src/middleware/headers.js

'use strict';

var os = require('os');
var winston = require('winston');
var _ = require('lodash');
const nconf = require('nconf');

var meta = require('../meta');
var languages = require('../languages');

module.exports = function (middleware) {
	middleware.addHeaders = function addHeaders(req, res, next) {
		var headers = {
			'X-Powered-By': encodeURI(meta.config['powered-by'] || 'NodeBB'),
			'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
			'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
			'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
		};

		if (meta.config['access-control-allow-origin']) {
			var origins = meta.config['access-control-allow-origin'].split(',');
			origins = origins.map(function (origin) {
				return origin && origin.trim();
			});

			if (origins.includes(req.get('origin'))) {
				headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
			}
		}

		if (meta.config['access-control-allow-origin-regex']) {
			var originsRegex = meta.config['access-control-allow-origin-regex'].split(',');
			originsRegex = originsRegex.map(function (origin) {
				try {
					origin = new RegExp(origin.trim());
				} catch (err) {
					winston.error('[middleware.addHeaders] Invalid RegExp For access-control-allow-origin ' + origin);
					origin = null;
				}
				return origin;
			});

			originsRegex.forEach(function (regex) {
				if (regex && regex.test(req.get('origin'))) {
					headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
				}
			});
		}

		if (meta.config['access-control-allow-credentials']) {
			headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];
		}

		if (process.env.NODE_ENV === 'development') {
			headers['X-Upstream-Hostname'] = os.hostname();
		}

		// Ensure that the session is valid. This block guards against edge-cases where the server-side session has
		// been deleted (but client-side cookie still exists).
		// req.session.flash is present if you visit register/login, so all logged-in users have it, but it is missing if your server-side session got destroyed.
		if (!req.session.flash && !req.session.meta && !res.get('Set-Cookie')) {
			res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
		}

		for (var key in headers) {
			if (headers.hasOwnProperty(key) && headers[key]) {
				res.setHeader(key, headers[key]);
			}
		}

		next();
	};

	let langs = [];
	middleware.autoLocale = function autoLocale(req, res, next) {
		if (parseInt(req.uid, 10) > 0 || !meta.config.autoDetectLang) {
			return next();
		}

		var lang = req.acceptsLanguages(langs);
		if (!lang) {
			return next();
		}
		req.query.lang = lang;
		next();
	};

	languages.listCodes(function (err, codes) {
		if (err) {
			winston.error('[middleware/autoLocale] Could not retrieve languages codes list!');
			codes = [];
		}

		winston.verbose('[middleware/autoLocale] Retrieves languages list for middleware');
		var defaultLang = meta.config.defaultLang || 'en-GB';

		langs = _.uniq([defaultLang, ...codes]);
	});
};
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`'use strict';`

appending X-Upstream-Hostname header in dev mode 2018-02-20 14:51:41 -05:00			`var os = require('os');`
closes #6556 2018-06-06 13:11:43 -04:00			`var winston = require('winston');`
fix: #7038, autoLocale logic not playing nicely with no-refresh auths (#7059) * fix: #7038, autoLocale logic not playing nicely with no-refresh auths - on login, req.query.lang is deleted (since it seems to be left over) - on logout, the middleware.autoLocale is executed, which resets req.query.lang - middleware.autoLocale is new, just refactored existing logic in webserver.js into new middleware method. * style: tests, use lodash * fix: timeago strings not switching languages on login or out 2018-12-07 11:29:20 -05:00			`var _ = require('lodash');`
fix: #8142, broken site if no server-side session (#8148) * fix: #8142, broken site if no server-side session During the `addHeader` middleware, a check is now done to see if `req.session.meta` is present. This value is only present if the user has a valid server-side session. If it is missing, then it is probably safe to assume that the server-side session was deleted (either intentionally or accidentally). In that scenario, the client-side cookie should be cleared. Also, there was an issue where the sessionRefresh flag was never cleared after a successful login, so that was fixed too. * feat: exported method to get cookie config * fix: don't clear cookie if cookie is being set * fix: socket.io tests Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com> 2020-02-06 15:52:37 -05:00			`const nconf = require('nconf');`
appending X-Upstream-Hostname header in dev mode 2018-02-20 14:51:41 -05:00
encodeURIComponent header values 2016-10-17 18:58:25 +03:00			`var meta = require('../meta');`
fix: #7038, autoLocale logic not playing nicely with no-refresh auths (#7059) * fix: #7038, autoLocale logic not playing nicely with no-refresh auths - on login, req.query.lang is deleted (since it seems to be left over) - on logout, the middleware.autoLocale is executed, which resets req.query.lang - middleware.autoLocale is new, just refactored existing logic in webserver.js into new middleware method. * style: tests, use lodash * fix: timeago strings not switching languages on login or out 2018-12-07 11:29:20 -05:00			`var languages = require('../languages');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`module.exports = function (middleware) {`
feat: give names to more middlewares 2018-12-17 16:23:38 -05:00			`middleware.addHeaders = function addHeaders(req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`var headers = {`
fix headers for new installs encodeURI(undefined) === "undefined" 2016-11-23 21:06:02 +03:00			`'X-Powered-By': encodeURI(meta.config['powered-by'] \|\| 'NodeBB'),`
			`'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',`
			`'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] \|\| ''),`
ESlint comma-dangle 2017-02-17 19:31:21 -07:00			`'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] \|\| ''),`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`

closes #5574 2017-04-06 17:56:54 -04:00			`if (meta.config['access-control-allow-origin']) {`
allow multiple origins for access-control-allow-origin header add access-control-allow-credentials header to acp 2018-03-20 12:24:55 -04:00			`var origins = meta.config['access-control-allow-origin'].split(',');`
			`origins = origins.map(function (origin) {`
			`return origin && origin.trim();`
			`});`

