Home Explore Help
Sign In
wiki
/
weseek__growi
mirror of https://github.com/weseek/growi
2
0
Fork 0
Files Issues 0 Wiki
Tree: 2d2dc2a0b1
Branches Tags
weseek__growi
/
apps
/
app
/
src
/
server
/
routes
/
index.js

index.js 13 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181 
  1. import { SCOPE } from '@growi/core/dist/interfaces';
    2. 

  2. import csrf from 'csurf';
    3. 

  3. import express from 'express';
    4. 

  4. 

  5. import { middlewareFactory as rateLimiterFactory } from '~/features/rate-limiter';
    6. 

  6. 

  7. import { accessTokenParser } from '../middlewares/access-token-parser';
    8. 

  8. import { generateAddActivityMiddleware } from '../middlewares/add-activity';
    9. 

  9. import apiV1FormValidator from '../middlewares/apiv1-form-validator';
    10. 

  10. import * as applicationNotInstalled from '../middlewares/application-not-installed';
    11. 

  11. import { excludeReadOnlyUser, excludeReadOnlyUserIfCommentNotAllowed } from '../middlewares/exclude-read-only-user';
    12. 

  12. import injectResetOrderByTokenMiddleware from '../middlewares/inject-reset-order-by-token-middleware';
    13. 

  13. import injectUserRegistrationOrderByTokenMiddleware from '../middlewares/inject-user-registration-order-by-token-middleware';
    14. 

  14. import * as loginFormValidator from '../middlewares/login-form-validator';
    15. 

  15. import {
    16. 

  16.   generateUnavailableWhenMaintenanceModeMiddleware, generateUnavailableWhenMaintenanceModeMiddlewareForApi,
    17. 

  17. } from '../middlewares/unavailable-when-maintenance-mode';
    18. 

  18. 

  19. import * as attachment from './attachment';
    20. 

  20. import { routesFactory as attachmentApiRoutesFactory } from './attachment/api';
    21. 

  21. import * as forgotPassword from './forgot-password';
    22. 

  22. import nextFactory from './next';
    23. 

  23. import * as userActivation from './user-activation';
    24. 

  24. 

  25. 

  26. const multer = require('multer');
    27. 

  27. const autoReap = require('multer-autoreap');
    28. 

  28. 

  29. const csrfProtection = csrf({ cookie: false });
    30. 

  30. 

  31. autoReap.options.reapOnError = true; // continue reaping the file even if an error occurs
    32. 

  32. 

  33. /** @param {import('~/server/crowi').default} crowi Crowi instance */
    34. 

  34. module.exports = function(crowi, app) {
    35. 

  35.   const autoReconnectToSearch = require('../middlewares/auto-reconnect-to-search')(crowi);
    36. 

  36.   const applicationInstalled = require('../middlewares/application-installed')(crowi);
    37. 

  37.   const loginRequiredStrictly = require('../middlewares/login-required')(crowi);
    38. 

  38.   const loginRequired = require('../middlewares/login-required')(crowi, true);
    39. 

  39.   const adminRequired = require('../middlewares/admin-required')(crowi);
    40. 

  40.   const addActivity = generateAddActivityMiddleware(crowi);
    41. 

  41. 

  42.   const uploads = multer({ dest: `${crowi.tmpDir}uploads` });
    43. 

  43.   const page = require('./page')(crowi, app);
    44. 

  44.   const login = require('./login')(crowi, app);
    45. 

  45.   const loginPassport = require('./login-passport')(crowi, app);
    46. 

  46.   const admin = require('./admin')(crowi, app);
    47. 

  47.   const attachmentApi = attachmentApiRoutesFactory(crowi).api;
    48. 

  48.   const comment = require('./comment')(crowi, app);
    49. 

  49.   const tag = require('./tag')(crowi, app);
    50. 

  50.   const search = require('./search')(crowi, app);
    51. 

  51.   const ogp = require('./ogp')(crowi);
    52. 

  52.   const { createApiRouter } = require('~/server/util/createApiRouter');
    53. 

  53. 

  54.   const next = nextFactory(crowi);
    55. 

  55. 

  56.   const unavailableWhenMaintenanceMode = generateUnavailableWhenMaintenanceModeMiddleware(crowi);
    57. 

  57.   const unavailableWhenMaintenanceModeForApi = generateUnavailableWhenMaintenanceModeMiddlewareForApi(crowi);
    58. 

  58. 

  59. 

  60.   /* eslint-disable max-len, comma-spacing, no-multi-spaces */
    61. 

  61. 

