Maxim Dolgolyov
952a54f97c
## P0 - admin.html:2608, red-book-ecosystem.html:489-495 — XSS: u.name/node.name_ru/description обернуты в LS.esc() - classController.js getAnnouncements — добавлена проверка teacher_id (B14: учитель A не может читать объявления класса B) ## P1 — auth & validation - authController.js — минимум пароля 6→8 символов (register + change password + login.html) - gamificationController adminAward — валидация max XP/coins (1M), Number coercion - shopController adminAwardCoins — валидация max + проверка changes>0 ## P1 — race conditions - petController.buyBg — atomic UPDATE WHERE coins>=? (race-safe) - shopController.purchaseItem — atomic conditional UPDATE - liveController — добавлен question_id в live_answers (миграция с пересозданием таблицы), история ответов сохраняется при смене вопроса учителем - ws-server: invalidateDrawCache экспортирован, classroomController grant/revoke вызывают его → permission revoke применяется мгновенно (раньше до 10s stale) ## P1 — rate limits & retry - rateLimit middleware: новый параметр byUser=true (использует req.user.id вместо IP — не блокирует пользователей за NAT) - routes/classroom.js: reactionLimiter (15/5s) на /chat/:msgId/react, handLimiter (5/5s) на raise/lower hand - api.js sendAnswer — retry 3x с exp backoff (300/1200/2700ms), не повторяет на 4xx (F5) ## P1 — performance - classroomController.getStrokes — LIMIT 5000 + флаг hasMore (защита от OOM на 10K+ strokes) - whiteboard.js _liveStrokes — TTL 1.5s на каждый live preview (auto-cleanup при крашe ремоут юзера) ## Infrastructure - config.js: TURN_URL/USER/PASS env vars - server.js: GET /api/ice-servers возвращает STUN + опциональный TURN из env - classroom-rtc.js: фетчит /api/ice-servers вместо хардкода (поддержка TURN для NAT/CGNAT школьных сетей) - .env.example: документация TURN - db.js: PRAGMA synchronous=NORMAL (5x быстрее с WAL), cache_size 16MB, temp_store=MEMORY - ws-server.js closeAll() + server.js shutdown — graceful WS shutdown при SIGTERM ## False positives (не баги, агенты ошиблись) - assignmentController FK на tests — на самом деле users (migrate.js:317-318) - .env в git — gitignore корректно исключает - admin.html без requireAuth — есть LS.initPage() который вызывает requireAuth - submissionsController IDOR — обе ручки уже проверяют teacher_id - screenSender = null inside try/catch — на самом деле снаружи - SSE без backoff — есть exponential 2s→30s - sessionController NOT IN на пустом массиве — есть guard usedIds.length>0 - getChat без LIMIT — есть LIMIT 100/200 - trust proxy — установлен на server.js:105 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
355 lines
15 KiB
JavaScript
355 lines
15 KiB
JavaScript
const config = require('./config'); // validates .env, fails fast on error
|
|
const logger = require('./utils/logger'); // structured logging
|
|
|
|
require('./db/migrate'); // авто-миграция при каждом старте
|
|
const { seedDefaults: seedPermissions } = require('./controllers/permissionsController');
|
|
seedPermissions();
|
|
const express = require('express');
|
|
const cors = require('cors');
|
|
const path = require('path');
|
|
const compression = require('compression');
|
|
|
|
const authRoutes = require('./routes/auth');
|
|
const subjectRoutes = require('./routes/subjects');
|
|
const sessionRoutes = require('./routes/sessions');
|
|
const adminRoutes = require('./routes/admin');
|
|
const questionRoutes = require('./routes/questions');
|
|
const classRoutes = require('./routes/classes');
|
|
const assignmentRoutes = require('./routes/assignments');
|
|
const fileRoutes = require('./routes/files');
|
|
const testRoutes = require('./routes/tests');
|
|
const notificationRoutes = require('./routes/notifications');
|
|
const permissionRoutes = require('./routes/permissions');
|