			`if (origins.includes(req.get('origin'))) {`
			`headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));`
			`}`
			`}`

closes #6556 2018-06-06 13:11:43 -04:00			`if (meta.config['access-control-allow-origin-regex']) {`
			`var originsRegex = meta.config['access-control-allow-origin-regex'].split(',');`
			`originsRegex = originsRegex.map(function (origin) {`
			`try {`
			`origin = new RegExp(origin.trim());`
			`} catch (err) {`
			`winston.error('[middleware.addHeaders] Invalid RegExp For access-control-allow-origin ' + origin);`
			`origin = null;`
			`}`
			`return origin;`
			`});`

			`originsRegex.forEach(function (regex) {`
			`if (regex && regex.test(req.get('origin'))) {`
			`headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));`
			`}`
			`});`
			`}`

allow multiple origins for access-control-allow-origin header add access-control-allow-credentials header to acp 2018-03-20 12:24:55 -04:00			`if (meta.config['access-control-allow-credentials']) {`
			`headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];`
closes #5574 2017-04-06 17:56:54 -04:00			`}`

appending X-Upstream-Hostname header in dev mode 2018-02-20 14:51:41 -05:00			`if (process.env.NODE_ENV === 'development') {`
			`headers['X-Upstream-Hostname'] = os.hostname();`
			`}`

fix: tweak to session validation in addHeaders 2020-02-18 16:06:00 -05:00			`// Ensure that the session is valid. This block guards against edge-cases where the server-side session has`
fix: #8142 invalid session warning if server-side session destroyed Resolved regression caused by 5a0c7c1497ed2de84ad317f7e3fcc6b1354b08eb 2020-05-15 16:41:05 -04:00			`// been deleted (but client-side cookie still exists).`
			`// req.session.flash is present if you visit register/login, so all logged-in users have it, but it is missing if your server-side session got destroyed.`
			`if (!req.session.flash && !req.session.meta && !res.get('Set-Cookie')) {`
fix: #8142, broken site if no server-side session (#8148) * fix: #8142, broken site if no server-side session During the `addHeader` middleware, a check is now done to see if `req.session.meta` is present. This value is only present if the user has a valid server-side session. If it is missing, then it is probably safe to assume that the server-side session was deleted (either intentionally or accidentally). In that scenario, the client-side cookie should be cleared. Also, there was an issue where the sessionRefresh flag was never cleared after a successful login, so that was fixed too. * feat: exported method to get cookie config * fix: don't clear cookie if cookie is being set * fix: socket.io tests Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com> 2020-02-06 15:52:37 -05:00			`res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());`
			`}`

encodeURIComponent header values 2016-10-17 18:58:25 +03:00			`for (var key in headers) {`
fix headers for new installs encodeURI(undefined) === "undefined" 2016-11-23 21:06:02 +03:00			`if (headers.hasOwnProperty(key) && headers[key]) {`
fixes #5230 2016-11-23 12:25:01 -05:00			`res.setHeader(key, headers[key]);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`}`
			`}`

			`next();`
			`};`
fix: #7038, autoLocale logic not playing nicely with no-refresh auths (#7059) * fix: #7038, autoLocale logic not playing nicely with no-refresh auths - on login, req.query.lang is deleted (since it seems to be left over) - on logout, the middleware.autoLocale is executed, which resets req.query.lang - middleware.autoLocale is new, just refactored existing logic in webserver.js into new middleware method. * style: tests, use lodash * fix: timeago strings not switching languages on login or out 2018-12-07 11:29:20 -05:00
			`let langs = [];`
feat: give names to more middlewares 2018-12-17 16:23:38 -05:00			`middleware.autoLocale = function autoLocale(req, res, next) {`
fix: #7038, autoLocale logic not playing nicely with no-refresh auths (#7059) * fix: #7038, autoLocale logic not playing nicely with no-refresh auths - on login, req.query.lang is deleted (since it seems to be left over) - on logout, the middleware.autoLocale is executed, which resets req.query.lang - middleware.autoLocale is new, just refactored existing logic in webserver.js into new middleware method. * style: tests, use lodash * fix: timeago strings not switching languages on login or out 2018-12-07 11:29:20 -05:00			`if (parseInt(req.uid, 10) > 0 \|\| !meta.config.autoDetectLang) {`
			`return next();`
			`}`

			`var lang = req.acceptsLanguages(langs);`
			`if (!lang) {`
			`return next();`
			`}`
			`req.query.lang = lang;`
			`next();`
			`};`

			`languages.listCodes(function (err, codes) {`
			`if (err) {`
			`winston.error('[middleware/autoLocale] Could not retrieve languages codes list!');`
			`codes = [];`
			`}`

			`winston.verbose('[middleware/autoLocale] Retrieves languages list for middleware');`
			`var defaultLang = meta.config.defaultLang \|\| 'en-GB';`

			`langs = _.uniq([defaultLang, ...codes]);`
			`});`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`