  62.   const [apiV3Router, apiV3AdminRouter, apiV3AuthRouter] = require('./apiv3')(crowi, app);
    63. 

  63. 

  64.   // Rate limiter
    65. 

  65.   app.use(rateLimiterFactory());
    66. 

  66. 

  67.   // API v3 for admin
    68. 

  68.   app.use('/_api/v3', apiV3AdminRouter);
    69. 

  69. 

  70.   // API v3 for auth
    71. 

  71.   app.use('/_api/v3', apiV3AuthRouter);
    72. 

  72. 

  73.   app.get('/_next/*'                  , next.delegateToNext);
    74. 

  74. 

  75.   app.get('/'                         ,  applicationInstalled, unavailableWhenMaintenanceMode, loginRequired, autoReconnectToSearch, next.delegateToNext);
    76. 

  76. 

  77.   app.get('/login/error/:reason'      , applicationInstalled, next.delegateToNext);
    78. 

  78.   app.get('/login'                    , applicationInstalled, login.preLogin, next.delegateToNext);
    79. 

  79.   app.get('/invited'                  , applicationInstalled, next.delegateToNext);
    80. 

  80.   // app.post('/login'                   , applicationInstalled, loginFormValidator.loginRules(), loginFormValidator.loginValidation, csrfProtection,  addActivity, loginPassport.loginWithLocal, loginPassport.loginWithLdap, loginPassport.loginFailure);
    81. 

  81. 

  82.   // NOTE: get method "/admin/export/:fileName" should be loaded before "/admin/*"
    83. 

  83.   app.get('/admin/export/:fileName'   , accessTokenParser([SCOPE.READ.ADMIN.EXPORT_DATA]), loginRequiredStrictly , adminRequired ,admin.export.api.validators.export.download(), admin.export.download);
    84. 

  84. 

  85.   // TODO: If you want to use accessTokenParser, you need to add scope ANY e.g. accessTokenParser([SCOPE.READ.ADMIN.ANY])
    86. 

  86.   app.get('/admin/*'                  , applicationInstalled, loginRequiredStrictly , adminRequired , next.delegateToNext);
    87. 

  87.   app.get('/admin'                    , applicationInstalled, loginRequiredStrictly , adminRequired , next.delegateToNext);
    88. 

  88. 

  89.   // installer
    90. 

  90.   app.get('/installer',
    91. 

  91.     applicationNotInstalled.generateCheckerMiddleware(crowi),
    92. 

  92.     next.delegateToNext,
    93. 

  93.     applicationNotInstalled.redirectToTopOnError);
    94. 

  94. 

  95.   // OAuth
    96. 

  96.   app.get('/passport/google'                      , loginPassport.loginWithGoogle, loginPassport.loginFailureForExternalAccount);
    97. 

  97.   app.get('/passport/github'                      , loginPassport.loginWithGitHub, loginPassport.loginFailureForExternalAccount);
    98. 

  98.   app.get('/passport/oidc'                        , loginPassport.loginWithOidc,   loginPassport.loginFailureForExternalAccount);
    99. 

  99.   app.get('/passport/saml'                        , loginPassport.loginWithSaml,   loginPassport.loginFailureForExternalAccount);
    100. 

  100.   app.get('/passport/google/callback'             , loginPassport.injectRedirectTo, loginPassport.loginPassportGoogleCallback   , loginPassport.loginFailureForExternalAccount);
    101. 

  101.   app.get('/passport/github/callback'             , loginPassport.injectRedirectTo, loginPassport.loginPassportGitHubCallback   , loginPassport.loginFailureForExternalAccount);
    102. 

  102.   app.get('/passport/oidc/callback'               , loginPassport.injectRedirectTo, loginPassport.loginPassportOidcCallback     , loginPassport.loginFailureForExternalAccount);
    103. 

  103.   app.post('/passport/saml/callback'              , addActivity, loginPassport.injectRedirectTo, loginPassport.loginPassportSamlCallback, loginPassport.loginFailureForExternalAccount);
    104. 

  104. 

  105.   app.post('/_api/login/testLdap'    ,  accessTokenParser([SCOPE.WRITE.USER_SETTINGS.EXTERNAL_ACCOUNT]), loginRequiredStrictly , loginFormValidator.loginRules() , loginFormValidator.loginValidation , loginPassport.testLdapCredentials);
    106. 

  106. 

  107.   // importer management for admin
    108. 

  108.   app.post('/_api/admin/settings/importerEsa'   , accessTokenParser([SCOPE.WRITE.ADMIN.IMPORT_DATA]), loginRequiredStrictly , adminRequired , csrfProtection, addActivity, admin.importer.api.validators.importer.esa(),admin.api.importerSettingEsa);
    109. 