|
const submissionRoutes = require('./routes/submissions');
|
|
const courseRoutes = require('./routes/courses');
|
|
const lessonRoutes = require('./routes/lessons');
|
|
const gamificationRoutes = require('./routes/gamification');
|
|
const shopRoutes = require('./routes/shop');
|
|
const templateRoutes = require('./routes/templates');
|
|
const bookmarkRoutes = require('./routes/bookmarks');
|
|
const searchRoutes = require('./routes/search');
|
|
const flashcardRoutes = require('./routes/flashcards');
|
|
const settingsRoutes = require('./routes/settings');
|
|
const analyticsRoutes = require('./routes/analytics');
|
|
const liveRoutes = require('./routes/live');
|
|
const classroomRoutes = require('./routes/classroom');
|
|
const guestClassroomRoutes = require('./routes/guestClassroom');
|
|
const gamesRoutes = require('./routes/games');
|
|
const knowledgeMapRoutes = require('./routes/knowledgeMap');
|
|
const petRoutes = require('./routes/pet');
|
|
const collectionRoutes = require('./routes/collection');
|
|
const redBookRoutes = require('./routes/red-book');
|
|
const parentRoutes = require('./routes/parent');
|
|
|
|
const { requestId, errorHandler } = require('./middleware/errorHandler');
|
|
|
|
const app = express();
|
|
const PORT = config.PORT;
|
|
const isProd = config.isProd;
|
|
|
|
/* ── Gzip compression (skip SSE streams — compression buffers chunks and breaks real-time) ── */
|
|
app.use(compression({
|
|
filter: (req, res) => {
|
|
if (req.path.includes('/stream') || req.headers.accept === 'text/event-stream') return false;
|
|
return compression.filter(req, res);
|
|
},
|
|
}));
|
|
|
|
/* ── Request ID — attach before everything else ── */
|
|
app.use(requestId);
|
|
|
|
/* ── Security headers (no helmet dep needed) ── */
|
|
app.use((_req, res, next) => {
|
|
res.setHeader('X-Content-Type-Options', 'nosniff');
|
|
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
|
|
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
|
|
res.setHeader('X-XSS-Protection', '1; mode=block');
|
|
// classroom.html needs microphone + camera for WebRTC
|
|
const isClassroom = _req.path === '/classroom' || _req.path === '/classroom.html';
|
|
res.setHeader('Permissions-Policy',
|
|
isClassroom
|
|
? 'camera=(self), microphone=(self), geolocation=()'
|
|
: 'camera=(), microphone=(), geolocation=()'
|
|
);
|
|
res.setHeader('Content-Security-Policy',
|
|
"default-src 'self'; " +
|
|
"script-src 'self' 'unsafe-inline' https://unpkg.com https://cdn.jsdelivr.net; " +
|
|
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; " +
|
|
"font-src 'self' https://fonts.gstatic.com https://cdn.jsdelivr.net; " +
|
|
"img-src 'self' data: blob: https:; " +
|
|
"connect-src 'self' https://cdn.jsdelivr.net https://stun.l.google.com; " +
|
|
"frame-src 'self' https://www.youtube.com https://rutube.ru https://player.vimeo.com; " +
|
|
"frame-ancestors 'self'" +
|
|
(isProd ? "; upgrade-insecure-requests" : "")
|
|
);
|
|
if (isProd) res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
|
next();
|
|
});
|
|
|
|
/* ── Request logger ── */
|
|
app.use((req, res, next) => {
|
|
const start = Date.now();
|
|
res.on('finish', () => {
|
|
const ms = Date.now() - start;
|
|
const status = res.statusCode;
|
|
const level = status >= 500 ? 'error' : status >= 400 ? 'warn' : 'info';
|
|
logger[level](`${req.method} ${req.path}`, {
|
|
status, ms, requestId: req.requestId,
|
|
userId: req.user?.id,
|
|
});
|
|
});
|
|
next();
|
|
});
|
|
|
|
/* ── CORS ── */
|
|
app.set('trust proxy', 1);
|
|
const allowedOrigins = [process.env.CLIENT_ORIGIN].filter(Boolean);
|
|
app.use(cors({
|
|
origin: (origin, cb) => {
|
|
if (!origin) return cb(null, !isProd); // dev: allow, prod: block
|
|
cb(null, allowedOrigins.includes(origin) ? origin : false);
