nodebb/src/middleware/headers.js

'use strict';

const os = require('os');
const winston = require('winston');
const _ = require('lodash');

const meta = require('../meta');
const languages = require('../languages');
const helpers = require('./helpers');
const plugins = require('../plugins');

module.exports = function (middleware) {
	middleware.addHeaders = helpers.try((req, res, next) => {
		const headers = {
			'X-Powered-By': encodeURI(meta.config['powered-by'] || 'NodeBB'),
			'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
			'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
		};

		if (meta.config['csp-frame-ancestors']) {
			headers['Content-Security-Policy'] = `frame-ancestors ${meta.config['csp-frame-ancestors']}`;
			if (meta.config['csp-frame-ancestors'] === '\'none\'') {
				headers['X-Frame-Options'] = 'DENY';
			}
		} else {
			headers['Content-Security-Policy'] = 'frame-ancestors \'self\'';
			headers['X-Frame-Options'] = 'SAMEORIGIN';
		}

		if (meta.config['access-control-allow-origin']) {
			let origins = meta.config['access-control-allow-origin'].split(',');
			origins = origins.map(origin => origin && origin.trim());

			if (origins.includes(req.get('origin'))) {
				headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
				headers.Vary = headers.Vary ? `${headers.Vary}, Origin` : 'Origin';
			}
		}

		if (meta.config['access-control-allow-origin-regex']) {
			let originsRegex = meta.config['access-control-allow-origin-regex'].split(',');
			originsRegex = originsRegex.map((origin) => {
				try {
					origin = new RegExp(origin.trim());
				} catch (err) {
					winston.error(`[middleware.addHeaders] Invalid RegExp For access-control-allow-origin ${origin}`);
					origin = null;
				}
				return origin;
			});

			originsRegex.forEach((regex) => {
				if (regex && regex.test(req.get('origin'))) {
					headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));
					headers.Vary = headers.Vary ? `${headers.Vary}, Origin` : 'Origin';
				}
			});
		}

		if (meta.config['access-control-allow-credentials']) {
			headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];
		}

		if (process.env.NODE_ENV === 'development') {
			headers['X-Upstream-Hostname'] = os.hostname();
		}

		for (const [key, value] of Object.entries(headers)) {
			if (value) {
				res.setHeader(key, value);
			}
		}

		next();
	});

	middleware.autoLocale = helpers.try(async (req, res, next) => {
		await plugins.hooks.fire('filter:middleware.autoLocale', {
			req: req,
			res: res,
		});
		if (req.query.lang) {
			const langs = await listCodes();
			if (!langs.includes(req.query.lang)) {
				req.query.lang = meta.config.defaultLang;
			}
			return next();
		}
		if (parseInt(req.uid, 10) > 0 || !meta.config.autoDetectLang) {
			return next();
		}
		const langs = await listCodes();
		const lang = req.acceptsLanguages(langs);
		if (!lang) {
			return next();
		}
		req.query.lang = lang;
		next();
	});

	async function listCodes() {
		const defaultLang = meta.config.defaultLang || 'en-GB';
		try {
			const codes = await languages.listCodes();
			return _.uniq([defaultLang, ...codes]);
		} catch (err) {
			winston.error(`[middleware/autoLocale] Could not retrieve languages codes list! ${err.stack}`);
			return [defaultLang];
		}
	}
};
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`'use strict';`

feat: use const/let 4 years ago			`const os = require('os');`
			`const winston = require('winston');`
			`const _ = require('lodash');`
appending X-Upstream-Hostname header in dev mode 7 years ago
feat: use const/let 4 years ago			`const meta = require('../meta');`
			`const languages = require('../languages');`
			`const helpers = require('./helpers');`
feat: add filter:middleware.autoLocale 4 years ago			`const plugins = require('../plugins');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
Fix space-before-function-paren linter rule 8 years ago			`module.exports = function (middleware) {`
chore: eslint prefer-arrow-callback 4 years ago			`middleware.addHeaders = helpers.try((req, res, next) => {`
feat: use const/let 4 years ago			`const headers = {`
fix headers for new installs encodeURI(undefined) === "undefined" 8 years ago			`'X-Powered-By': encodeURI(meta.config['powered-by'] \|\| 'NodeBB'),`
			`'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] \|\| ''),`
ESlint comma-dangle 8 years ago			`'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] \|\| ''),`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

