const path = require('path'); const express = require('express'); const session = require('express-session'); const expressLayouts = require('express-ejs-layouts'); const SqliteStoreFactory = require('better-sqlite3-session-store'); const { csrfSync } = require('csrf-sync'); const pinoHttp = require('pino-http'); const { db } = require('../db'); const SqliteStore = SqliteStoreFactory(session); const notifications = require('./services/notifications'); const settings = require('./services/settings'); const app = express(); app.set('view engine', 'ejs'); app.set('views', path.join(__dirname, 'views')); app.set('layout', 'layout'); app.use(expressLayouts); app.set('trust proxy', 1); app.use(pinoHttp()); app.use(express.urlencoded({ extended: false })); app.use(express.json()); // Service worker — must be at root scope to intercept all page requests. app.get('/sw.js', (req, res) => { res.set('Service-Worker-Allowed', '/'); res.sendFile(path.join(__dirname, '..', 'public', 'sw.js')); }); // Static assets (CSS, JS, vendor). app.use('/static', express.static(path.join(__dirname, '..', 'public'), { maxAge: '1h' })); // Cover art is served statically; audio goes through /stream/:id for Range support + access control later. const mediaDir = process.env.MEDIA_DIR || path.join(__dirname, '..', 'media'); app.use('/media/covers', express.static(path.join(mediaDir, 'covers'), { maxAge: '1d' })); app.use('/media/avatars', express.static(path.join(mediaDir, 'avatars'), { maxAge: '1d' })); app.use('/media/generated', express.static(path.join(mediaDir, 'generated'), { maxAge: '0' })); app.use('/static/vendor/cropperjs', express.static( path.join(__dirname, '..', 'node_modules', 'cropperjs', 'dist') )); app.use(session({ store: new SqliteStore({ client: db, expired: { clear: true, intervalMs: 15 * 60 * 1000 }, }), secret: process.env.SESSION_SECRET || 'dev-insecure-secret-change-me', resave: false, saveUninitialized: false, cookie: { httpOnly: true, sameSite: 'lax', maxAge: 30 * 24 * 60 * 60 * 1000, secure: false, // flip to true behind HTTPS }, })); const { csrfSynchronisedProtection, generateToken } = csrfSync({ getTokenFromRequest: (req) => req.body?._csrf || req.headers['x-csrf-token'], }); // Attach helpers for templates. app.use((req, res, next) => { res.locals.siteName = process.env.SITE_NAME || 'Bri-Tunes'; res.locals.appBaseUrl = process.env.APP_BASE_URL || 'http://localhost:3000'; res.locals.user = req.session.user || null; res.locals.flash = req.session.flash || null; delete req.session.flash; res.locals.csrfToken = generateToken(req); res.locals.currentPath = req.path; res.locals.unreadNotifCount = req.session.user ? notifications.countUnread(req.session.user.id) : 0; res.locals.generationEnabled = settings.isGenerationEnabled(); next(); }); // Flash helper. app.use((req, _res, next) => { req.flash = (type, message) => { req.session.flash = { type, message }; }; next(); }); // Routes. app.use('/api', require('./routes/social')(csrfSynchronisedProtection)); app.use('/', require('./routes/public')); app.use('/', require('./routes/auth')(csrfSynchronisedProtection)); app.use('/account', require('./routes/account')(csrfSynchronisedProtection)); app.use('/admin', require('./routes/admin-panel')(csrfSynchronisedProtection)); app.use('/generate', require('./routes/generate')(csrfSynchronisedProtection)); app.use('/mymusic', require('./routes/admin')(csrfSynchronisedProtection)); // 404. app.use((req, res) => { res.status(404).render('error', { title: 'Not found', message: 'Page not found.' }); }); // Error handler. // eslint-disable-next-line no-unused-vars app.use((err, req, res, _next) => { req.log ? req.log.error({ err }, 'request failed') : console.error(err); const status = err.status || 500; res.status(status).render('error', { title: status === 403 ? 'Forbidden' : 'Error', message: err.expose ? err.message : (status === 403 ? 'Forbidden.' : 'Something went wrong.'), }); }); module.exports = app;