLocals(app, webRouter, privateApiRouter, publicApiRouter)`
Intial open source comment 2014-02-12 05:23:40 -05:00
v1 of express4 conversion 2015-06-30 07:04:41 -04:00			`if app.get('env') == 'production'`
Intial open source comment 2014-02-12 05:23:40 -05:00			`logger.info "Production Enviroment"`
			`app.enable('view cache')`

			`app.use (req, res, next)->`
			`metrics.inc "http-request"`
			`crawlerLogger.log(req)`
			`next()`

fix close editor button - only evaulate close on web router, not api/static assets - allow /admin pages to still be available 2016-07-19 12:03:31 -04:00			`webRouter.use (req, res, next) ->`
			`if Settings.editorIsOpen`
			`next()`
			`else if req.url.indexOf("/admin") == 0`
			`next()`
			`else`
Intial open source comment 2014-02-12 05:23:40 -05:00			`res.status(503)`
sorted out titles 2014-08-01 08:47:14 -04:00			`res.render("general/closed", {title:"maintenance"})`
Intial open source comment 2014-02-12 05:23:40 -05:00
add security headers using Helmet - use all Helmet's default headers except `X-DNS-Prefetch-Control` - use `Referrer-Policy` - use cache headers when: - a user is logged in, OR - a project is displayed 2017-09-12 05:16:40 -04:00			`# add security headers using Helmet`
			`webRouter.use (req, res, next) ->`
			`isLoggedIn = AuthenticationController.isUserLoggedIn(req)`
			`isProjectPage = !!req.path.match('^/project/[a-f0-9]{24}$')`

			`helmet({ # note that more headers are added by default`
			`dnsPrefetchControl: false`
			`referrerPolicy: { policy: 'origin-when-cross-origin' }`
			`noCache: isLoggedIn \|\| isProjectPage`
remove extra security headers 2017-09-13 05:53:11 -04:00			`noSniff: false`
			`hsts: false`
			`frameguard: false`
add security headers using Helmet - use all Helmet's default headers except `X-DNS-Prefetch-Control` - use `Referrer-Policy` - use cache headers when: - a user is logged in, OR - a project is displayed 2017-09-12 05:16:40 -04:00			`})(req, res, next)`

Add in profiling end point 2015-02-03 06:05:23 -05:00			`profiler = require "v8-profiler"`
add public api router 2017-07-05 09:32:55 -04:00			`privateApiRouter.get "/profile", (req, res) ->`
Add in profiling end point 2015-02-03 06:05:23 -05:00			`time = parseInt(req.query.time \|\| "1000")`
			`profiler.startProfiling("test")`
			`setTimeout () ->`
			`profile = profiler.stopProfiling("test")`
			`res.json(profile)`
			`, time`
Intial open source comment 2014-02-12 05:23:40 -05:00
added heapdump endpoint 2015-11-30 11:16:16 -05:00			`app.get "/heapdump", (req, res)->`
persist cookie in redis for compiles. 2016-04-19 11:48:51 -04:00			`require('heapdump').writeSnapshot '/tmp/' + Date.now() + '.web.heapsnapshot', (err, filename)->`
added heapdump endpoint 2015-11-30 11:16:16 -05:00			`res.send filename`

Intial open source comment 2014-02-12 05:23:40 -05:00			`logger.info ("creating HTTP server").yellow`
			`server = require('http').createServer(app)`

use settings instead of ENV for web/api split 2017-06-06 06:31:29 -04:00			`# provide settings for separate web and api processes`
			`# if enableApiRouter and enableWebRouter are not defined they default`
			`# to true.`
			`notDefined = (x) -> !x?`
			`enableApiRouter = Settings.web?.enableApiRouter`
			`if enableApiRouter or notDefined(enableApiRouter)`
			`logger.info("providing api router");`
add public api router 2017-07-05 09:32:55 -04:00			`app.use(privateApiRouter)`
use settings instead of ENV for web/api split 2017-06-06 06:31:29 -04:00			`app.use(ErrorController.handleApiError)`

			`enableWebRouter = Settings.web?.enableWebRouter`
			`if enableWebRouter or notDefined(enableWebRouter)`
			`logger.info("providing web router");`
add public api router 2017-07-05 09:32:55 -04:00			`app.use(publicApiRouter) # public API goes with web router for public access`
use ApiErrorHandler on public api 2017-07-05 10:06:23 -04:00			`app.use(ErrorController.handleApiError)`
use settings instead of ENV for web/api split 2017-06-06 06:31:29 -04:00			`app.use(webRouter)`
			`app.use(ErrorController.handleError)`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00
add public api router 2017-07-05 09:32:55 -04:00			`router = new Router(webRouter, privateApiRouter, publicApiRouter)`
Intial open source comment 2014-02-12 05:23:40 -05:00
			`module.exports =`
			`app: app`
			`server: server`