Bri-Tunes/src/app.js

const path = require('path');
const express = require('express');
const session = require('express-session');
const expressLayouts = require('express-ejs-layouts');
const SqliteStoreFactory = require('better-sqlite3-session-store');
const { csrfSync } = require('csrf-sync');
const pinoHttp = require('pino-http');

const { db } = require('../db');
const SqliteStore = SqliteStoreFactory(session);
const notifications = require('./services/notifications');
const settings      = require('./services/settings');

const app = express();

app.set('view engine', 'ejs');
app.set('views', path.join(__dirname, 'views'));
app.set('layout', 'layout');
app.use(expressLayouts);
app.set('trust proxy', 1);

app.use(pinoHttp());

app.use(express.urlencoded({ extended: false }));
app.use(express.json());

// Service worker — must be at root scope to intercept all page requests.
app.get('/sw.js', (req, res) => {
  res.set('Service-Worker-Allowed', '/');
  res.sendFile(path.join(__dirname, '..', 'public', 'sw.js'));
});

// Static assets (CSS, JS, vendor).
app.use('/static', express.static(path.join(__dirname, '..', 'public'), { maxAge: '1h' }));

// Cover art is served statically; audio goes through /stream/:id for Range support + access control later.
const mediaDir = process.env.MEDIA_DIR || path.join(__dirname, '..', 'media');
app.use('/media/covers',    express.static(path.join(mediaDir, 'covers'),    { maxAge: '1d' }));
app.use('/media/avatars',   express.static(path.join(mediaDir, 'avatars'),   { maxAge: '1d' }));
app.use('/media/generated', express.static(path.join(mediaDir, 'generated'), { maxAge: '0' }));
app.use('/static/vendor/cropperjs', express.static(
  path.join(__dirname, '..', 'node_modules', 'cropperjs', 'dist')
));

app.use(session({
  store: new SqliteStore({
    client: db,
    expired: { clear: true, intervalMs: 15 * 60 * 1000 },
  }),
  secret: process.env.SESSION_SECRET || 'dev-insecure-secret-change-me',
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true,
    sameSite: 'lax',
    maxAge: 30 * 24 * 60 * 60 * 1000,
    secure: false, // flip to true behind HTTPS
  },
}));

const { csrfSynchronisedProtection, generateToken } = csrfSync({
  getTokenFromRequest: (req) => req.body?._csrf || req.headers['x-csrf-token'],
});

// Attach helpers for templates.
app.use((req, res, next) => {
  res.locals.siteName   = process.env.SITE_NAME    || 'Bri-Tunes';
  res.locals.appBaseUrl = process.env.APP_BASE_URL || 'http://localhost:3000';
  res.locals.user = req.session.user || null;
  res.locals.flash = req.session.flash || null;
  delete req.session.flash;
  res.locals.csrfToken = generateToken(req);
  res.locals.currentPath = req.path;
  res.locals.unreadNotifCount  = req.session.user ? notifications.countUnread(req.session.user.id) : 0;
  res.locals.generationEnabled = settings.isGenerationEnabled();
  next();
});

// Flash helper.
app.use((req, _res, next) => {
  req.flash = (type, message) => {
    req.session.flash = { type, message };
  };
  next();
});

// Routes.
app.use('/api', require('./routes/social')(csrfSynchronisedProtection));
app.use('/', require('./routes/public'));
app.use('/', require('./routes/auth')(csrfSynchronisedProtection));
app.use('/account', require('./routes/account')(csrfSynchronisedProtection));
app.use('/admin',    require('./routes/admin-panel')(csrfSynchronisedProtection));
app.use('/generate', require('./routes/generate')(csrfSynchronisedProtection));
app.use('/mymusic',  require('./routes/admin')(csrfSynchronisedProtection));

// 404.
app.use((req, res) => {
  res.status(404).render('error', { title: 'Not found', message: 'Page not found.' });
});

// Error handler.
// eslint-disable-next-line no-unused-vars
app.use((err, req, res, _next) => {
  req.log ? req.log.error({ err }, 'request failed') : console.error(err);
  const status = err.status || 500;
  res.status(status).render('error', {
    title: status === 403 ? 'Forbidden' : 'Error',
    message: err.expose ? err.message : (status === 403 ? 'Forbidden.' : 'Something went wrong.'),
  });
});

module.exports = app;