|
|
},
|
|
credentials: true
|
|
}));
|
|
|
|
/* ── Body parser with size limit ── */
|
|
app.use(express.json({ limit: '1mb' }));
|
|
|
|
/* ── Global API rate limit ── */
|
|
const rateLimit = require('./middleware/rateLimit');
|
|
// Classroom real-time endpoints (cursor, stroke-preview) fire ~10/s per user — higher limit
|
|
app.use('/api/classroom', rateLimit({ windowMs: 60_000, max: 6000, message: 'Слишком много запросов' }));
|
|
app.use('/api', rateLimit({ windowMs: 60_000, max: 600, message: 'Слишком много запросов, подождите минуту' }));
|
|
|
|
/* ── Routes ── */
|
|
app.use('/api/auth', authRoutes);
|
|
app.use('/api/subjects', subjectRoutes);
|
|
app.use('/api/sessions', sessionRoutes);
|
|
app.use('/api/admin', adminRoutes);
|
|
app.use('/api/questions', questionRoutes);
|
|
app.use('/api/classes', classRoutes);
|
|
app.use('/api/assignments', assignmentRoutes);
|
|
app.use('/api/files', fileRoutes);
|
|
app.use('/api/tests', testRoutes);
|
|
app.use('/api/notifications', notificationRoutes);
|
|
app.use('/api/permissions', permissionRoutes);
|
|
app.use('/api/submissions', submissionRoutes);
|
|
app.use('/api/courses', courseRoutes);
|
|
app.use('/api/lessons', lessonRoutes);
|
|
app.use('/api/gamification', gamificationRoutes);
|
|
app.use('/api/shop', shopRoutes);
|
|
app.use('/api/templates', templateRoutes);
|
|
app.use('/api/bookmarks', bookmarkRoutes);
|
|
app.use('/api/search', searchRoutes);
|
|
app.use('/api/flashcards', flashcardRoutes);
|
|
app.use('/api/settings', settingsRoutes);
|
|
app.use('/api/preferences', require('./routes/preferences'));
|
|
app.use('/api/avatar', require('./routes/avatar'));
|
|
app.use('/api/analytics', analyticsRoutes);
|
|
app.use('/api/live', liveRoutes);
|
|
app.use('/api/classroom/guest', guestClassroomRoutes); // public — MUST be before /api/classroom
|
|
app.use('/api/classroom', classroomRoutes);
|
|
app.use('/api/games', gamesRoutes);
|
|
app.use('/api/knowledge-map', knowledgeMapRoutes);
|
|
app.use('/api/pet', petRoutes);
|
|
app.use('/api/collection', collectionRoutes);
|
|
app.use('/api/red-book', redBookRoutes);
|
|
app.use('/api/biochem', require('./routes/biochem'));
|
|
app.use('/api/parent', parentRoutes);
|
|
|
|
/* ── Public features endpoint (merges global + per-class for authenticated students) ── */
|
|
const _featDb = require('./db/db');
|
|
const _stmtGlobalFeats = _featDb.prepare("SELECT key, value FROM app_settings WHERE key LIKE 'feature_%'");
|
|
const _stmtClassFeats = _featDb.prepare(
|
|
'SELECT c.features FROM classes c JOIN class_members cm ON cm.class_id = c.id WHERE cm.user_id = ?'
|
|
);
|
|
const _stmtFreeStudentFeats = _featDb.prepare("SELECT value FROM app_settings WHERE key = 'free_student_features'");
|
|
const _jwtLib = require('jsonwebtoken');
|
|
|
|
app.get('/api/features', (req, res) => {
|
|
const rows = _stmtGlobalFeats.all();
|
|
const features = {};
|
|
for (const r of rows) {
|
|
const name = r.key.replace('feature_', '').replace('_enabled', '');
|
|
features[name] = r.value === '1';
|
|
}
|
|
// Prevent browser caching — class features change when teacher updates settings
|
|
res.setHeader('Cache-Control', 'no-store');
|
|
|
|
// For authenticated students: overlay class-specific feature flags
|
|
const token = (req.headers.authorization || '').replace('Bearer ', '');
|
|
if (token) {
|
|
try {
|
|
const payload = _jwtLib.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
|
|
if (payload.role === 'student' || payload.role === 'free_student') {
|
|
const classes = _stmtClassFeats.all(payload.id);
|
|
if (classes.length === 0 && payload.role === 'student') {
|
|
features._no_class = true; // regular student has no class — restrict access
|
|
}
|
|
for (const cls of classes) {
|
|
if (!cls.features) continue;
|
|
try {
