thelounge/src/server.js

"use strict";

var _ = require("lodash");
var pkg = require("../package.json");
var bcrypt = require("bcrypt-nodejs");
var Client = require("./client");
var ClientManager = require("./clientManager");
var express = require("express");
var fs = require("fs");
var io = require("socket.io");
var dns = require("dns");
var Helper = require("./helper");

var manager = null;

module.exports = function() {
	manager = new ClientManager();

	var app = express()
		.use(allRequests)
		.use(index)
		.use(express.static("client"));

	var config = Helper.config;
	var server = null;

	if (!config.https.enable) {
		server = require("http");
		server = server.createServer(app).listen(config.port, config.host);
	} else {
		server = require("spdy");
		server = server.createServer({
			key: fs.readFileSync(Helper.expandHome(config.https.key)),
			cert: fs.readFileSync(Helper.expandHome(config.https.certificate))
		}, app).listen(config.port, config.host);
	}

	if (config.identd.enable) {
		if (manager.identHandler) {
			log.warn("Using both identd and oidentd at the same time!");
		}

		require("./identd").start(config.identd.port);
	}

	var sockets = io(server, {
		transports: config.transports
	});

	sockets.on("connect", function(socket) {
		if (config.public) {
			auth.call(socket);
		} else {
			init(socket);
		}
	});

	manager.sockets = sockets;

	var protocol = config.https.enable ? "https" : "http";
	log.info("The Lounge v" + pkg.version + " is now running on", protocol + "://" + (config.host || "*") + ":" + config.port + "/", (config.public ? "in public mode" : "in private mode"));
	log.info("Press ctrl-c to stop\n");

	if (!config.public) {
		manager.loadUsers();
		if (config.autoload) {
			manager.autoload();
		}
	}
};

function getClientIp(req) {
	if (!Helper.config.reverseProxy) {
		return req.connection.remoteAddress;
	} else {
		return req.headers["x-forwarded-for"] || req.connection.remoteAddress;
	}
}

function allRequests(req, res, next) {
	res.setHeader("X-Content-Type-Options", "nosniff");
	return next();
}

// Information to populate the About section in UI, either from npm or from git
var gitCommit = null;
try {
	gitCommit = require("child_process")
		.execSync("git rev-parse --short HEAD 2> /dev/null") // Returns hash of current commit
		.toString()
		.trim();
} catch (e) {
	// Not a git repository or git is not installed: treat it as npm release
}

function index(req, res, next) {
	if (req.url.split("?")[0] !== "/") {
		return next();
	}

	return fs.readFile("client/index.html", "utf-8", function(err, file) {
		var data = _.merge(
			pkg,
			Helper.config
		);
		data.gitCommit = gitCommit;
		var template = _.template(file);
		res.setHeader("Content-Security-Policy", "default-src *; style-src * 'unsafe-inline'; script-src 'self'; child-src 'none'; object-src 'none'; form-action 'none'; referrer no-referrer;");
		res.setHeader("Content-Type", "text/html");
		res.writeHead(200);
		res.end(template(data));
	});
}

function init(socket, client) {
	if (!client) {
		socket.emit("auth", {success: true});
		socket.on("auth", auth);
	} else {
		socket.on(
			"input",
			function(data) {
				client.input(data);
			}
		);
		socket.on(
			"more",
			function(data) {
				client.more(data);
			}
		);
		socket.on(
			"conn",
			function(data) {
				// prevent people from overriding webirc settings
				data.ip = null;
				data.hostname = null;
				client.connect(data);
			}
		);
		if (!Helper.config.public) {
			socket.on(
				"change-password",
				function(data) {
					var old = data.old_password;
					var p1 = data.new_password;
					var p2 = data.verify_password;
					if (typeof p1 === "undefined" || p1 === "") {
						socket.emit("change-password", {
							error: "Please enter a new password"
						});
						return;
					}
					if (p1 !== p2) {
						socket.emit("change-password", {
							error: "Both new password fields must match"
						});
						return;
					}
					if (!bcrypt.compareSync(old || "", client.config.password)) {
						socket.emit("change-password", {
							error: "The current password field does not match your account password"
						});
						return;
					}

					var salt = bcrypt.genSaltSync(8);
					var hash = bcrypt.hashSync(p1, salt);

