fosrl.pangolin/server/apiServer.ts

import express from "express";
import cors from "cors";
import cookieParser from "cookie-parser";
import config from "@server/lib/config";
import logger from "@server/logger";
import {
    errorHandlerMiddleware,
    notFoundMiddleware
} from "@server/middlewares";
import { authenticated, unauthenticated } from "@server/routers/external";
import { router as wsRouter, handleWSUpgrade } from "@server/routers/ws";
import { logIncomingMiddleware } from "./middlewares/logIncoming";
import { csrfProtectionMiddleware } from "./middlewares/csrfProtection";
import helmet from "helmet";
import rateLimit from "express-rate-limit";
import createHttpError from "http-errors";
import HttpCode from "./types/HttpCode";
import requestTimeoutMiddleware from "./middlewares/requestTimeout";
import { createStore } from "./lib/rateLimitStore";

const dev = config.isDev;
const externalPort = config.getRawConfig().server.external_port;

export function createApiServer() {
    const apiServer = express();
    const prefix = `/api/v1`;

    const trustProxy = config.getRawConfig().server.trust_proxy;
    if (trustProxy) {
        apiServer.set("trust proxy", trustProxy);
    }

    const corsConfig = config.getRawConfig().server.cors;

    const options = {
        ...(corsConfig?.origins
            ? { origin: corsConfig.origins }
            : {
                  origin: (origin: any, callback: any) => {
                      callback(null, true);
                  }
              }),
        ...(corsConfig?.methods && { methods: corsConfig.methods }),
        ...(corsConfig?.allowed_headers && {
            allowedHeaders: corsConfig.allowed_headers
        }),
        credentials: !(corsConfig?.credentials === false)
    };

    logger.debug("Using CORS options", options);

    apiServer.use(cors(options));

    if (!dev) {
        apiServer.use(helmet());
        apiServer.use(csrfProtectionMiddleware);
    }

    apiServer.use(cookieParser());
    apiServer.use(express.json());

    // Add request timeout middleware
    apiServer.use(requestTimeoutMiddleware(60000)); // 60 second timeout

    if (!dev) {
        apiServer.use(
            rateLimit({
                windowMs:
                    config.getRawConfig().rate_limits.global.window_minutes *
                    60 *
                    1000,
                max: config.getRawConfig().rate_limits.global.max_requests,
                keyGenerator: (req) => `apiServerGlobal:${req.ip}:${req.path}`,
                handler: (req, res, next) => {
                    const message = `Rate limit exceeded. You can make ${config.getRawConfig().rate_limits.global.max_requests} requests every ${config.getRawConfig().rate_limits.global.window_minutes} minute(s).`;
                    return next(
                        createHttpError(HttpCode.TOO_MANY_REQUESTS, message)
                    );
                },
                store: createStore()
            })
        );
    }

    // API routes
    apiServer.use(logIncomingMiddleware);
    apiServer.use(prefix, unauthenticated);
    apiServer.use(prefix, authenticated);

    // WebSocket routes
    apiServer.use(prefix, wsRouter);

    // Error handling
    apiServer.use(notFoundMiddleware);
    apiServer.use(errorHandlerMiddleware);

    // Create HTTP server
    const httpServer = apiServer.listen(externalPort, (err?: any) => {
        if (err) throw err;
        logger.info(
            `API server is running on http://localhost:${externalPort}`
        );
    });

    // Handle WebSocket upgrades
    handleWSUpgrade(httpServer);

