browserid

#!/usr/bin/env node

/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is Mozilla BrowserID.
 *
 * The Initial Developer of the Original Code is Mozilla.
 * Portions created by the Initial Developer are Copyright (C) 2011
 * the Initial Developer. All Rights Reserved.
 *
 * Contributor(s):
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */

const
fs = require('fs'),
path = require('path'),
url = require('url'),
http = require('http');
sessions = require('connect-cookie-session'),
urlparse = require('urlparse');

// add lib/ to the require path
require.paths.unshift(path.join(__dirname, '..', 'lib'));

const
wsapi = require('browserid/wsapi.js'),
ca = require('browserid/ca.js'),
httputils = require('httputils.js'),
express = require('express'),
secrets = require('secrets.js'),
db = require('db.js'),
config = require('configuration.js'),
heartbeat = require('heartbeat.js'),
metrics = require("metrics.js"),
logger = require("logging.js").logger
forward = require('browserid/http_forward'),
shutdown = require('shutdown');

var app = undefined;

app = express.createServer();

logger.info("browserid server starting up");

const COOKIE_SECRET = secrets.hydrateSecret('browserid_cookie', config.get('var_path'));
const COOKIE_KEY = 'browserid_state';

// verify that we have a keysigner configured
if (!config.get('keysigner_url')) {
  logger.error('missing required configuration - url for the keysigner (KEYSIGNER_URL in env)');
  process.exit(1);
}

function internal_redirector(new_url, suppress_noframes) {
  return function(req, resp, next) {
    if (suppress_noframes)
      resp.removeHeader('x-frame-options');
    req.url = new_url;
    return next();
  };
}

function router(app) {
  app.set("views", path.join(__dirname, "..", "resources", "views"));

  app.set('view options', {
    production: config.get('use_minified_resources')
  });

  // this should probably be an internal redirect
  // as soon as relative paths are figured out.
  app.get('/sign_in', function(req, res, next ) {
    metrics.userEntry(req);
    res.render('dialog.ejs', {
      title: 'A Better Way to Sign In',
      layout: 'dialog_layout.ejs',
      useJavascript: true,
      production: config.get('use_minified_resources')
    });
  });

  app.get("/unsupported_dialog", function(req,res) {
    res.render('unsupported_dialog.ejs', {layout: 'dialog_layout.ejs', useJavascript: false});
  });

  // simple redirects (internal for now)
  app.get('/register_iframe', internal_redirector('/dialog/register_iframe.html',true));

  // Used for a relay page for communication.
  app.get("/relay", function(req,res, next) {
    // Allow the relay to be run within a frame
    res.removeHeader('x-frame-options');
    res.render('relay.ejs', {
      layout: false,
      production: config.get('use_minified_resources')
    });
  });


  app.get('/', function(req,res) {
    res.render('index.ejs', {title: 'A Better Way to Sign In', fullpage: true});
  });

  app.get("/signup", function(req, res) {
    res.render('signup.ejs', {title: 'Sign Up', fullpage: false});
  });

  app.get("/forgot", function(req, res) {
    res.render('forgot.ejs', {title: 'Forgot Password', fullpage: false, email: req.query.email});
  });

  app.get("/signin", function(req, res) {
    res.render('signin.ejs', {title: 'Sign In', fullpage: false});
  });

  app.get("/about", function(req, res) {
    res.render('about.ejs', {title: 'About', fullpage: false});
  });

  app.get("/tos", function(req, res) {
    res.render('tos.ejs', {title: 'Terms of Service', fullpage: false});
  });

  app.get("/privacy", function(req, res) {
    res.render('privacy.ejs', {title: 'Privacy Policy', fullpage: false});
  });

  app.get("/verify_email_address", function(req, res) {
    res.render('verifyuser.ejs', {title: 'Complete Registration', fullpage: true, token: req.query.token});
  });

  app.get("/add_email_address", function(req,res) {
    res.render('verifyemail.ejs', {title: 'Verify Email Address', fullpage: false});
  });

  // REDIRECTS
  REDIRECTS = {
    "/manage": "/",
    "/users": "/",
    "/users/": "/",
    "/primaries" : "/developers",
    "/primaries/" : "/developers",
    "/developers" : "https://github.com/mozilla/browserid/wiki/How-to-Use-BrowserID-on-Your-Site"
  };

  // set up all the redirects
  // oh my watch out for scope issues on var url - closure time
  for (var url in REDIRECTS) {
    (function(from,to) {
      app.get(from, function(req, res) {
        res.redirect(to);
      });
    })(url, REDIRECTS[url]);
  }

  // register all the WSAPI handlers
  wsapi.setup(app);

  // setup health check / heartbeat
  heartbeat.setup(app, function(cb) {
    // let's check stuff!  first the heartbeat of our keysigner
    heartbeat.check(config.get('keysigner_url'), cb);
  });

  // the public key
  app.get("/pk", function(req, res) {
    res.json(ca.PUBLIC_KEY.toSimpleObject());
  });