  109.   app.post('/_api/admin/settings/importerQiita' , accessTokenParser([SCOPE.WRITE.ADMIN.IMPORT_DATA]), loginRequiredStrictly , adminRequired , csrfProtection, addActivity, admin.importer.api.validators.importer.qiita(), admin.api.importerSettingQiita);
    110. 

  110.   app.post('/_api/admin/import/esa'             , accessTokenParser([SCOPE.WRITE.ADMIN.IMPORT_DATA]), loginRequiredStrictly , adminRequired , csrfProtection, addActivity, admin.api.importDataFromEsa);
    111. 

  111.   app.post('/_api/admin/import/testEsaAPI'      , accessTokenParser([SCOPE.WRITE.ADMIN.IMPORT_DATA]), loginRequiredStrictly , adminRequired , csrfProtection, addActivity, admin.api.testEsaAPI);
    112. 

  112.   app.post('/_api/admin/import/qiita'           , accessTokenParser([SCOPE.WRITE.ADMIN.IMPORT_DATA]), loginRequiredStrictly , adminRequired , csrfProtection, addActivity, admin.api.importDataFromQiita);
    113. 

  113.   app.post('/_api/admin/import/testQiitaAPI'    , accessTokenParser([SCOPE.WRITE.ADMIN.IMPORT_DATA]), loginRequiredStrictly , adminRequired , csrfProtection, addActivity, admin.api.testQiitaAPI);
    114. 

  114. 

  115.   // brand logo
    116. 

  116.   app.use('/attachment', attachment.getBrandLogoRouterFactory(crowi));
    117. 

  117. 

  118.   /*
    119. 

  119.    * Routes below are unavailable when maintenance mode
    120. 

  120.    */
    121. 

  121. 

  122.   // API v3
    123. 

  123.   app.use('/_api/v3', unavailableWhenMaintenanceModeForApi, apiV3Router);
    124. 

  124. 

  125.   const apiV1Router = createApiRouter();
    126. 

  126. 

  127.   apiV1Router.get('/search'              , accessTokenParser([SCOPE.READ.FEATURES.PAGE], { acceptLegacy: true }) , loginRequired , search.api.search);
    128. 

  128. 

  129.   // HTTP RPC Styled API (に徐々に移行していいこうと思う)
    130. 

  130.   apiV1Router.get('/pages.updatePost'    , accessTokenParser([SCOPE.READ.FEATURES.PAGE], { acceptLegacy: true }), loginRequired, page.api.getUpdatePost);
    131. 

  131.   apiV1Router.get('/pages.getPageTag'    , accessTokenParser([SCOPE.READ.FEATURES.PAGE], { acceptLegacy: true }) , loginRequired , page.api.getPageTag);
    132. 

  132.   // allow posting to guests because the client doesn't know whether the user logged in
    133. 

  133.   apiV1Router.post('/pages.remove'       , accessTokenParser([SCOPE.WRITE.FEATURES.PAGE]), loginRequiredStrictly , excludeReadOnlyUser, page.validator.remove, apiV1FormValidator, page.api.remove); // (Avoid from API Token)
    134. 

  134.   apiV1Router.post('/pages.revertRemove' , accessTokenParser([SCOPE.WRITE.FEATURES.PAGE]), loginRequiredStrictly , excludeReadOnlyUser, page.validator.revertRemove, apiV1FormValidator, page.api.revertRemove); // (Avoid from API Token)
    135. 

  135.   apiV1Router.post('/pages.unlink'       , accessTokenParser([SCOPE.WRITE.FEATURES.PAGE]), loginRequiredStrictly , excludeReadOnlyUser, page.api.unlink); // (Avoid from API Token)
    136. 

  136.   apiV1Router.get('/tags.list'           , accessTokenParser([SCOPE.READ.FEATURES.PAGE], { acceptLegacy: true }), loginRequired, tag.api.list);
    137. 

  137.   apiV1Router.get('/tags.search'         , accessTokenParser([SCOPE.READ.FEATURES.PAGE], { acceptLegacy: true }), loginRequired, tag.api.search);
    138. 

  138.   apiV1Router.post('/tags.update'        , accessTokenParser([SCOPE.WRITE.FEATURES.PAGE], { acceptLegacy: true }), loginRequiredStrictly, excludeReadOnlyUser, addActivity, tag.api.update);
    139. 

