wikijs/server/web.mjs

import bodyParser from 'body-parser'
import compression from 'compression'
import cookieParser from 'cookie-parser'
import cors from 'cors'
import express from 'express'
import session from 'express-session'
import KnexSessionStore from 'connect-session-knex'
import favicon from 'serve-favicon'
import path from 'node:path'
import { set } from 'lodash-es'

import auth from './core/auth.mjs'
import mail from './core/mail.mjs'
import system from './core/system.mjs'

import ctrlAuth from './controllers/auth.mjs'
import ctrlCommon from './controllers/common.mjs'
import ctrlSsl from './controllers/ssl.mjs'
import ctrlWs from './controllers/ws.mjs'

export async function init () {
  // ----------------------------------------
  // Load core modules
  // ----------------------------------------

  WIKI.auth = auth.init()
  WIKI.mail = mail.init()
  WIKI.system = system.init()

  // ----------------------------------------
  // Define Express App
  // ----------------------------------------

  const app = express()
  WIKI.app = app
  app.use(compression())

  // ----------------------------------------
  // Initialize HTTP/HTTPS Server
  // ----------------------------------------

  const useHTTPS = WIKI.config.ssl.enabled === true || WIKI.config.ssl.enabled === 'true' || WIKI.config.ssl.enabled === 1 || WIKI.config.ssl.enabled === '1'

  await WIKI.servers.initHTTP()
  if (useHTTPS) {
    await WIKI.servers.initHTTPS()
  }
  await WIKI.servers.initWebSocket()

  // ----------------------------------------
  // Attach WebSocket Server
  // ----------------------------------------

  ctrlWs()

  // ----------------------------------------
  // Security
  // ----------------------------------------

  app.use((req, res, next) => {
    // -> Disable X-Powered-By
    req.app.disable('x-powered-by')

    // -> Disable Frame Embedding
    if (WIKI.config.security.securityIframe) {
      res.set('X-Frame-Options', 'deny')
    }

    // -> Re-enable XSS Fitler if disabled
    res.set('X-XSS-Protection', '1; mode=block')

    // -> Disable MIME-sniffing
    res.set('X-Content-Type-Options', 'nosniff')

    // -> Disable IE Compatibility Mode
    res.set('X-UA-Compatible', 'IE=edge')

    // -> Disables referrer header when navigating to a different origin
    if (WIKI.config.security.securityReferrerPolicy) {
      res.set('Referrer-Policy', 'same-origin')
    }

    // -> Enforce HSTS
    if (WIKI.config.security.securityHSTS) {
      res.set('Strict-Transport-Security', `max-age=${WIKI.config.security.securityHSTSDuration}; includeSubDomains`)
    }

    // -> Prevent Open Redirect from user provided URL
    if (WIKI.config.security.securityOpenRedirect) {
      // Strips out all repeating / character in the provided URL
      req.url = req.url.replace(/(\/)(?=\/*\1)/g, '')
    }

    next()
  })
  app.use(cors({ origin: false }))
  app.options('*', cors({ origin: false }))
  if (WIKI.config.security.securityTrustProxy) {
    app.enable('trust proxy')
  }

  // ----------------------------------------
  // Public Assets
  // ----------------------------------------

  app.use(favicon(path.join(WIKI.ROOTPATH, 'assets', 'favicon.ico')))
  app.use('/_assets', express.static(path.join(WIKI.ROOTPATH, 'assets/_assets'), {
    index: false,
    maxAge: '7d'
  }))
  app.use('/_assets/svg/twemoji', async (req, res, next) => {
    try {
      WIKI.asar.serve('twemoji', req, res, next)
    } catch (err) {
      res.sendStatus(404)
    }
  })

  // ----------------------------------------
  // Blocks
  // ----------------------------------------

  app.use('/_blocks', express.static(path.join(WIKI.ROOTPATH, 'blocks/dist'), {
    index: false,
    maxAge: '7d'
  }))

