src/middleware/index.js

"use strict";

var async = require('async');
var fs = require('fs');
var path = require('path');
var csrf = require('csurf');
var validator = require('validator');
var nconf = require('nconf');
var ensureLoggedIn = require('connect-ensure-login');
var toobusy = require('toobusy-js');

var plugins = require('../plugins');
var languages = require('../languages');
var meta = require('../meta');
var user = require('../user');
var groups = require('../groups');

var analytics = require('../analytics');

var controllers = {
	api: require('./../controllers/api'),
	helpers: require('../controllers/helpers')
};

var middleware = {};

middleware.applyCSRF = csrf();

middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');

require('./admin')(middleware);
require('./header')(middleware);
require('./render')(middleware);
require('./maintenance')(middleware);
require('./user')(middleware);
require('./headers')(middleware);

middleware.authenticate = function (req, res, next) {
	if (req.user) {
		return next();
	} else if (plugins.hasListeners('action:middleware.authenticate')) {
		return plugins.fireHook('action:middleware.authenticate', {
			req: req,
			res: res,
			next: next
		});
	}

	controllers.helpers.notAllowed(req, res);
};

middleware.ensureSelfOrGlobalPrivilege = function (req, res, next) {
	/*
		The "self" part of this middleware hinges on you having used
		middleware.exposeUid prior to invoking this middleware.
	*/
	if (req.user) {
		if (req.user.uid === res.locals.uid) {
			return next();
		}

		user.isAdminOrGlobalMod(req.uid, function (err, ok) {
			if (err) {
				return next(err);
			} else if (ok) {
				return next();
			} else {
				controllers.helpers.notAllowed(req, res);
			}
		});
	} else {
		controllers.helpers.notAllowed(req, res);
	}
};

middleware.pageView = function (req, res, next) {
	analytics.pageView({
		ip: req.ip,
		path: req.path,
		uid: req.uid
	});

	plugins.fireHook('action:middleware.pageView', {req: req});

	if (req.user) {
		user.updateLastOnlineTime(req.user.uid);
		if (req.path.startsWith('/api/users') || req.path.startsWith('/users')) {
			user.updateOnlineUsers(req.user.uid, next);
		} else {
			user.updateOnlineUsers(req.user.uid);
			next();
		}
	} else {
		next();
	}
};


middleware.pluginHooks = function (req, res, next) {
	async.each(plugins.loadedHooks['filter:router.page'] || [], function (hookObj, next) {
		hookObj.method(req, res, next);
	}, function () {
		// If it got here, then none of the subscribed hooks did anything, or there were no hooks
		next();
	});
};

middleware.validateFiles = function (req, res, next) {
	if (!Array.isArray(req.files.files) || !req.files.files.length) {
		return next(new Error(['[[error:invalid-files]]']));
	}

	next();
};

middleware.prepareAPI = function (req, res, next) {
	res.locals.isAPI = true;
	next();
};

middleware.routeTouchIcon = function (req, res) {
	if (meta.config['brand:touchIcon'] && validator.isURL(meta.config['brand:touchIcon'])) {
		return res.redirect(meta.config['brand:touchIcon']);
	} else {
		return res.sendFile(path.join(__dirname, '../../public', meta.config['brand:touchIcon'] || '/logo.png'), {
			maxAge: req.app.enabled('cache') ? 5184000000 : 0
		});
	}
};

middleware.privateTagListing = function (req, res, next) {
	if (!req.user && parseInt(meta.config.privateTagListing, 10) === 1) {
		controllers.helpers.notAllowed(req, res);
	} else {
		next();
	}
};

middleware.exposeGroupName = function (req, res, next) {
	expose('groupName', groups.getGroupNameByGroupSlug, 'slug', req, res, next);
};

middleware.exposeUid = function (req, res, next) {
	expose('uid', user.getUidByUserslug, 'userslug', req, res, next);
};

function expose(exposedField, method, field, req, res, next) {
	if (!req.params.hasOwnProperty(field)) {
		return next();
	}
	method(req.params[field], function (err, id) {
		if (err) {
			return next(err);
		}