  139.   apiV1Router.get('/comments.get'        , accessTokenParser([SCOPE.READ.FEATURES.PAGE], { acceptLegacy: true }) , loginRequired , comment.api.get);
    140. 

  140.   apiV1Router.post('/comments.add'       , accessTokenParser([SCOPE.WRITE.FEATURES.PAGE], { acceptLegacy: true }), comment.api.validators.add(), loginRequiredStrictly , excludeReadOnlyUserIfCommentNotAllowed, addActivity, comment.api.add);
    141. 

  141.   apiV1Router.post('/comments.update'    , accessTokenParser([SCOPE.WRITE.FEATURES.PAGE], { acceptLegacy: true }), comment.api.validators.add(), loginRequiredStrictly , excludeReadOnlyUserIfCommentNotAllowed, addActivity, comment.api.update);
    142. 

  142.   apiV1Router.post('/comments.remove'    , accessTokenParser([SCOPE.WRITE.FEATURES.PAGE], { acceptLegacy: true }), loginRequiredStrictly , excludeReadOnlyUserIfCommentNotAllowed, addActivity, comment.api.remove);
    143. 

  143. 

  144.   apiV1Router.post('/attachments.uploadProfileImage'   , accessTokenParser([SCOPE.WRITE.FEATURES.ATTACHMENT], { acceptLegacy: true }), loginRequiredStrictly , excludeReadOnlyUser, uploads.single('file'), autoReap, attachmentApi.uploadProfileImage);
    145. 

  145.   apiV1Router.post('/attachments.remove'               , accessTokenParser([SCOPE.WRITE.FEATURES.ATTACHMENT], { acceptLegacy: true }), loginRequiredStrictly , excludeReadOnlyUser, addActivity ,attachmentApi.remove);
    146. 

  146.   apiV1Router.post('/attachments.removeProfileImage'   , accessTokenParser([SCOPE.WRITE.FEATURES.ATTACHMENT], { acceptLegacy: true }), loginRequiredStrictly , excludeReadOnlyUser, attachmentApi.removeProfileImage);
    147. 

  147. 

  148.   // API v1
    149. 

  149.   app.use('/_api', unavailableWhenMaintenanceModeForApi, apiV1Router);
    150. 

  150. 

  151.   app.use(unavailableWhenMaintenanceMode);
    152. 

  152. 

  153.   app.get('/me'                                   , loginRequiredStrictly, next.delegateToNext);
    154. 

  154.   app.get('/me/*'                                 , loginRequiredStrictly, next.delegateToNext);
    155. 

  155. 

  156.   app.use('/attachment', accessTokenParser([SCOPE.READ.FEATURES.ATTACHMENT]), attachment.getRouterFactory(crowi));
    157. 

  157.   app.use('/download', accessTokenParser([SCOPE.READ.FEATURES.ATTACHMENT]), attachment.downloadRouterFactory(crowi));
    158. 

  158. 

  159.   app.get('/_search'                              , loginRequired, next.delegateToNext);
    160. 

  160. 

  161.   app.use('/forgot-password', express.Router()
    162. 

  162.     .use(forgotPassword.checkForgotPasswordEnabledMiddlewareFactory(crowi))
    163. 

  163.     .get('/', forgotPassword.renderForgotPassword(crowi))
    164. 

  164.     .get('/:token', injectResetOrderByTokenMiddleware, forgotPassword.renderResetPassword(crowi))
    165. 

  165.     .use(forgotPassword.handleErrorsMiddleware(crowi)));
    166. 

  166. 

  167.   app.get('/_private-legacy-pages', next.delegateToNext);
    168. 

  168. 

  169.   app.use('/user-activation', express.Router()
    170. 

  170.     .get('/:token', applicationInstalled, injectUserRegistrationOrderByTokenMiddleware, userActivation.renderUserActivationPage(crowi))
    171. 

  171.     .use(userActivation.tokenErrorHandlerMiddeware(crowi)));
    172. 

  172. 

  173.   app.get('/share$', (req, res) => res.redirect('/'));
    174. 

  174.   app.get('/share/:linkId', next.delegateToNext);
    175. 

  175. 

  176.   app.use('/ogp', express.Router().get('/:pageId([0-9a-z]{0,})', loginRequired, ogp.pageIdRequired, ogp.ogpValidator, ogp.renderOgp));
    177. 

  177. 

  178.   app.get('/*/$'                   , loginRequired, next.delegateToNext);
    179. 

  179.   app.get('/*'                     , loginRequired, autoReconnectToSearch, next.delegateToNext);
    180. 

  180. 

  181. };
    182.