Files
TSSBOT-web/server.cjs
T
2026-05-14 16:02:56 +01:00

285 lines
7.9 KiB
JavaScript

const fs = require('node:fs')
const http = require('node:http')
const path = require('node:path')
const PORT = Number(process.env.PORT || 3001)
const API_UPSTREAM = process.env.API_UPSTREAM || 'http://127.0.0.1:6000'
const PUBLIC_ORIGIN = process.env.PUBLIC_ORIGIN || ''
const API_CACHE_TTL_MS = Number(process.env.API_CACHE_TTL_MS || 15000)
const API_RATE_LIMIT_WINDOW_MS = Number(process.env.API_RATE_LIMIT_WINDOW_MS || 60000)
const API_RATE_LIMIT_MAX = Number(process.env.API_RATE_LIMIT_MAX || 120)
const DIST_DIR = path.join(__dirname, 'dist')
const MAX_TEAM_NAME_LENGTH = 80
const MAX_CACHE_ENTRIES = 200
const MAX_RATE_LIMIT_KEYS = 1000
const mimeTypes = {
'.css': 'text/css; charset=utf-8',
'.html': 'text/html; charset=utf-8',
'.ico': 'image/x-icon',
'.js': 'text/javascript; charset=utf-8',
'.json': 'application/json; charset=utf-8',
'.map': 'application/json; charset=utf-8',
'.png': 'image/png',
'.svg': 'image/svg+xml',
'.webp': 'image/webp',
}
function send(res, status, body, headers = {}) {
res.writeHead(status, headers)
res.end(body)
}
const jsonHeaders = {
'content-type': 'application/json; charset=utf-8',
'cache-control': 'no-store',
'x-content-type-options': 'nosniff',
}
const apiCache = new Map()
const rateLimits = new Map()
function sendJson(res, status, body, headers = {}) {
send(res, status, JSON.stringify(body), { ...jsonHeaders, ...headers })
}
function publicOrigins(req) {
const origins = PUBLIC_ORIGIN.split(',')
.map((origin) => origin.trim())
.filter(Boolean)
if (!origins.length) {
const host = req.headers['x-forwarded-host'] || req.headers.host
const proto = req.headers['x-forwarded-proto'] || (req.socket.encrypted ? 'https' : 'http')
if (host) {
origins.push(`${proto}://${String(host).split(',')[0].trim()}`)
}
}
return origins
}
function isSameOriginRequest(req) {
const origins = publicOrigins(req)
const origin = req.headers.origin
const referer = req.headers.referer
const fetchSite = req.headers['sec-fetch-site']
const fetchDest = req.headers['sec-fetch-dest']
if (fetchDest === 'document') return false
if (origin && !origins.includes(origin)) return false
if (referer) {
try {
if (!origins.includes(new URL(referer).origin)) return false
} catch {
return false
}
}
if (fetchSite) {
return fetchSite === 'same-origin'
}
return Boolean(origin || referer)
}
function clientIp(req) {
const forwardedFor = req.headers['x-forwarded-for']
if (forwardedFor) return String(forwardedFor).split(',')[0].trim()
return req.socket.remoteAddress || 'unknown'
}
function isRateLimited(req) {
const now = Date.now()
const ip = clientIp(req)
const current = rateLimits.get(ip)
if (!current || current.resetAt <= now) {
rateLimits.set(ip, { count: 1, resetAt: now + API_RATE_LIMIT_WINDOW_MS })
return false
}
current.count += 1
return current.count > API_RATE_LIMIT_MAX
}
function pruneMaps() {
const now = Date.now()
for (const [key, value] of apiCache) {
if (value.expiresAt <= now || apiCache.size > MAX_CACHE_ENTRIES) apiCache.delete(key)
}
for (const [key, value] of rateLimits) {
if (value.resetAt <= now || rateLimits.size > MAX_RATE_LIMIT_KEYS) rateLimits.delete(key)
}
}
function allowedApiTarget(req) {
if (req.method !== 'GET' && req.method !== 'HEAD') return null
const requestUrl = new URL(req.url, `http://${req.headers.host || 'localhost'}`)
const url = new URL(`${requestUrl.pathname}${requestUrl.search}`, API_UPSTREAM)
const params = requestUrl.searchParams
const pathname = requestUrl.pathname
if (pathname === '/api/tss/leaderboard/teams') {
const keys = [...params.keys()]
const limit = Number(params.get('limit') || 100)