		res.locals[exposedField] = id;
		next();
	});
}

middleware.privateUploads = function (req, res, next) {
	if (req.user || parseInt(meta.config.privateUploads, 10) !== 1) {
		return next();
	}
	if (req.path.startsWith('/uploads/files')) {
		return res.status(403).json('not-allowed');
	}
	next();
};

middleware.busyCheck = function (req, res, next) {
	if (global.env === 'production' && (!meta.config.hasOwnProperty('eventLoopCheckEnabled') || parseInt(meta.config.eventLoopCheckEnabled, 10) === 1) && toobusy()) {
		analytics.increment('errors:503');
		res.status(503).type('text/html').sendFile(path.join(__dirname, '../../public/503.html'));
	} else {
		next();
	}
};

middleware.applyBlacklist = function (req, res, next) {
	meta.blacklist.test(req.ip, function (err) {
		next(err);
	});
};

middleware.getTranslation = function (req, res, next) {
	var language = req.params.language;
	var namespace = req.params[0];

	if (language && namespace) {
		languages.get(language, namespace, function (err, translations) {
			if (err) {
				return next(err);
			}

			res.status(200).json(translations);
		});
	} else {
		res.status(404).json('{}');
	}
};

middleware.processTimeagoLocales = function (req, res, next) {
	var fallback = req.path.indexOf('-short') === -1 ? 'jquery.timeago.en.js' : 'jquery.timeago.en-short.js',
		localPath = path.join(__dirname, '../../public/vendor/jquery/timeago/locales', req.path),
		exists;

	try {
		exists = fs.accessSync(localPath, fs.F_OK | fs.R_OK);
	} catch(e) {
		exists = false;
	}

	if (exists) {
		res.status(200).sendFile(localPath, {
			maxAge: req.app.enabled('cache') ? 5184000000 : 0
		});
	} else {
		res.status(200).sendFile(path.join(__dirname, '../../public/vendor/jquery/timeago/locales', fallback), {
			maxAge: req.app.enabled('cache') ? 5184000000 : 0
		});
	}
};


module.exports = middleware;
random jshinting expedition 2014-03-02 14:45:57 -05:00			`"use strict";`

organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`var async = require('async');`
			`var fs = require('fs');`
			`var path = require('path');`
			`var csrf = require('csurf');`
			`var validator = require('validator');`
			`var nconf = require('nconf');`
			`var ensureLoggedIn = require('connect-ensure-login');`
			`var toobusy = require('toobusy-js');`

			`var plugins = require('../plugins');`
			`var languages = require('../languages');`
			`var meta = require('../meta');`
			`var user = require('../user');`
			`var groups = require('../groups');`

			`var analytics = require('../analytics');`

			`var controllers = {`
			`api: require('./../controllers/api'),`
			`helpers: require('../controllers/helpers')`
			`};`
moved all app.configure() code into middleware/index.js + organization/cleanup 2014-03-01 17:26:26 -05:00
avoid doing nconf.get over and over again on the same key 2014-04-15 02:16:03 -04:00			`var middleware = {};`
one final push, cleanup + organize + lint; made feeds/meta/plugins routes follow same pattern as other route files 2014-03-05 17:06:24 -05:00
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`middleware.applyCSRF = csrf();`

			`middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');`

			`require('./admin')(middleware);`
			`require('./header')(middleware);`
			`require('./render')(middleware);`
			`require('./maintenance')(middleware);`
			`require('./user')(middleware);`
			`require('./headers')(middleware);`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.authenticate = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`if (req.user) {`
			`return next();`
			`} else if (plugins.hasListeners('action:middleware.authenticate')) {`
			`return plugins.fireHook('action:middleware.authenticate', {`
			`req: req,`
			`res: res,`
			`next: next`
			`});`
closes #2278 2014-10-17 19:37:09 -04:00			`}`

organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`controllers.helpers.notAllowed(req, res);`
			`};`
cleanup 2014-11-19 17:48:43 -05:00
updated revoke session middleware to allow self or admin or global mod invocation, tweaked tests a bit 2016-12-02 10:50:42 -05:00			`middleware.ensureSelfOrGlobalPrivilege = function (req, res, next) {`
			`/*`
			`The "self" part of this middleware hinges on you having used`
			`middleware.exposeUid prior to invoking this middleware.`
			`*/`
locking down session deletion route to admins and global mods only 2016-12-02 09:49:52 -05:00			`if (req.user) {`
updated revoke session middleware to allow self or admin or global mod invocation, tweaked tests a bit 2016-12-02 10:50:42 -05:00			`if (req.user.uid === res.locals.uid) {`
			`return next();`
			`}`

