2024-08-22 11:40:31 +02:00
|
|
|
import express from "express";
|
2025-02-07 17:27:45 +01:00
|
|
|
import type { Express, NextFunction, Request, RequestHandler, Response } from "express";
|
2024-08-22 11:40:31 +02:00
|
|
|
import cors from "cors";
|
2025-02-07 17:27:45 +01:00
|
|
|
import helmet from "helmet";
|
|
|
|
|
import morgan from "morgan";
|
|
|
|
|
import rateLimit from "express-rate-limit";
|
2024-08-22 11:40:31 +02:00
|
|
|
|
2024-08-25 13:36:19 +02:00
|
|
|
import allowSetup from "../middleware/allowSetup";
|
2024-08-22 11:40:31 +02:00
|
|
|
import authenticate from "../middleware/authenticate";
|
2024-08-25 13:36:19 +02:00
|
|
|
import errorHandler from "../middleware/errorHandler";
|
2024-08-22 11:40:31 +02:00
|
|
|
|
2024-10-27 11:47:13 +01:00
|
|
|
import publicAvailable from "./public";
|
2024-08-25 13:36:19 +02:00
|
|
|
import setup from "./setup";
|
2024-11-23 14:25:31 +01:00
|
|
|
import invite from "./invite";
|
2024-11-23 12:11:19 +01:00
|
|
|
import reset from "./reset";
|
2024-08-22 11:40:31 +02:00
|
|
|
import auth from "./auth";
|
2024-09-01 14:55:05 +02:00
|
|
|
import admin from "./admin/index";
|
2024-11-20 09:32:43 +01:00
|
|
|
import user from "./user";
|
2025-01-11 14:45:37 +01:00
|
|
|
import detectPWA from "../middleware/detectPWA";
|
2025-01-27 15:16:12 +01:00
|
|
|
import webapi from "./webapi";
|
2025-01-22 09:27:15 +01:00
|
|
|
import authenticateAPI from "../middleware/authenticateAPI";
|
2025-01-23 11:21:54 +01:00
|
|
|
import server from "./server";
|
|
|
|
|
import PermissionHelper from "../helpers/permissionHelper";
|
2025-01-27 15:16:12 +01:00
|
|
|
import preventWebapiAccess from "../middleware/preventWebApiAccess";
|
2025-02-08 09:30:41 +01:00
|
|
|
import ms from "ms";
|
|
|
|
|
import {
|
|
|
|
|
SECURITY_LIMIT_REQUEST_COUNT,
|
|
|
|
|
SECURITY_LIMIT_WINDOW,
|
|
|
|
|
SECURITY_STRICT_LIMIT_REQUEST_COUNT,
|
|
|
|
|
SECURITY_STRICT_LIMIT_WINDOW,
|
|
|
|
|
USE_SECURITY_LIMIT,
|
|
|
|
|
USE_SECURITY_STRICT_LIMIT,
|
|
|
|
|
} from "../env.defaults";
|
2024-08-22 11:40:31 +02:00
|
|
|
|
2025-02-07 17:27:45 +01:00
|
|
|
const strictLimiter = rateLimit({
|
2025-02-08 09:30:41 +01:00
|
|
|
windowMs: ms(SECURITY_STRICT_LIMIT_WINDOW),
|
|
|
|
|
max: SECURITY_STRICT_LIMIT_REQUEST_COUNT,
|
|
|
|
|
message: `Zu viele Anmeldeversuche innerhalb von ${SECURITY_STRICT_LIMIT_WINDOW}. Bitte warten.`,
|
|
|
|
|
skipSuccessfulRequests: true,
|
|
|
|
|
skip: () => {
|
|
|
|
|
return USE_SECURITY_STRICT_LIMIT == "false";
|
|
|
|
|
},
|
2025-02-07 17:27:45 +01:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const generalLimiter = rateLimit({
|
2025-02-08 09:30:41 +01:00
|
|
|
windowMs: ms(SECURITY_LIMIT_WINDOW),
|
|
|
|
|
max: SECURITY_LIMIT_REQUEST_COUNT,
|
|
|
|
|
message: `Zu viele Anfragen innerhalb von ${SECURITY_LIMIT_WINDOW}. Bitte warten.`,
|
|
|
|
|
skipSuccessfulRequests: true,
|
|
|
|
|
skip: () => {
|
|
|
|
|
return USE_SECURITY_LIMIT == "false";
|
|
|
|
|
},
|
2025-02-07 17:27:45 +01:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
function excludePaths(middleware: RequestHandler, excludedPaths: Array<string>) {
|
|
|
|
|
return (req: Request, res: Response, next: NextFunction) => {
|
|
|
|
|
if (excludedPaths.includes(req.path)) {
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
return middleware(req, res, next);
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-22 11:40:31 +02:00
|
|
|
export default (app: Express) => {
|
|
|
|
|
app.set("query parser", "extended");
|
2025-02-07 17:27:45 +01:00
|
|
|
app.use(cors());
|
|
|
|
|
app.options("*", cors());
|
|
|
|
|
app.use(helmet());
|
|
|
|
|
app.use(morgan("short"));
|
2024-08-22 11:40:31 +02:00
|
|
|
app.use(express.json());
|
|
|
|
|
app.use(
|
|
|
|
|
express.urlencoded({
|
|
|
|
|
extended: true,
|
|
|
|
|
})
|
|
|
|
|
);
|
|
|
|
|
|
2025-01-11 14:45:37 +01:00
|
|
|
app.use(detectPWA);
|
2024-11-27 17:06:41 +01:00
|
|
|
app.use("/api/public", publicAvailable);
|
2025-02-07 17:27:45 +01:00
|
|
|
app.use("/api/setup", strictLimiter, preventWebapiAccess, allowSetup, setup);
|
|
|
|
|
app.use("/api/reset", strictLimiter, preventWebapiAccess, reset);
|
|
|
|
|
app.use("/api/invite", strictLimiter, preventWebapiAccess, invite);
|
|
|
|
|
app.use("/api/auth", strictLimiter, preventWebapiAccess, auth);
|
2025-01-27 15:16:12 +01:00
|
|
|
app.use("/api/webapi", authenticateAPI, webapi);
|
2024-08-22 11:40:31 +02:00
|
|
|
app.use(authenticate);
|
2025-02-07 17:27:45 +01:00
|
|
|
app.use(excludePaths(generalLimiter, ["/synchronize"]));
|
2024-11-27 17:06:41 +01:00
|
|
|
app.use("/api/admin", admin);
|
2025-01-27 15:16:12 +01:00
|
|
|
app.use("/api/user", preventWebapiAccess, user);
|
|
|
|
|
app.use("/api/server", preventWebapiAccess, PermissionHelper.isAdminMiddleware(), server);
|
2024-08-22 11:40:31 +02:00
|
|
|
app.use(errorHandler);
|
|
|
|
|
};
|