if (keys.some((key) => key !== 'limit') || !Number.isInteger(limit) || limit < 1 || limit > 100) {
return null
}
return url
}
if (pathname === '/api/tss/teams/resolve') {
const keys = [...params.keys()]
const name = params.get('name') || ''
if (keys.some((key) => key !== 'name') || name.length < 2 || name.length > MAX_TEAM_NAME_LENGTH) {
return null
}
return url
}
const teamMatch = pathname.match(/^\/api\/tss\/teams\/([^/]+)(?:\/(history|games))?$/)
if (!teamMatch || [...params.keys()].length) return null
try {
const teamName = decodeURIComponent(teamMatch[1])
if (!teamName || teamName.length > MAX_TEAM_NAME_LENGTH) return null
} catch {
return null
}
return url
}
function proxyRequest(req, res) {
pruneMaps()
if (!isSameOriginRequest(req)) {
return sendJson(res, 403, { error: 'API access is restricted to this site' })
}
if (isRateLimited(req)) {
return sendJson(res, 429, { error: 'Too many API requests' }, { 'retry-after': String(Math.ceil(API_RATE_LIMIT_WINDOW_MS / 1000)) })
}
const target = allowedApiTarget(req)
if (!target) {
return sendJson(res, 404, { error: 'API route not found' })
}
const cacheKey = req.method === 'GET' ? target.toString() : ''
const cached = cacheKey ? apiCache.get(cacheKey) : null
if (cached && cached.expiresAt > Date.now()) {
return send(res, 200, cached.body, cached.headers)
}
const responseChunks = []
const proxy = http.request(
target,
{
method: req.method,
headers: {
accept: 'application/json',
host: target.host,
'user-agent': req.headers['user-agent'] || 'tssbot-web',
},
},
(proxyRes) => {
const headers = {
...proxyRes.headers,
'cache-control': 'private, max-age=15',
'x-content-type-options': 'nosniff',
}
delete headers['access-control-allow-origin']
delete headers['access-control-allow-credentials']
res.writeHead(proxyRes.statusCode || 502, headers)
proxyRes.on('data', (chunk) => {
if (cacheKey && (proxyRes.statusCode || 0) >= 200 && (proxyRes.statusCode || 0) < 300) {
responseChunks.push(chunk)
}
})
proxyRes.on('end', () => {
if (cacheKey && responseChunks.length) {
apiCache.set(cacheKey, {
body: Buffer.concat(responseChunks),
headers,
expiresAt: Date.now() + API_CACHE_TTL_MS,
})
}
})
proxyRes.pipe(res)
},
)
proxy.on('error', (error) => {
sendJson(res, 502, { error: 'API proxy failed', detail: error.message })
})
req.pipe(proxy)
}
function serveStatic(req, res) {
const requestPath = decodeURIComponent(new URL(req.url, `http://localhost:${PORT}`).pathname)
const relativePath = requestPath === '/' ? '/index.html' : requestPath
const filePath = path.normalize(path.join(DIST_DIR, relativePath))
if (!filePath.startsWith(DIST_DIR)) {
return send(res, 403, 'Forbidden', { 'content-type': 'text/plain; charset=utf-8' })
}
fs.readFile(filePath, (error, data) => {
if (error) {
fs.readFile(path.join(DIST_DIR, 'index.html'), (indexError, indexData) => {
if (indexError) {
return send(res, 404, 'Build not found. Run npm run build first.', {
'content-type': 'text/plain; charset=utf-8',
})
}
send(res, 200, indexData, { 'content-type': mimeTypes['.html'] })
})
return
}
const ext = path.extname(filePath)
send(res, 200, data, {
'content-type': mimeTypes[ext] || 'application/octet-stream',
'cache-control': ext === '.html' ? 'no-cache' : 'public, max-age=31536000, immutable',
})
})
}
http
.createServer((req, res) => {
if (req.url === '/health') {
sendJson(res, 200, { ok: true })
return
}
if (req.method === 'OPTIONS' && req.url.startsWith('/api/')) {
sendJson(res, 403, { error: 'CORS requests are not allowed' })
return
}
if (req.url.startsWith('/api/')) {
proxyRequest(req, res)
return
}
serveStatic(req, res)
})
.listen(PORT, '0.0.0.0', () => {
console.log(`tssbot-web serving http://localhost:${PORT}`)
console.log(`proxying API requests to ${API_UPSTREAM}`)
})