					client.setPassword(hash, function(success) {
						var obj = {};

						if (success) {
							obj.success = "Successfully updated your password, all your other sessions were logged out";
							obj.token = client.config.token;
						} else {
							obj.error = "Failed to update your password";
						}

						socket.emit("change-password", obj);
					});
				}
			);
		}
		socket.on(
			"open",
			function(data) {
				client.open(data);
			}
		);
		socket.on(
			"sort",
			function(data) {
				client.sort(data);
			}
		);
		socket.on(
			"names",
			function(data) {
				client.names(data);
			}
		);
		socket.join(client.id);
		socket.emit("init", {
			active: client.activeChannel,
			networks: client.networks,
			token: client.config.token || null
		});
	}
}

function reverseDnsLookup(socket, client) {
	client.ip = getClientIp(socket.request);

	dns.reverse(client.ip, function(err, host) {
		if (!err && host.length) {
			client.hostname = host[0];
		} else {
			client.hostname = client.ip;
		}

		init(socket, client);
	});
}

function auth(data) {
	var socket = this;
	if (Helper.config.public) {
		var client = new Client(manager);
		manager.clients.push(client);
		socket.on("disconnect", function() {
			manager.clients = _.without(manager.clients, client);
			client.quit();
		});
		if (Helper.config.webirc) {
			reverseDnsLookup(socket, client);
		} else {
			init(socket, client);
		}
	} else {
		var success = false;
		_.each(manager.clients, function(client) {
			if (data.token) {
				if (data.token === client.config.token) {
					success = true;
				}
			} else if (client.config.user === data.user) {
				if (bcrypt.compareSync(data.password || "", client.config.password)) {
					success = true;
				}
			}
			if (success) {
				if (Helper.config.webirc !== null && !client.config["ip"]) {
					reverseDnsLookup(socket, client);
				} else {
					init(socket, client);
				}
				return false;
			}
		});
		if (!success) {
			socket.emit("auth", {success: success});
		}
	}
}
Make sure git commit check would not send stderr to the console Before that change, running a release would display this in the console: ``` fatal: Not a git repository (or any of the parent directories): .git ``` Also, this adds strict mode for that file, and make sure `gitCommit` never throws a `ReferenceError`. 2016-07-19 03:35:02 +02:00			`"use strict";`

Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`var _ = require("lodash");`
Rename package variable to pkg, as "package" is reserved. 2016-06-12 03:44:28 +02:00			`var pkg = require("../package.json");`
Use 'bcrypt-nodejs' package 2014-10-03 11:57:35 +02:00			`var bcrypt = require("bcrypt-nodejs");`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`var Client = require("./client");`
			`var ClientManager = require("./clientManager");`
Use express 2014-09-27 00:12:53 +02:00			`var express = require("express");`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`var fs = require("fs");`
			`var io = require("socket.io");`
Add WEBIRC support Fixes #181 2016-04-03 07:12:49 +02:00			`var dns = require("dns");`
Load home directory from helper and make it configurable. 2014-09-13 14:23:17 +02:00			`var Helper = require("./helper");`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00
Add support for oidentd spoofing 2016-04-26 22:41:08 +02:00			`var manager = null;`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`module.exports = function() {`
Add support for oidentd spoofing 2016-04-26 22:41:08 +02:00			`manager = new ClientManager();`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00
Use express 2014-09-27 00:12:53 +02:00			`var app = express()`
Add security headers to minimize XSS damage 2016-05-01 19:27:10 +02:00			`.use(allRequests)`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`.use(index)`
Added '--home <path>' option 2014-10-04 01:33:44 +02:00			`.use(express.static("client"));`
add socket.io transports to configuration 2014-11-01 21:06:01 +01:00
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`var config = Helper.config;`
Added https support 2014-09-27 01:26:21 +02:00			`var server = null;`

Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`if (!config.https.enable) {`
Added https support 2014-09-27 01:26:21 +02:00			`server = require("http");`
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`server = server.createServer(app).listen(config.port, config.host);`
Added https support 2014-09-27 01:26:21 +02:00			`} else {`
Add support for HTTP2 2016-03-09 13:04:05 +01:00			`server = require("spdy");`
Added https support 2014-09-27 01:26:21 +02:00			`server = server.createServer({`
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`key: fs.readFileSync(Helper.expandHome(config.https.key)),`
			`cert: fs.readFileSync(Helper.expandHome(config.https.certificate))`
			`}, app).listen(config.port, config.host);`
Added https support 2014-09-27 01:26:21 +02:00			`}`

Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`if (config.identd.enable) {`
Warn the user when both ident handlers are enabled 2016-04-26 22:53:29 +02:00			`if (manager.identHandler) {`
			`log.warn("Using both identd and oidentd at the same time!");`
			`}`

Refactoring 2014-10-11 19:33:28 +02:00			`require("./identd").start(config.identd.port);`
Set up identd and make it work on connection :sunglasses: 2014-10-11 12:09:27 +02:00			`}`

Fix complete crash when refreshing a public instance 2016-02-29 02:19:11 +01:00			`var sockets = io(server, {`
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`transports: config.transports`
add socket.io transports to configuration 2014-11-01 21:06:01 +01:00			`});`

Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`sockets.on("connect", function(socket) {`
			`if (config.public) {`
			`auth.call(socket);`
			`} else {`
			`init(socket);`
			`}`
			`});`

Autoload users 2014-09-25 00:23:54 +02:00			`manager.sockets = sockets;`

Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`var protocol = config.https.enable ? "https" : "http";`
			`log.info("The Lounge v" + pkg.version + " is now running on", protocol + "://" + (config.host \|\| "*") + ":" + config.port + "/", (config.public ? "in public mode" : "in private mode"));`
Document supported node version 2016-04-26 12:51:11 +02:00			`log.info("Press ctrl-c to stop\n");`

Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`if (!config.public) {`
Autoload users 2014-09-25 00:23:54 +02:00			`manager.loadUsers();`
			`if (config.autoload) {`
			`manager.autoload();`
			`}`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`}`
			`};`

Add WEBIRC support Fixes #181 2016-04-03 07:12:49 +02:00			`function getClientIp(req) {`
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`if (!Helper.config.reverseProxy) {`
Add WEBIRC support Fixes #181 2016-04-03 07:12:49 +02:00			`return req.connection.remoteAddress;`
			`} else {`
			`return req.headers["x-forwarded-for"] \|\| req.connection.remoteAddress;`
			`}`
			`}`

Add security headers to minimize XSS damage 2016-05-01 19:27:10 +02:00			`function allRequests(req, res, next) {`
			`res.setHeader("X-Content-Type-Options", "nosniff");`
			`return next();`
			`}`

Display whether instance is running from a release or from git on About section 2016-07-13 09:17:55 +02:00			`// Information to populate the About section in UI, either from npm or from git`
Make sure git commit check would not send stderr to the console Before that change, running a release would display this in the console: ``` fatal: Not a git repository (or any of the parent directories): .git ``` Also, this adds strict mode for that file, and make sure `gitCommit` never throws a `ReferenceError`. 2016-07-19 03:35:02 +02:00			`var gitCommit = null;`
Display whether instance is running from a release or from git on About section 2016-07-13 09:17:55 +02:00			`try {`
Make sure git commit check would not send stderr to the console Before that change, running a release would display this in the console: ``` fatal: Not a git repository (or any of the parent directories): .git ``` Also, this adds strict mode for that file, and make sure `gitCommit` never throws a `ReferenceError`. 2016-07-19 03:35:02 +02:00			`gitCommit = require("child_process")`
			`.execSync("git rev-parse --short HEAD 2> /dev/null") // Returns hash of current commit`
Display whether instance is running from a release or from git on About section 2016-07-13 09:17:55 +02:00			`.toString()`
			`.trim();`
			`} catch (e) {`
			`// Not a git repository or git is not installed: treat it as npm release`
			`}`

Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`function index(req, res, next) {`
Stricter eslint rule for curly brackets 2016-05-01 11:41:17 +02:00			`if (req.url.split("?")[0] !== "/") {`
			`return next();`
			`}`

Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`return fs.readFile("client/index.html", "utf-8", function(err, file) {`
			`var data = _.merge(`
Rename package variable to pkg, as "package" is reserved. 2016-06-12 03:44:28 +02:00			`pkg,`
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`Helper.config`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`);`
Display whether instance is running from a release or from git on About section 2016-07-13 09:17:55 +02:00			`data.gitCommit = gitCommit;`
Update lodash 2016-02-14 18:09:51 +01:00			`var template = _.template(file);`
Add security headers to minimize XSS damage 2016-05-01 19:27:10 +02:00			`res.setHeader("Content-Security-Policy", "default-src ; style-src 'unsafe-inline'; script-src 'self'; child-src 'none'; object-src 'none'; form-action 'none'; referrer no-referrer;");`
Server correctly sends text/html MIME type and response code 200 for the root index. 2014-09-13 06:54:17 +02:00			`res.setHeader("Content-Type", "text/html");`
			`res.writeHead(200);`
Update lodash 2016-02-14 18:09:51 +01:00			`res.end(template(data));`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`});`
			`}`

Implement user token persistency 2016-05-31 23:28:31 +02:00			`function init(socket, client) {`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`if (!client) {`
Do not lose authentication token when the connection gets lost 2016-05-31 23:02:10 +02:00			`socket.emit("auth", {success: true});`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`socket.on("auth", auth);`
			`} else {`
			`socket.on(`
			`"input",`
			`function(data) {`
Allow commands on connect 2014-09-09 21:31:23 +02:00			`client.input(data);`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`}`
			`);`
			`socket.on(`
Fix the 'Show More' button 2014-09-10 21:23:56 +02:00			`"more",`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`function(data) {`
Fix the 'Show More' button 2014-09-10 21:23:56 +02:00			`client.more(data);`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`}`
			`);`
			`socket.on(`
			`"conn",`
			`function(data) {`
Add WEBIRC support Fixes #181 2016-04-03 07:12:49 +02:00			`// prevent people from overriding webirc settings`
			`data.ip = null;`
			`data.hostname = null;`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`client.connect(data);`
			`}`
			`);`
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`if (!Helper.config.public) {`
frontend password change functionality - refactor clientManager.js to allow configuration parsing as a serparate function. - refactor clientManager.js to add configuration writing function. - add server.js changes to allow for new password-change functionality - add password change ui to "settings" screen - refactor client.js to use new clientManager functionality for saving the configuration files 2016-02-17 01:14:43 +01:00			`socket.on(`
			`"change-password",`
			`function(data) {`
			`var old = data.old_password;`
			`var p1 = data.new_password;`
			`var p2 = data.verify_password;`
			`if (typeof p1 === "undefined" \|\| p1 === "") {`
			`socket.emit("change-password", {`
			`error: "Please enter a new password"`
			`});`
			`return;`
			`}`
			`if (p1 !== p2) {`
			`socket.emit("change-password", {`
			`error: "Both new password fields must match"`
			`});`
			`return;`
			`}`
			`if (!bcrypt.compareSync(old \|\| "", client.config.password)) {`
			`socket.emit("change-password", {`
			`error: "The current password field does not match your account password"`
			`});`
			`return;`
			`}`
Implement user token persistency 2016-05-31 23:28:31 +02:00
frontend password change functionality - refactor clientManager.js to allow configuration parsing as a serparate function. - refactor clientManager.js to add configuration writing function. - add server.js changes to allow for new password-change functionality - add password change ui to "settings" screen - refactor client.js to use new clientManager functionality for saving the configuration files 2016-02-17 01:14:43 +01:00			`var salt = bcrypt.genSaltSync(8);`
			`var hash = bcrypt.hashSync(p1, salt);`
Implement user token persistency 2016-05-31 23:28:31 +02:00
			`client.setPassword(hash, function(success) {`
			`var obj = {};`

			`if (success) {`
			`obj.success = "Successfully updated your password, all your other sessions were logged out";`
			`obj.token = client.config.token;`
			`} else {`
			`obj.error = "Failed to update your password";`
			`}`