    return httpServer;
}
use bottom sheet instead of vaul drawer 2024-12-30 15:48:34 -05:00			`import express from "express";`
Seperate servers 2024-12-07 22:07:13 -05:00			`import cors from "cors";`
			`import cookieParser from "cookie-parser";`
refactor and reorganize 2025-01-01 21:41:31 -05:00			`import config from "@server/lib/config";`
Seperate servers 2024-12-07 22:07:13 -05:00			`import logger from "@server/logger";`
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`import {`
			`errorHandlerMiddleware,`
Merge branch 'dev' of https://github.com/fosrl/pangolin into dev 2025-07-14 22:21:04 -07:00			`notFoundMiddleware`
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`} from "@server/middlewares";`
Seperate servers 2024-12-07 22:07:13 -05:00			`import { authenticated, unauthenticated } from "@server/routers/external";`
			`import { router as wsRouter, handleWSUpgrade } from "@server/routers/ws";`
			`import { logIncomingMiddleware } from "./middlewares/logIncoming";`
CSRF prevention 2024-12-25 22:04:20 -05:00			`import { csrfProtectionMiddleware } from "./middlewares/csrfProtection";`
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`import helmet from "helmet";`
introduce strict rate limitso on auth router endpoints 2025-07-14 18:00:41 -07:00			`import rateLimit from "express-rate-limit";`
			`import createHttpError from "http-errors";`
			`import HttpCode from "./types/HttpCode";`
Merge branch 'dev' of https://github.com/fosrl/pangolin into dev 2025-07-14 22:21:04 -07:00			`import requestTimeoutMiddleware from "./middlewares/requestTimeout";`
add stores 2025-07-16 15:50:03 -07:00			`import { createStore } from "./lib/rateLimitStore";`
Seperate servers 2024-12-07 22:07:13 -05:00
add toggle resource visibility closes #442 2025-03-31 10:10:28 -04:00			`const dev = config.isDev;`
make config class and separate migrations script 2025-01-01 17:50:12 -05:00			`const externalPort = config.getRawConfig().server.external_port;`
Seperate servers 2024-12-07 22:07:13 -05:00
			`export function createApiServer() {`
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`const apiServer = express();`
Pull up downstream changes 2025-07-13 21:57:24 -07:00			const prefix = `/api/v1`;
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00
forward headers from server component and make trust_proxy config a number 2025-06-19 11:22:29 -04:00			`const trustProxy = config.getRawConfig().server.trust_proxy;`
			`if (trustProxy) {`
			`apiServer.set("trust proxy", trustProxy);`
optionally generate traefik files, set cors in config, and set trust proxy in config 2025-01-15 23:26:31 -05:00			`}`
allow controlling cors from config and add cors middleware to traefik 2025-01-13 23:59:10 -05:00
			`const corsConfig = config.getRawConfig().server.cors;`

			`const options = {`
			`...(corsConfig?.origins`
			`? { origin: corsConfig.origins }`
			`: {`
			`origin: (origin: any, callback: any) => {`
			`callback(null, true);`
			`}`
			`}),`
			`...(corsConfig?.methods && { methods: corsConfig.methods }),`
			`...(corsConfig?.allowed_headers && {`
			`allowedHeaders: corsConfig.allowed_headers`
			`}),`
			`credentials: !(corsConfig?.credentials === false)`
			`};`

			`logger.debug("Using CORS options", options);`

			`apiServer.use(cors(options));`

			`if (!dev) {`
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`apiServer.use(helmet());`
CSRF prevention 2024-12-25 22:04:20 -05:00			`apiServer.use(csrfProtectionMiddleware);`
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`}`
CSRF prevention 2024-12-25 22:04:20 -05:00
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`apiServer.use(cookieParser());`
			`apiServer.use(express.json());`

Pull up downstream changes 2025-07-13 21:57:24 -07:00			`// Add request timeout middleware`
			`apiServer.use(requestTimeoutMiddleware(60000)); // 60 second timeout`

env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`if (!dev) {`
			`apiServer.use(`
introduce strict rate limitso on auth router endpoints 2025-07-14 18:00:41 -07:00			`rateLimit({`
			`windowMs:`
			`config.getRawConfig().rate_limits.global.window_minutes *`
			`60 *`
			`1000,`
make config class and separate migrations script 2025-01-01 17:50:12 -05:00			`max: config.getRawConfig().rate_limits.global.max_requests,`
introduce strict rate limitso on auth router endpoints 2025-07-14 18:00:41 -07:00			keyGenerator: (req) => `apiServerGlobal:${req.ip}:${req.path}`,
			`handler: (req, res, next) => {`
			const message = `Rate limit exceeded. You can make ${config.getRawConfig().rate_limits.global.max_requests} requests every ${config.getRawConfig().rate_limits.global.window_minutes} minute(s).`;
			`return next(`
			`createHttpError(HttpCode.TOO_MANY_REQUESTS, message)`
			`);`
add stores 2025-07-16 15:50:03 -07:00			`},`
			`store: createStore()`
CSRF prevention 2024-12-25 22:04:20 -05:00			`})`
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`);`
			`}`

			`// API routes`
			`apiServer.use(logIncomingMiddleware);`
			`apiServer.use(prefix, unauthenticated);`
			`apiServer.use(prefix, authenticated);`

			`// WebSocket routes`
			`apiServer.use(prefix, wsRouter);`

			`// Error handling`
			`apiServer.use(notFoundMiddleware);`
			`apiServer.use(errorHandlerMiddleware);`

			`// Create HTTP server`
			`const httpServer = apiServer.listen(externalPort, (err?: any) => {`
			`if (err) throw err;`
			`logger.info(`
CSRF prevention 2024-12-25 22:04:20 -05:00			`API server is running on http://localhost:${externalPort}`
env context and refactor api support different ports 2024-12-12 22:46:58 -05:00			`);`
			`});`

			`// Handle WebSocket upgrades`
			`handleWSUpgrade(httpServer);`

			`return httpServer;`
Seperate servers 2024-12-07 22:07:13 -05:00			`}`