94 lines
2.9 KiB
JavaScript
94 lines
2.9 KiB
JavaScript
const path = require('path');
|
|
const express = require('express');
|
|
const session = require('express-session');
|
|
const expressLayouts = require('express-ejs-layouts');
|
|
const SqliteStoreFactory = require('better-sqlite3-session-store');
|
|
const { csrfSync } = require('csrf-sync');
|
|
const pinoHttp = require('pino-http');
|
|
|
|
const { db } = require('../db');
|
|
const SqliteStore = SqliteStoreFactory(session);
|
|
|
|
const app = express();
|
|
|
|
app.set('view engine', 'ejs');
|
|
app.set('views', path.join(__dirname, 'views'));
|
|
app.set('layout', 'layout');
|
|
app.use(expressLayouts);
|
|
app.set('trust proxy', 1);
|
|
|
|
app.use(pinoHttp());
|
|
|
|
app.use(express.urlencoded({ extended: false }));
|
|
app.use(express.json());
|
|
|
|
// Static assets (CSS, JS, vendor).
|
|
app.use('/static', express.static(path.join(__dirname, '..', 'public'), { maxAge: '1h' }));
|
|
|
|
// Cover art is served statically; audio goes through /stream/:id for Range support + access control later.
|
|
const mediaDir = process.env.MEDIA_DIR || path.join(__dirname, '..', 'media');
|
|
app.use('/media/covers', express.static(path.join(mediaDir, 'covers'), { maxAge: '1d' }));
|
|
|
|
app.use(session({
|
|
store: new SqliteStore({
|
|
client: db,
|
|
expired: { clear: true, intervalMs: 15 * 60 * 1000 },
|
|
}),
|
|
secret: process.env.SESSION_SECRET || 'dev-insecure-secret-change-me',
|
|
resave: false,
|
|
saveUninitialized: false,
|
|
cookie: {
|
|
httpOnly: true,
|
|
sameSite: 'lax',
|
|
maxAge: 30 * 24 * 60 * 60 * 1000,
|
|
secure: false, // flip to true behind HTTPS
|
|
},
|
|
}));
|
|
|
|
const { csrfSynchronisedProtection, generateToken } = csrfSync({
|
|
getTokenFromRequest: (req) => req.body && req.body._csrf,
|
|
});
|
|
|
|
// Attach helpers for templates.
|
|
app.use((req, res, next) => {
|
|
res.locals.user = req.session.user || null;
|
|
res.locals.flash = req.session.flash || null;
|
|
delete req.session.flash;
|
|
res.locals.csrfToken = generateToken(req);
|
|
res.locals.currentPath = req.path;
|
|
next();
|
|
});
|
|
|
|
// Flash helper.
|
|
app.use((req, _res, next) => {
|
|
req.flash = (type, message) => {
|
|
req.session.flash = { type, message };
|
|
};
|
|
next();
|
|
});
|
|
|
|
// Routes.
|
|
app.use('/', require('./routes/public'));
|
|
app.use('/', require('./routes/auth')(csrfSynchronisedProtection));
|
|
app.use('/account', require('./routes/account')(csrfSynchronisedProtection));
|
|
app.use('/admin/users', require('./routes/users-admin')(csrfSynchronisedProtection));
|
|
app.use('/admin', require('./routes/admin')(csrfSynchronisedProtection));
|
|
|
|
// 404.
|
|
app.use((req, res) => {
|
|
res.status(404).render('error', { title: 'Not found', message: 'Page not found.' });
|
|
});
|
|
|
|
// Error handler.
|
|
// eslint-disable-next-line no-unused-vars
|
|
app.use((err, req, res, _next) => {
|
|
req.log ? req.log.error({ err }, 'request failed') : console.error(err);
|
|
const status = err.status || 500;
|
|
res.status(status).render('error', {
|
|
title: status === 403 ? 'Forbidden' : 'Error',
|
|
message: err.expose ? err.message : (status === 403 ? 'Forbidden.' : 'Something went wrong.'),
|
|
});
|
|
});
|
|
|
|
module.exports = app;
|