  // ----------------------------------------
  // SSL Handlers
  // ----------------------------------------

  app.use('/', ctrlSsl())

  // ----------------------------------------
  // Passport Authentication
  // ----------------------------------------

  app.use(cookieParser())
  app.use(session({
    secret: WIKI.config.auth.secret,
    resave: false,
    saveUninitialized: false,
    store: new KnexSessionStore(session)({
      knex: WIKI.db.knex
    })
  }))
  app.use(WIKI.auth.passport.initialize())
  app.use(WIKI.auth.authenticate)

  // ----------------------------------------
  // GraphQL Server
  // ----------------------------------------

  app.use(bodyParser.json({ limit: WIKI.config.bodyParserLimit || '1mb' }))
  await WIKI.servers.startGraphQL()

  // ----------------------------------------
  // SEO
  // ----------------------------------------

  app.use((req, res, next) => {
    if (req.path.length > 1 && req.path.endsWith('/')) {
      let query = req.url.slice(req.path.length) || ''
      res.redirect(301, req.path.slice(0, -1) + query)
    } else {
      set(res.locals, 'pageMeta.url', `${WIKI.config.host}${req.path}`)
      next()
    }
  })

  // ----------------------------------------
  // View Engine Setup
  // ----------------------------------------

  app.set('views', path.join(WIKI.SERVERPATH, 'views'))
  app.set('view engine', 'pug')

  app.use(bodyParser.urlencoded({ extended: false, limit: '1mb' }))

  // ----------------------------------------
  // View accessible data
  // ----------------------------------------

  app.locals.analyticsCode = {}
  app.locals.basedir = WIKI.ROOTPATH
  app.locals.config = WIKI.config
  app.locals.pageMeta = {
    title: '',
    description: WIKI.config.description,
    image: '',
    url: '/'
  }
  app.locals.devMode = WIKI.devMode

  // ----------------------------------------
  // HMR (Dev Mode Only)
  // ----------------------------------------

  if (global.DEV) {
    app.use(global.WP_DEV.devMiddleware)
    app.use(global.WP_DEV.hotMiddleware)
  }

  // ----------------------------------------
  // Routing
  // ----------------------------------------

  app.use(async (req, res, next) => {
    const currentSite = await WIKI.db.sites.getSiteByHostname({ hostname: req.hostname })
    if (!currentSite) {
      return res.status(404).send('Site Not Found')
    }

    res.locals.siteConfig = {
      id: currentSite.id,
      title: currentSite.config.title,
      darkMode: currentSite.config.theme.dark,
      lang: currentSite.config.locales.primary,
      rtl: false, // TODO: handle RTL
      company: currentSite.config.company,
      contentLicense: currentSite.config.contentLicense
    }
    res.locals.theming = {

    }
    res.locals.langs = await WIKI.db.locales.getNavLocales({ cache: true })
    res.locals.analyticsCode = await WIKI.db.analytics.getCode({ cache: true })
    next()
  })

  app.use('/', ctrlAuth())
  app.use('/', ctrlCommon())

  // ----------------------------------------
  // Error handling
  // ----------------------------------------

  app.use((req, res, next) => {
    const err = new Error('Not Found')
    err.status = 404
    next(err)
  })

  app.use((err, req, res, next) => {
    if (req.path === '/_graphql') {
      res.status(err.status || 500).json({
        data: {},
        errors: [{
          message: err.message,
          path: []
        }]
      })
    } else {
      res.status(err.status || 500)
      set(res.locals, 'pageMeta.title', 'Error')
      res.render('error', {
        message: err.message,
        error: WIKI.IS_DEBUG ? err : {}
      })
    }
  })

  // ----------------------------------------
  // Start HTTP Server(s)
  // ----------------------------------------

  await WIKI.servers.startHTTP()

  if (useHTTPS) {
    await WIKI.servers.startHTTPS()
  }

  return true
}