			`socket.emit("change-password", obj);`
frontend password change functionality - refactor clientManager.js to allow configuration parsing as a serparate function. - refactor clientManager.js to add configuration writing function. - add server.js changes to allow for new password-change functionality - add password change ui to "settings" screen - refactor client.js to use new clientManager functionality for saving the configuration files 2016-02-17 01:14:43 +01:00			`});`
			`}`
			`);`
			`}`
Server-side tracking of new message count 2014-09-21 18:46:43 +02:00			`socket.on(`
			`"open",`
			`function(data) {`
			`client.open(data);`
			`}`
Sync sidebar order 2014-09-24 21:42:36 +02:00			`);`
			`socket.on(`
			`"sort",`
			`function(data) {`
			`client.sort(data);`
			`}`
			`);`
Only update the users list when needed Currently, for join/part/kick/nick/... the server will send an updated list of users and the client will re-render the list entirely. This ends up being a very expensive operation when joined on large channels and causes the client to slow down a lot. 2016-02-17 03:29:44 +01:00			`socket.on(`
			`"names",`
			`function(data) {`
			`client.names(data);`
			`}`
			`);`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`socket.join(client.id);`
			`socket.emit("init", {`
Server-side tracking of new message count 2014-09-21 18:46:43 +02:00			`active: client.activeChannel,`
Added 'Remember' login option 2014-09-15 23:13:03 +02:00			`networks: client.networks,`
src/client: make sure config is always an object 2016-06-30 15:06:07 +02:00			`token: client.config.token \|\| null`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`});`
			`}`
			`}`

Implement user token persistency 2016-05-31 23:28:31 +02:00			`function reverseDnsLookup(socket, client) {`
Add WEBIRC support Fixes #181 2016-04-03 07:12:49 +02:00			`client.ip = getClientIp(socket.request);`

			`dns.reverse(client.ip, function(err, host) {`
			`if (!err && host.length) {`
			`client.hostname = host[0];`
			`} else {`
			`client.hostname = client.ip;`
			`}`

Implement user token persistency 2016-05-31 23:28:31 +02:00			`init(socket, client);`
Add WEBIRC support Fixes #181 2016-04-03 07:12:49 +02:00			`});`
			`}`

Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`function auth(data) {`
			`var socket = this;`
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`if (Helper.config.public) {`
Fix complete crash when refreshing a public instance 2016-02-29 02:19:11 +01:00			`var client = new Client(manager);`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`manager.clients.push(client);`
			`socket.on("disconnect", function() {`
			`manager.clients = _.without(manager.clients, client);`
			`client.quit();`
			`});`
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`if (Helper.config.webirc) {`
Add WEBIRC support Fixes #181 2016-04-03 07:12:49 +02:00			`reverseDnsLookup(socket, client);`
			`} else {`
			`init(socket, client);`
			`}`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`} else {`
Added password hashing 2014-09-11 22:37:16 +02:00			`var success = false;`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`_.each(manager.clients, function(client) {`
Added 'Remember' login option 2014-09-15 23:13:03 +02:00			`if (data.token) {`
Implement user token persistency 2016-05-31 23:28:31 +02:00			`if (data.token === client.config.token) {`
Added 'Remember' login option 2014-09-15 23:13:03 +02:00			`success = true;`
			`}`
Comply with ESLint 2015-10-01 00:39:57 +02:00			`} else if (client.config.user === data.user) {`
Fix login 2014-09-14 21:13:34 +02:00			`if (bcrypt.compareSync(data.password \|\| "", client.config.password)) {`
Added password hashing 2014-09-11 22:37:16 +02:00			`success = true;`
			`}`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`}`
Added 'Remember' login option 2014-09-15 23:13:03 +02:00			`if (success) {`
Cache loaded config and merge it with defaults Fixes #249 2016-06-08 11:26:24 +02:00			`if (Helper.config.webirc !== null && !client.config["ip"]) {`
Implement user token persistency 2016-05-31 23:28:31 +02:00			`reverseDnsLookup(socket, client);`
Add WEBIRC support Fixes #181 2016-04-03 07:12:49 +02:00			`} else {`
Implement user token persistency 2016-05-31 23:28:31 +02:00			`init(socket, client);`
Add WEBIRC support Fixes #181 2016-04-03 07:12:49 +02:00			`}`
Fix login 2014-09-16 19:42:49 +02:00			`return false;`
Added 'Remember' login option 2014-09-15 23:13:03 +02:00			`}`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`});`
			`if (!success) {`
Do not lose authentication token when the connection gets lost 2016-05-31 23:02:10 +02:00			`socket.emit("auth", {success: success});`
Run private server by default Use `shout start --public` or edit your `config.json` to override. 2014-08-14 18:35:37 +02:00			`}`
			`}`
			`}`