fix: #8432, add CSP frame-ancestors 4 years ago			`if (meta.config['csp-frame-ancestors']) {`
chore: eslint prefer-template 4 years ago			headers['Content-Security-Policy'] = `frame-ancestors ${meta.config['csp-frame-ancestors']}`;
fix: #8432, add CSP frame-ancestors 4 years ago			`if (meta.config['csp-frame-ancestors'] === '\'none\'') {`
			`headers['X-Frame-Options'] = 'DENY';`
			`}`
			`} else {`
			`headers['Content-Security-Policy'] = 'frame-ancestors \'self\'';`
			`headers['X-Frame-Options'] = 'SAMEORIGIN';`
			`}`

closes #5574 8 years ago			`if (meta.config['access-control-allow-origin']) {`
feat: use const/let 4 years ago			`let origins = meta.config['access-control-allow-origin'].split(',');`
chore: eslint prefer-arrow-callback 4 years ago			`origins = origins.map(origin => origin && origin.trim());`
allow multiple origins for access-control-allow-origin header add access-control-allow-credentials header to acp 7 years ago
			`if (origins.includes(req.get('origin'))) {`
			`headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));`
feat: send 'Vary' header when ACAO header set 4 years ago			headers.Vary = headers.Vary ? `${headers.Vary}, Origin` : 'Origin';
allow multiple origins for access-control-allow-origin header add access-control-allow-credentials header to acp 7 years ago			`}`
			`}`

closes #6556 7 years ago			`if (meta.config['access-control-allow-origin-regex']) {`
feat: use const/let 4 years ago			`let originsRegex = meta.config['access-control-allow-origin-regex'].split(',');`
chore: eslint prefer-arrow-callback 4 years ago			`originsRegex = originsRegex.map((origin) => {`
closes #6556 7 years ago			`try {`
			`origin = new RegExp(origin.trim());`
			`} catch (err) {`
chore: eslint prefer-template 4 years ago			winston.error(`[middleware.addHeaders] Invalid RegExp For access-control-allow-origin ${origin}`);
closes #6556 7 years ago			`origin = null;`
			`}`
			`return origin;`
			`});`

chore: eslint prefer-arrow-callback 4 years ago			`originsRegex.forEach((regex) => {`
closes #6556 7 years ago			`if (regex && regex.test(req.get('origin'))) {`
			`headers['Access-Control-Allow-Origin'] = encodeURI(req.get('origin'));`
feat: send 'Vary' header when ACAO header set 4 years ago			headers.Vary = headers.Vary ? `${headers.Vary}, Origin` : 'Origin';
closes #6556 7 years ago			`}`
			`});`
			`}`

allow multiple origins for access-control-allow-origin header add access-control-allow-credentials header to acp 7 years ago			`if (meta.config['access-control-allow-credentials']) {`
			`headers['Access-Control-Allow-Credentials'] = meta.config['access-control-allow-credentials'];`
closes #5574 8 years ago			`}`

appending X-Upstream-Hostname header in dev mode 7 years ago			`if (process.env.NODE_ENV === 'development') {`
			`headers['X-Upstream-Hostname'] = os.hostname();`
			`}`

chore: eslint no-restricted-syntax 4 years ago			`for (const [key, value] of Object.entries(headers)) {`
			`if (value) {`
			`res.setHeader(key, value);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`}`
			`}`

