1 files changed, 36 insertions, 21 deletions
diff --git a/app/app.js b/app/app.js
index d9cd39c..23bf0ab 100644
--- a/app/app.js
+++ b/app/app.js
@@ -1,9 +1,9 @@
 "use strict";
 
-const http = require("http");
 const fs = require("fs");
-
-const argon2 = require("argon2");
+const http = require("http");
+const crypto = require("crypto");
+const {sj, cors} = require("./utils");
 
 const Router = require("./lib/router");
 const Static = require("./lib/static");
@@ -11,40 +11,55 @@ const Static = require("./lib/static");
 //const pipe = require("./lib/pipe");
 //const otp = require("./lib/otp");
 
+const config = require("./config");
+const {HOST, PORT} = config;
+
 if (!fs.existsSync("./logs")) fs.mkdirSync("./logs");
 if (!fs.existsSync("./users")) fs.mkdirSync("./users");
 if (!fs.existsSync("./private")) fs.mkdirSync("./private");
 
-Math.clamp = Math.clamp || ((x,l,h) => Math.max(l,Math.min(x,h)));
-const PORT = Math.clamp(+process.env.PORT||8080, 1, 65535);
-const HOST = process.env.HOST||"0.0.0.0";
-
 const server = http.createServer();
 const stat = new Static("./public");
 //const wss = new Socket(server);
 const app = new Router();
 
-const cors = fn => (req, res, ...rest) => {
-  res.setHeader("Access-Control-Allow-Origin", "*");
-  res.setHeader("Access-Control-Allow-Methods", "GET, POST");
-  fn(req, res, ...rest); };
+const auth = require("./auth")(config);
+const authed = auth.authed;
+auth.attach(app);
 
-const sj = (res, data) => {
-  res.setHeader("Content-Type", "application/json");
-  res.end(JSON.stringify(data)); };
+const noteStore = require("./note-store");
+noteStore.attach(app, auth);
 
-//app.get("/", (req, res) => {
-//  res.writeHead(302, {"Location":"https://alexishovorka.com/"});
-//  res.end();
-//});
+app.get("/user", authed((req, res) => {
+  console.log(Date.now()+" Getting user data for "+req.uid);
+  sj(res, {uid: req.uid, username: auth.getUsername(req.uid)});
+  // TODO avatar etc
+}));
 
-//await argon2.hash(password, {type: argon2.argon2id});
-//await argon2.verify(hash, password);
+// TODO https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
 
 server.on("request", (req, res) => {
   console.log(`${Date.now()} ${req.method} ${req.url}`);
+  //const scriptNonce = crypto.randomBytes(24).toString("hex");
+  //const styleNonce = crypto.randomBytes(24).toString("hex");
+  //res.setHeader("Strict-Transport-Security", "max-age=86400; includeSubDomains");
+  res.setHeader("Content-Security-Policy", ""
+    //+ `script-src 'nonce-${scriptNonce}' 'strict-dynamic'; ` // TODO
+    //+ `style-src 'nonce-${styleNonce}' 'strict-dynamic'; `
+    + "manifest-src 'self'; "
+    + "connect-src 'self'; "
+    + "worker-src 'self'; "
+    + "media-src 'self'; "
+    + "img-src 'self'; "
+    + "base-uri 'none'; "
+    + "object-src 'none'; "
+    + "form-action 'none'; "
+    + "frame-ancestors 'none'; "
+  );
+  res.setHeader("Cache-Control", 'no-cache="Set-Cookie"');
+  // TODO look into more cache headers
   app.route(req, res) || stat.route(req, res);
 });
 
 server.listen(PORT, HOST);
-console.log(`${Date.now()} Running on http://${HOST}:${PORT}`);
+console.log(Date.now()+` Running on http://${HOST}:${PORT}`);