// FIXME: https://github.com/nodejs/node/pull/16853
+import { VideosCaptionCache } from './server/lib/cache/videos-caption-cache'
+
require('tls').DEFAULT_ECDH_CURVE = 'auto'
import { isTestInstance } from './server/helpers/core-utils'
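Review bot: The new `VideosCaptionCache` import is placed between the FIXME comment and the `require('tls').DEFAULT_ECDH_CURVE = 'auto'` line that the comment annotates, so the comment now reads as if it belonged to the import. If the file is compiled to CommonJS, the cache module and everything it pulls in would also load before the curve workaround is applied. A later comment in this file says modules should not be loaded before the database is initialised, and that comment sits well below this import. Moving the import down beside the other `./server/lib/...` imports (for example next to `Redis`) would keep the FIXME attached to its statement and preserve the intended load order.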
// ----------- Node modules -----------
import * as bodyParser from 'body-parser'
import * as express from 'express'
-import * as http from 'http'
import * as morgan from 'morgan'
-import * as path from 'path'
-import * as bitTorrentTracker from 'bittorrent-tracker'
import * as cors from 'cors'
-import { Server as WebSocketServer } from 'ws'
-
-const TrackerServer = bitTorrentTracker.Server
+import * as cookieParser from 'cookie-parser'
+import * as helmet from 'helmet'
process.title = 'peertube'
const app = express()
// ----------- Core checker -----------
-import { checkMissedConfig, checkFFmpeg, checkConfig } from './server/initializers/checker'
+import { checkMissedConfig, checkFFmpeg, checkConfig, checkActivityPubUrls } from './server/initializers/checker'
// Do not use barrels because we don't want to load all modules here (we need to initialize database first)
import { logger } from './server/helpers/logger'
-import { ACCEPT_HEADERS, API_VERSION, CONFIG, STATIC_PATHS } from './server/initializers/constants'
+import { API_VERSION, CONFIG, STATIC_PATHS, CACHE, REMOTE_SCHEME } from './server/initializers/constants'
const missed = checkMissedConfig()
if (missed.length !== 0) {
// Trust our proxy (IP forwarding...)
app.set('trust proxy', CONFIG.TRUST_PROXY)
+// Security middleware
+app.use(helmet({
+ frameguard: {
+ action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
+ },
+ dnsPrefetchControl: {
+ allow: true
+ },
+ contentSecurityPolicy: {
+ directives: {
+ defaultSrc: ['*', 'data:', REMOTE_SCHEME.WS + ':', REMOTE_SCHEME.HTTP + ':'],
+ fontSrc: ["'self'", 'data:'],
+ frameSrc: ["'none'"],
+ mediaSrc: ['*', REMOTE_SCHEME.HTTP + ':'],
+ objectSrc: ["'none'"],
+ scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
+ styleSrc: ["'self'", "'unsafe-inline'"],
+ upgradeInsecureRequests: false
+ },
+ browserSniff: false // assumes a modern browser, but allows CDN in front
+ },
+ referrerPolicy: {
+ policy: 'strict-origin-when-cross-origin'
+ }
+}))
+app.use((_, res, next) => {
+ [
+ "vibrate 'none'",
+ "geolocation 'none'",
+ "camera 'none'",
+ "microphone 'none'",
+ "magnetometer 'none'",
+ "payment 'none'",
+ "accelerometer 'none'"
+ ].forEach(e => res.append('Feature-Policy', e + ';'))
+ next()
+})
+
// ----------- Database -----------
// Initialize database and models
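Review bot: The `scriptSrc` directive allows both `'unsafe-inline'` and `'unsafe-eval'`, and `defaultSrc` begins with `'*'`, so the policy as written does little to contain an injected script; it mainly restricts fonts, frames and objects. If the client bundle currently requires these, a comment saying so would help the next reader, e.g. `// TODO: remove 'unsafe-inline' / 'unsafe-eval' once the client no longer needs them`. Note also that `frameSrc: ["'none'"]` limits what the page itself may embed, not who may frame the page. The framing restriction therefore comes only from `frameguard`, and the /videos/embed exception mentioned in the inline comment has to be handled in that controller, which is not visible here.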
feedsRouter,
staticRouter,
servicesRouter,
- webfingerRouter
+ webfingerRouter,
+ trackerRouter,
+ createWebsocketServer
} from './server/controllers'
import { Redis } from './server/lib/redis'
import { BadActorFollowScheduler } from './server/lib/schedulers/bad-actor-follow-scheduler'
import { RemoveOldJobsScheduler } from './server/lib/schedulers/remove-old-jobs-scheduler'
+import { UpdateVideosScheduler } from './server/lib/schedulers/update-videos-scheduler'
// ----------- Command line -----------
// Enable CORS for develop
if (isTestInstance()) {
- app.use((req, res, next) => {
- // These routes have already cors
- if (
- req.path.indexOf(STATIC_PATHS.TORRENTS) === -1 &&
- req.path.indexOf(STATIC_PATHS.WEBSEED) === -1
- ) {
- return (cors({
- origin: 'http://localhost:3000',
- exposedHeaders: 'Retry-After',
- credentials: true
- }))(req, res, next)
- }
-
- return next()
- })
+ app.use(cors({
+ origin: '*',
+ exposedHeaders: 'Retry-After',
+ credentials: true
+ }))
}
// For the logger
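Review bot: `origin: '*'` combined with `credentials: true` is a contradictory pair: browsers refuse credentialed cross-origin responses when `Access-Control-Allow-Origin` is the wildcard. The flag has no useful effect here and becomes risky if the wildcard is later replaced by a reflected origin. Since this branch runs only when `isTestInstance()` is true, either drop `credentials: true` or name the development origins explicitly, as the removed code did with `origin: 'http://localhost:3000'`. The removed code also skipped the torrent and webseed paths because they "have already cors"; with the unconditional `app.use(cors(...))` those routes presumably pass through two CORS middlewares in test mode, which is worth confirming.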
type: [ 'application/json', 'application/*+json' ],
limit: '500kb'
}))
-
-// ----------- Tracker -----------
-
-const trackerServer = new TrackerServer({
- http: false,
- udp: false,
- ws: false,
- dht: false
-})
-
-trackerServer.on('error', function (err) {
- logger.error('Error in websocket tracker.', err)
-})
-
-trackerServer.on('warning', function (err) {
- logger.error('Warning in websocket tracker.', err)
-})
-
-const server = http.createServer(app)
-const wss = new WebSocketServer({ server: server, path: '/tracker/socket' })
-wss.on('connection', function (ws) {
- trackerServer.onWebSocketConnection(ws)
-})
-
-const onHttpRequest = trackerServer.onHttpRequest.bind(trackerServer)
-app.get('/tracker/announce', (req, res) => onHttpRequest(req, res, { action: 'announce' }))
-app.get('/tracker/scrape', (req, res) => onHttpRequest(req, res, { action: 'scrape' }))
+// Cookies
+app.use(cookieParser())
// ----------- Views, routes and static files -----------
app.use('/', activityPubRouter)
app.use('/', feedsRouter)
app.use('/', webfingerRouter)
-
-// Client files
-app.use('/', clientsRouter)
+app.use('/', trackerRouter)
// Static files
app.use('/', staticRouter)
-// Always serve index client page (the client is a single page application, let it handle routing)
-app.use('/*', function (req, res) {
- if (req.accepts(ACCEPT_HEADERS) === 'html') {
- return res.sendFile(path.join(__dirname, '../client/dist/index.html'))
- }
-
- return res.status(404).end()
-})
+// Client files, last valid routes!
+app.use('/', clientsRouter)
// ----------- Errors -----------
return res.status(err.status || 500).end()
})
+const server = createWebsocketServer(app)
+
// ----------- Run -----------
async function startApplication () {
await installApplication()
+ // Check activity pub urls are valid
+ checkActivityPubUrls()
+ .catch(err => {
+ logger.error('Error in ActivityPub URLs checker.', { err })
+ process.exit(-1)
+ })
+
// Email initialization
Emailer.Instance.init()
await Emailer.Instance.checkConnectionOrDie()
await JobQueue.Instance.init()
// Caches initializations
- VideosPreviewCache.Instance.init(CONFIG.CACHE.PREVIEWS.SIZE)
+ VideosPreviewCache.Instance.init(CONFIG.CACHE.PREVIEWS.SIZE, CACHE.PREVIEWS.MAX_AGE)
+ VideosCaptionCache.Instance.init(CONFIG.CACHE.VIDEO_CAPTIONS.SIZE, CACHE.VIDEO_CAPTIONS.MAX_AGE)
// Enable Schedulers
BadActorFollowScheduler.Instance.enable()
RemoveOldJobsScheduler.Instance.enable()
+ UpdateVideosScheduler.Instance.enable()
// Redis initialization
Redis.Instance.init()
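Review bot: `checkActivityPubUrls()` is not awaited, so start-up carries on with the emailer, job queue, caches and schedulers while the check is still running. A failure then calls `process.exit(-1)` at some later point, possibly after those components have begun work. If an invalid ActivityPub URL is meant to block start-up, await the call: `await checkActivityPubUrls().catch(err => { ... })`, or wrap `await checkActivityPubUrls()` in `try`/`catch`. `process.exit(-1)` produces exit status 255 on POSIX systems; `process.exit(1)` would be the conventional failure code unless -1 is the project's convention. The body of `startApplication` continues outside this hunk.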