  // vep bundle of JavaScript
  app.get("/vepbundle", function(req, res) {
    fs.readFile(__dirname + "/../node_modules/jwcrypto/vepbundle.js", function(error, content) {
      if (error) {
        res.writeHead(500);
        res.end("oops");
        console.log(error);
      } else {
        res.writeHead(200, {'Content-Type': 'text/javascript'});
        res.write(content);
        res.end();
      }
    });
  });

  shutdown.installUpdateHandler(app, function(readyForShutdown) {
    logger.debug("closing database connection");
    db.close(readyForShutdown)
  });
};

// request to logger, dev formatted which omits personal data in the requests
app.use(express.logger({
  format: config.get('express_log_format'),
  stream: {
    write: function(x) {
      logger.info(typeof x === 'string' ? x.trim() : x);
    }
  }
}));

// if these are verify requests, we'll redirect them off
// to the verifier
if (config.get('verifier_url')) {
  app.use(function(req, res, next) {
    if (/^\/verify$/.test(req.url)) {
      forward(
        config.get('verifier_url'), req, res,
        function(err) {
          if (err) {
            logger.error("error forwarding request:", err);
          }
        });
    } else {
      return next();
    }
  });
}

// over SSL?
var overSSL = (config.get('scheme') == 'https');

app.use(express.cookieParser());

var cookieSessionMiddleware = sessions({
  secret: COOKIE_SECRET,
  key: COOKIE_KEY,
  cookie: {
    path: '/wsapi',
    httpOnly: true,
    // IMPORTANT: we allow users to go 1 weeks on the same device
    // without entering their password again
    maxAge: config.get('authentication_duration_ms'),
    secure: overSSL
  }
});

// cookie sessions && cache control
app.use(function(req, resp, next) {
  // cookie sessions are only applied to calls to /wsapi
  // as all other resources can be aggressively cached
  // by layers higher up based on cache control headers.
  // the fallout is that all code that interacts with sessions
  // should be under /wsapi
  if (/^\/wsapi/.test(req.url)) {
    // explicitly disallow caching on all /wsapi calls (issue #294)
    resp.setHeader('Cache-Control', 'no-cache, max-age=0');

    // we set this parameter so the connect-cookie-session
    // sends the cookie even though the local connection is HTTP
    // (the load balancer does SSL)
    if (overSSL)
      req.connection.proxySecure = true;

    return cookieSessionMiddleware(req, resp, next);

  } else {
    return next();
  }
});

config.performSubstitution(app);

// verify all JSON responses are objects - prevents regression on issue #217
app.use(function(req, resp, next) {
  var realRespJSON = resp.json;
  resp.json = function(obj) {
    if (!obj || typeof obj !== 'object') {
      logger.error("INTERNAL ERROR!  *all* json responses must be objects");
      throw "internal error";
    }
    realRespJSON.call(resp, obj);
  };
  return next();
});

app.use(express.bodyParser());

// Check CSRF token early.  POST requests are only allowed to
// /wsapi and they always must have a valid csrf token
app.use(function(req, resp, next) {
  // only on POSTs
  if (req.method == "POST") {
    var denied = false;
    if (!/^\/wsapi/.test(req.url)) { // post requests only allowed to /wsapi
      denied = true;
      logger.warn("CSRF validation failure: POST only allowed to /wsapi urls.  not '" + req.url + "'");
    }

    else if (req.session === undefined) { // there must be a session
      denied = true;
      logger.warn("CSRF validation failure: POST calls to /wsapi require an active session");
    }

    // the session must have a csrf token
    else if (typeof req.session.csrf !== 'string') {
      denied = true;
      logger.warn("CSRF validation failure: POST calls to /wsapi require an csrf token to be set");
    }

    // and the token must match what is sent in the post body
    else if (req.body.csrf != req.session.csrf) {
      denied = true;
      // if any of these things are false, then we'll block the request
      logger.warn("CSRF validation failure, token mismatch. got:" + req.body.csrf + " want:" + req.session.csrf);
    }

    if (denied) return httputils.badRequest(resp, "CSRF violation");

  }
  return next();
});

// a tweak to get the content type of host-meta correct
app.use(function(req, resp, next) {
  if (req.url === '/.well-known/host-meta') {
    resp.setHeader('content-type', 'text/xml');
  }
  next();
});

// Strict Transport Security
app.use(function(req, resp, next) {
  if (overSSL) {
    // expires in 30 days, include subdomains like www
    resp.setHeader("Strict-Transport-Security", "max-age=2592000; includeSubdomains");
  }
  next();
});

// prevent framing
app.use(function(req, resp, next) {
  resp.setHeader('x-frame-options', 'DENY');
  next();
});

// add the actual URL handlers other than static
router(app);

// use the express 'static' middleware for serving of static files (cache headers, HTTP range, etc)
app.use(express.static(path.join(__dirname, "..", "resources", "static")));

// open the databse
db.open(config.get('database'), function () {

  // shut down express gracefully on SIGINT
  shutdown.handleTerminationSignals(app, function(readyForShutdown) {
    db.close(readyForShutdown)
  });

  var bindTo = config.get('bind_to');
  app.listen(bindTo.port, bindTo.host, function() {
    logger.info("running on http://" + app.address().address + ":" + app.address().port);
  });
});