locking down session deletion route to admins and global mods only 2016-12-02 09:49:52 -05:00			`user.isAdminOrGlobalMod(req.uid, function (err, ok) {`
linting :shipit: 2016-12-02 10:07:33 -05:00			`if (err) {`
			`return next(err);`
			`} else if (ok) {`
locking down session deletion route to admins and global mods only 2016-12-02 09:49:52 -05:00			`return next();`
			`} else {`
			`controllers.helpers.notAllowed(req, res);`
			`}`
			`});`
			`} else {`
			`controllers.helpers.notAllowed(req, res);`
			`}`
			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.pageView = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`analytics.pageView({`
			`ip: req.ip,`
			`path: req.path,`
use req.uid :+1: 2016-08-26 18:55:44 +03:00			`uid: req.uid`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`});`

			`plugins.fireHook('action:middleware.pageView', {req: req});`

			`if (req.user) {`
			`user.updateLastOnlineTime(req.user.uid);`
			`if (req.path.startsWith('/api/users') \|\| req.path.startsWith('/users')) {`
			`user.updateOnlineUsers(req.user.uid, next);`
			`} else {`
			`user.updateOnlineUsers(req.user.uid);`
			`next();`
			`}`
			`} else {`
			`next();`
			`}`
			`};`
moved middleware out of webserver.js and into middleware.js 2014-03-02 14:16:16 -05:00
enabling view cache, since we require server restart on theme changes it doesn't hurt 2014-05-05 16:56:01 -04:00
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.pluginHooks = function (req, res, next) {`
			`async.each(plugins.loadedHooks['filter:router.page'] \|\| [], function (hookObj, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`hookObj.method(req, res, next);`
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`}, function () {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`// If it got here, then none of the subscribed hooks did anything, or there were no hooks`
			`next();`
			`});`
			`};`
moved all app.configure() code into middleware/index.js + organization/cleanup 2014-03-01 17:26:26 -05:00
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.validateFiles = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`if (!Array.isArray(req.files.files) \|\| !req.files.files.length) {`
			`return next(new Error(['[[error:invalid-files]]']));`
			`}`
moved all app.configure() code into middleware/index.js + organization/cleanup 2014-03-01 17:26:26 -05:00
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`next();`
			`};`
only use multipart on upload routes, delete temp files if there is an error in admin, admin/mods should see topic reply 2014-10-22 18:25:57 -04:00
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.prepareAPI = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`res.locals.isAPI = true;`
			`next();`
			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.routeTouchIcon = function (req, res) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`if (meta.config['brand:touchIcon'] && validator.isURL(meta.config['brand:touchIcon'])) {`
			`return res.redirect(meta.config['brand:touchIcon']);`
			`} else {`
			`return res.sendFile(path.join(__dirname, '../../public', meta.config['brand:touchIcon'] \|\| '/logo.png'), {`
			`maxAge: req.app.enabled('cache') ? 5184000000 : 0`
			`});`
			`}`
			`};`
moved all app.configure() code into middleware/index.js + organization/cleanup 2014-03-01 17:26:26 -05:00
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.privateTagListing = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`if (!req.user && parseInt(meta.config.privateTagListing, 10) === 1) {`
			`controllers.helpers.notAllowed(req, res);`
			`} else {`
			`next();`
			`}`
			`};`
moved all app.configure() code into middleware/index.js + organization/cleanup 2014-03-01 17:26:26 -05:00
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.exposeGroupName = function (req, res, next) {`
adde expose methods back used by plugins 2016-09-14 21:21:32 +03:00			`expose('groupName', groups.getGroupNameByGroupSlug, 'slug', req, res, next);`
			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.exposeUid = function (req, res, next) {`
adde expose methods back used by plugins 2016-09-14 21:21:32 +03:00			`expose('uid', user.getUidByUserslug, 'userslug', req, res, next);`
			`};`