			`next();`
#8344 (#8346) * feat: wip * feat: wrap middlewares * feat: middleware errors * feat: more middleware changes * fix: remove unused async * fix: prevent version errors from blocking acp render * feat: wrap more middlewares 5 years ago			`});`
fix: #7038, autoLocale logic not playing nicely with no-refresh auths (#7059) * fix: #7038, autoLocale logic not playing nicely with no-refresh auths - on login, req.query.lang is deleted (since it seems to be left over) - on logout, the middleware.autoLocale is executed, which resets req.query.lang - middleware.autoLocale is new, just refactored existing logic in webserver.js into new middleware method. * style: tests, use lodash * fix: timeago strings not switching languages on login or out 6 years ago
chore: eslint prefer-arrow-callback 4 years ago			`middleware.autoLocale = helpers.try(async (req, res, next) => {`
feat: add filter:middleware.autoLocale 4 years ago			`await plugins.hooks.fire('filter:middleware.autoLocale', {`
			`req: req,`
			`res: res,`
			`});`
feat: change invalid language codes to default lang 5 years ago			`if (req.query.lang) {`
feat: add filter:middleware.autoLocale 4 years ago			`const langs = await listCodes();`
feat: change invalid language codes to default lang 5 years ago			`if (!langs.includes(req.query.lang)) {`
			`req.query.lang = meta.config.defaultLang;`
			`}`
			`return next();`
			`}`
			`if (parseInt(req.uid, 10) > 0 \|\| !meta.config.autoDetectLang) {`
fix: #7038, autoLocale logic not playing nicely with no-refresh auths (#7059) * fix: #7038, autoLocale logic not playing nicely with no-refresh auths - on login, req.query.lang is deleted (since it seems to be left over) - on logout, the middleware.autoLocale is executed, which resets req.query.lang - middleware.autoLocale is new, just refactored existing logic in webserver.js into new middleware method. * style: tests, use lodash * fix: timeago strings not switching languages on login or out 6 years ago			`return next();`
			`}`
feat: add filter:middleware.autoLocale 4 years ago			`const langs = await listCodes();`
feat: don't overwrite req.query.lang if it exists 5 years ago			`const lang = req.acceptsLanguages(langs);`
fix: #7038, autoLocale logic not playing nicely with no-refresh auths (#7059) * fix: #7038, autoLocale logic not playing nicely with no-refresh auths - on login, req.query.lang is deleted (since it seems to be left over) - on logout, the middleware.autoLocale is executed, which resets req.query.lang - middleware.autoLocale is new, just refactored existing logic in webserver.js into new middleware method. * style: tests, use lodash * fix: timeago strings not switching languages on login or out 6 years ago			`if (!lang) {`
			`return next();`
			`}`
			`req.query.lang = lang;`
			`next();`
#8344 (#8346) * feat: wip * feat: wrap middlewares * feat: middleware errors * feat: more middleware changes * fix: remove unused async * fix: prevent version errors from blocking acp render * feat: wrap more middlewares 5 years ago			`});`
fix: #7038, autoLocale logic not playing nicely with no-refresh auths (#7059) * fix: #7038, autoLocale logic not playing nicely with no-refresh auths - on login, req.query.lang is deleted (since it seems to be left over) - on logout, the middleware.autoLocale is executed, which resets req.query.lang - middleware.autoLocale is new, just refactored existing logic in webserver.js into new middleware method. * style: tests, use lodash * fix: timeago strings not switching languages on login or out 6 years ago
#8344 (#8346) * feat: wip * feat: wrap middlewares * feat: middleware errors * feat: more middleware changes * fix: remove unused async * fix: prevent version errors from blocking acp render * feat: wrap more middlewares 5 years ago			`async function listCodes() {`
			`const defaultLang = meta.config.defaultLang \|\| 'en-GB';`
			`try {`
			`const codes = await languages.listCodes();`
			`return _.uniq([defaultLang, ...codes]);`
			`} catch (err) {`
chore: eslint prefer-template 4 years ago			winston.error(`[middleware/autoLocale] Could not retrieve languages codes list! ${err.stack}`);
#8344 (#8346) * feat: wip * feat: wrap middlewares * feat: middleware errors * feat: more middleware changes * fix: remove unused async * fix: prevent version errors from blocking acp render * feat: wrap more middlewares 5 years ago			`return [defaultLang];`
fix: #7038, autoLocale logic not playing nicely with no-refresh auths (#7059) * fix: #7038, autoLocale logic not playing nicely with no-refresh auths - on login, req.query.lang is deleted (since it seems to be left over) - on logout, the middleware.autoLocale is executed, which resets req.query.lang - middleware.autoLocale is new, just refactored existing logic in webserver.js into new middleware method. * style: tests, use lodash * fix: timeago strings not switching languages on login or out 6 years ago			`}`
#8344 (#8346) * feat: wip * feat: wrap middlewares * feat: middleware errors * feat: more middleware changes * fix: remove unused async * fix: prevent version errors from blocking acp render * feat: wrap more middlewares 5 years ago			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`