dannystocker/navidocs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
navidocs/server/index.js
Claude d8c54221ef
[PRODUCTION] Code quality and security hardening 
Code Quality Improvements:
- Replace console.log() with proper logger in server/routes/upload.js
- Remove console.log() from client/src/main.js (service worker)
- Remove console.log() from server/middleware/auth.js
- Remove all TODO/FIXME comments from production code
- Add authenticateToken middleware to upload route

Security Enhancements:
- Enforce JWT_SECRET environment variable (no fallback)
- Add XSS protection to search snippet rendering
- Implement comprehensive health checks (database + Meilisearch)
- Verify all database queries use prepared statements (SQL injection prevention)
- Confirm .env.production has 64+ char secrets

Changes:
- server/routes/upload.js: Added logger, authenticateToken middleware
- server/middleware/auth.js: Removed fallback secret, added logger
- server/index.js: Enhanced /health endpoint with service checks
- client/src/main.js: Silent service worker registration
- client/src/views/SearchView.vue: Added HTML escaping to formatSnippet()

All PRE_DEPLOYMENT_CHECKLIST.md security items verified ✓
2025-11-14 08:33:45 +00:00

191 lines
5.1 KiB
JavaScript
Raw Blame History

/**
* NaviDocs Backend API
* Express server with SQLite + Meilisearch
*/
import express from 'express';
import helmet from 'helmet';
import cors from 'cors';
import rateLimit from 'express-rate-limit';
import dotenv from 'dotenv';
import { fileURLToPath } from 'url';
import { dirname, join } from 'path';
import logger, { requestLogger } from './utils/logger.js';
// Load environment variables
dotenv.config();
const __dirname = dirname(fileURLToPath(import.meta.url));
const PORT = process.env.PORT || 3001;
const NODE_ENV = process.env.NODE_ENV || 'development';
// Create Express app
const app = express();
// Security middleware
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", 'data:', 'blob:'],
connectSrc: ["'self'"],
fontSrc: ["'self'"],
objectSrc: ["'none'"],
mediaSrc: ["'self'"],
frameSrc: ["'none'"]
}
},
crossOriginEmbedderPolicy: false
}));
// CORS
app.use(cors({
origin: NODE_ENV === 'production' ? process.env.ALLOWED_ORIGINS?.split(',') : '*',
credentials: true
}));
// Body parsing
app.use(express.json({ limit: '10mb' }));
app.use(express.urlencoded({ extended: true, limit: '10mb' }));
// Request logging
app.use(requestLogger);
// Rate limiting
const limiter = rateLimit({
windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS || '900000'), // 15 minutes
max: parseInt(process.env.RATE_LIMIT_MAX_REQUESTS || '100'),
standardHeaders: true,
legacyHeaders: false,
message: 'Too many requests, please try again later'
});
app.use('/api/', limiter);
// Health check
app.get('/health', async (req, res) => {
try {
const health = {
status: 'ok',
timestamp: Date.now(),
uptime: process.uptime(),
checks: {}
};
// Check database
try {
const db = getDb();
db.prepare('SELECT 1').get();
health.checks.database = 'ok';
} catch (err) {
health.checks.database = 'error';
health.status = 'degraded';
}
// Check Meilisearch
try {
const meiliHealth = await fetch(`${process.env.MEILISEARCH_HOST}/health`);
health.checks.meilisearch = meiliHealth.ok ? 'ok' : 'error';
if (!meiliHealth.ok) health.status = 'degraded';
} catch (err) {
health.checks.meilisearch = 'error';
health.status = 'degraded';
}
res.json(health);
} catch (error) {
res.status(500).json({
status: 'error',
error: error.message
});
}
});
// Import route modules
import authRoutes from './routes/auth.routes.js';
import organizationRoutes from './routes/organization.routes.js';
import permissionRoutes from './routes/permission.routes.js';
import settingsRoutes from './routes/settings.routes.js';
import uploadRoutes from './routes/upload.js';
import quickOcrRoutes from './routes/quick-ocr.js';
import jobsRoutes from './routes/jobs.js';
import searchRoutes from './routes/search.js';
import documentsRoutes from './routes/documents.js';
import imagesRoutes from './routes/images.js';
import statsRoutes from './routes/stats.js';
import tocRoutes from './routes/toc.js';
// Public API endpoint for app settings (no auth required)
import * as settingsService from './services/settings.service.js';
app.get('/api/settings/public/app', async (req, res) => {
try {
const appName = settingsService.getSetting('app.name');
res.json({
success: true,
appName: appName?.value || 'NaviDocs'
});
} catch (error) {
res.status(400).json({
success: false,
error: error.message,
appName: 'NaviDocs' // Fallback
});
}
});
// API routes
app.use('/api/auth', authRoutes);
app.use('/api/organizations', organizationRoutes);
app.use('/api/permissions', permissionRoutes);
app.use('/api/admin/settings', settingsRoutes);
app.use('/api/upload/quick-ocr', quickOcrRoutes);
app.use('/api/upload', uploadRoutes);
app.use('/api/jobs', jobsRoutes);
app.use('/api/search', searchRoutes);
app.use('/api/documents', documentsRoutes);
app.use('/api/stats', statsRoutes);
app.use('/api', tocRoutes); // Handles /api/documents/:id/toc paths
app.use('/api', imagesRoutes);
// Client error logging endpoint (Tier 2)
app.post('/api/client-log', express.json(), (req, res) => {
const { level, msg, context } = req.body;
if (!level || !msg) {
return res.status(400).json({ error: 'Missing level or msg' });
}
// Log with CLIENT_ prefix
const logLevel = level.toUpperCase();
const logMethod = logger[level.toLowerCase()] || logger.info;
logMethod(`CLIENT_${msg}`, context || {});
res.sendStatus(204);
});
// Error handling
app.use((err, req, res, next) => {
console.error('Error:', err);
res.status(err.status || 500).json({
error: err.message || 'Internal server error',
...(NODE_ENV === 'development' && { stack: err.stack })
});
});
// Start server
app.listen(PORT, () => {
logger.info(`NaviDocs API server started`, {
port: PORT,
environment: NODE_ENV,
healthCheck: `http://localhost:${PORT}/health`
});
});
export default app;
Reference in a new issue View git blame Copy permalink