			`function expose(exposedField, method, field, req, res, next) {`
			`if (!req.params.hasOwnProperty(field)) {`
			`return next();`
			`}`
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`method(req.params[field], function (err, id) {`
adde expose methods back used by plugins 2016-09-14 21:21:32 +03:00			`if (err) {`
			`return next(err);`
			`}`

			`res.locals[exposedField] = id;`
			`next();`
			`});`
			`}`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.privateUploads = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`if (req.user \|\| parseInt(meta.config.privateUploads, 10) !== 1) {`
			`return next();`
Allow session cookie domain customization 2014-07-24 22:26:19 +02:00			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`if (req.path.startsWith('/uploads/files')) {`
			`return res.status(403).json('not-allowed');`
			`}`
			`next();`
			`};`
fixed #1988 2014-08-13 16:03:33 -04:00
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.busyCheck = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`if (global.env === 'production' && (!meta.config.hasOwnProperty('eventLoopCheckEnabled') \|\| parseInt(meta.config.eventLoopCheckEnabled, 10) === 1) && toobusy()) {`
			`analytics.increment('errors:503');`
			`res.status(503).type('text/html').sendFile(path.join(__dirname, '../../public/503.html'));`
			`} else {`
			`next();`
closes #3435 2015-08-17 14:53:37 -04:00			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.applyBlacklist = function (req, res, next) {`
			`meta.blacklist.test(req.ip, function (err) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`next(err);`
			`});`
			`};`

Standard language codes (#5218) * Use standard language codes. Fallback for plugins. * Fix transifex config * Tab vs space here for some reason * Remove redundancies * config.relative_path instead of allcaps * added upgrade script for existing users' accounts 2016-11-23 09:50:49 -07:00			`middleware.getTranslation = function (req, res, next) {`
			`var language = req.params.language;`
Fix reverse proxies breaking admin translations 2017-01-07 22:48:57 -07:00			`var namespace = req.params[0];`
rm cls because it's not ready yet 2016-06-24 16:57:58 -04:00
Standard language codes (#5218) * Use standard language codes. Fallback for plugins. * Fix transifex config * Tab vs space here for some reason * Remove redundancies * config.relative_path instead of allcaps * added upgrade script for existing users' accounts 2016-11-23 09:50:49 -07:00			`if (language && namespace) {`
			`languages.get(language, namespace, function (err, translations) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`if (err) {`
			`return next(err);`
			`}`

Standard language codes (#5218) * Use standard language codes. Fallback for plugins. * Fix transifex config * Tab vs space here for some reason * Remove redundancies * config.relative_path instead of allcaps * added upgrade script for existing users' accounts 2016-11-23 09:50:49 -07:00			`res.status(200).json(translations);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`});`
			`} else {`
			`res.status(404).json('{}');`
Made the session cookie aware of the possible relative path (#4663) 2016-05-18 18:43:46 +02:00			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`
closes #3435 2015-08-17 14:53:37 -04:00
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.processTimeagoLocales = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`var fallback = req.path.indexOf('-short') === -1 ? 'jquery.timeago.en.js' : 'jquery.timeago.en-short.js',`
			`localPath = path.join(__dirname, '../../public/vendor/jquery/timeago/locales', req.path),`
			`exists;`
moved all app.configure() code into middleware/index.js + organization/cleanup 2014-03-01 17:26:26 -05:00
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`try {`
			`exists = fs.accessSync(localPath, fs.F_OK \| fs.R_OK);`
			`} catch(e) {`
			`exists = false;`
			`}`
moved middleware out of webserver.js and into middleware.js 2014-03-02 14:16:16 -05:00
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`if (exists) {`
			`res.status(200).sendFile(localPath, {`
			`maxAge: req.app.enabled('cache') ? 5184000000 : 0`
			`});`
			`} else {`
			`res.status(200).sendFile(path.join(__dirname, '../../public/vendor/jquery/timeago/locales', fallback), {`
			`maxAge: req.app.enabled('cache') ? 5184000000 : 0`
			`});`
			`}`
Add missing new lines at end of files. 2014-04-10 20:31:57 +01:00			`};`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00

			`module.exports = middleware;`