Prevent brute force login attack

[github/Chocobozzz/PeerTube.git] / server.ts

diff --git a/server.ts b/server.ts
index 44e93d1a6102324d97703cc9462b89b434305de2..b307e67a1df71ee2924f2f492bd40db69c85770e 100644 (file)
--- a/server.ts
+++ b/server.ts
@@ -27,22 +27,31 @@ const app = express()
 // ----------- Core checker -----------
 import { checkMissedConfig, checkFFmpeg, checkConfig } from './server/initializers/checker'
 
+// Do not use barrels because we don't want to load all modules here (we need to initialize database first)
+import { logger } from './server/helpers/logger'
+import { ACCEPT_HEADERS, API_VERSION, CONFIG, STATIC_PATHS } from './server/initializers/constants'
+
 const missed = checkMissedConfig()
 if (missed.length !== 0) {
-  throw new Error('Your configuration files miss keys: ' + missed)
+  logger.error('Your configuration files miss keys: ' + missed)
+  process.exit(-1)
 }
 
-import { ACCEPT_HEADERS, API_VERSION, CONFIG, STATIC_PATHS } from './server/initializers/constants'
 checkFFmpeg(CONFIG)
+  .catch(err => {
+    logger.error('Error in ffmpeg check.', { err })
+    process.exit(-1)
+  })
 
 const errorMessage = checkConfig()
 if (errorMessage !== null) {
   throw new Error(errorMessage)
 }
 
+// Trust our proxy (IP forwarding...)
+app.set('trust proxy', CONFIG.TRUST_PROXY)
+
 // ----------- Database -----------
-// Do not use barrels because we don't want to load all modules here (we need to initialize database first)
-import { logger } from './server/helpers/logger'
 
 // Initialize database and models
 import { initDatabaseModels } from './server/initializers/database'
@@ -75,6 +84,7 @@ if (isTestInstance()) {
     ) {
       return (cors({
         origin: 'http://localhost:3000',
+        exposedHeaders: 'Retry-After',
         credentials: true
       }))(req, res, next)
     }
@@ -88,11 +98,11 @@ app.use(morgan('combined', {
   stream: { write: logger.info.bind(logger) }
 }))
 // For body requests
+app.use(bodyParser.urlencoded({ extended: false }))
 app.use(bodyParser.json({
   type: [ 'application/json', 'application/*+json' ],
   limit: '500kb'
 }))
-app.use(bodyParser.urlencoded({ extended: false }))
 
 // ----------- Tracker -----------
 
@@ -104,11 +114,11 @@ const trackerServer = new TrackerServer({
 })
 
 trackerServer.on('error', function (err) {
-  logger.error(err)
+  logger.error('Error in websocket tracker.', err)
 })
 
 trackerServer.on('warning', function (err) {
-  logger.error(err)
+  logger.error('Warning in websocket tracker.', err)
 })
 
 const server = http.createServer(app)
@@ -158,8 +168,13 @@ app.use(function (req, res, next) {
 })
 
 app.use(function (err, req, res, next) {
-  logger.error(err, err)
-  res.sendStatus(err.status || 500)
+  let error = 'Unknown error.'
+  if (err) {
+    error = err.stack || err.message || err
+  }
+
+  logger.error('Error in controller.', { error })
+  return res.status(err.status || 500).end()
 })
 
 // ----------- Run -----------