|
|
const f = JSON.parse(cls.features);
|
|
for (const [key, val] of Object.entries(f)) {
|
|
if (val === false) features[key] = false;
|
|
}
|
|
} catch (e) { console.error('[features] class JSON parse error:', e.message); }
|
|
}
|
|
// Apply role-level free_student restrictions (set by admin)
|
|
if (payload.role === 'free_student') {
|
|
const fsRow = _stmtFreeStudentFeats.get();
|
|
if (fsRow?.value) {
|
|
try {
|
|
const fsFeats = JSON.parse(fsRow.value);
|
|
for (const [key, val] of Object.entries(fsFeats)) {
|
|
if (val === false) features[key] = false;
|
|
}
|
|
} catch (e) { console.error('[features] free_student JSON parse error:', e.message); }
|
|
}
|
|
}
|
|
}
|
|
} catch { /* invalid/expired token — anonymous features */ }
|
|
}
|
|
res.json(features);
|
|
});
|
|
|
|
/* ── Health check ── */
|
|
const _startTime = Date.now();
|
|
const _pkg = require('../package.json');
|
|
const _db = require('./db/db');
|
|
|
|
/* GET /api/ice-servers — WebRTC ICE config (STUN + optional TURN from env)
|
|
Required for clients behind symmetric NAT/CGNAT (school/corporate networks). */
|
|
app.get('/api/ice-servers', (req, res) => {
|
|
const iceServers = [
|
|
{ urls: 'stun:stun.l.google.com:19302' },
|
|
{ urls: 'stun:stun1.l.google.com:19302' },
|
|
];
|
|
if (config.TURN_URL && config.TURN_USER && config.TURN_PASS) {
|
|
iceServers.push({
|
|
urls: config.TURN_URL,
|
|
username: config.TURN_USER,
|
|
credential: config.TURN_PASS,
|
|
});
|
|
}
|
|
res.json({ iceServers });
|
|
});
|
|
|
|
app.get('/api/health', (req, res) => {
|
|
let dbStatus = 'ok';
|
|
let dbLatencyMs = null;
|
|
try {
|
|
const t0 = Date.now();
|
|
_db.prepare('SELECT 1').get();
|
|
dbLatencyMs = Date.now() - t0;
|
|
} catch {
|
|
dbStatus = 'error';
|
|
}
|
|
|
|
const status = dbStatus === 'ok' ? 'ok' : 'degraded';
|
|
const httpStatus = status === 'ok' ? 200 : 503;
|
|
|
|
// Minimal public response — no version/runtime details
|
|
const pub = { status, timestamp: new Date().toISOString() };
|
|
|
|
// Detailed response only for authenticated admins
|
|
const token = (req.headers.authorization || '').replace('Bearer ', '');
|
|
if (token) {
|
|
try {
|
|
const jwt = require('jsonwebtoken');
|
|
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
|
|
const u = _db.prepare('SELECT role FROM users WHERE id = ?').get(payload.id);
|
|
if (u?.role === 'admin') {
|
|
const uptimeSec = Math.floor((Date.now() - _startTime) / 1000);
|
|
return res.status(httpStatus).json({
|
|
...pub,
|
|
version: _pkg.version,
|
|
uptime: { seconds: uptimeSec, human: _fmtUptime(uptimeSec) },
|
|
db: { status: dbStatus, latency_ms: dbLatencyMs },
|
|
node: process.version,
|
|
env: process.env.NODE_ENV || 'development',
|
|
});
|
|
}
|
|
} catch { /* invalid token → fall through to public response */ }
|
|
}
|
|
|
|
res.status(httpStatus).json(pub);
|
|
});
|
|
|
|
function _fmtUptime(s) {
|
|
const d = Math.floor(s / 86400);
|
|
const h = Math.floor((s % 86400) / 3600);
|
|
const m = Math.floor((s % 3600) / 60);
|
|
const sec = s % 60;
|
|
if (d > 0) return `${d}d ${h}h ${m}m`;
|
|
if (h > 0) return `${h}h ${m}m ${sec}s`;
|
|
if (m > 0) return `${m}m ${sec}s`;
|
|
return `${sec}s`;
|
|
}
|
|
|
|
/* ── Static frontend ── */
|
|
const frontendDir = path.join(__dirname, '../../frontend');
|
|
const jsDir = path.join(__dirname, '../../js');
|
|
const staticCache = isProd ? { maxAge: '7d' } : { setHeaders: (res) => res.setHeader('Cache-Control', 'no-store') };
|
|
app.use('/js', express.static(jsDir, staticCache));
|
|
app.use('/css', express.static(path.join(frontendDir, 'css'), staticCache));
|
|
app.use('/img', express.static(path.join(frontendDir, 'img'), staticCache));
|
|
app.use('/avatars', express.static(path.join(__dirname, '../../uploads/avatars'), { maxAge: '1d' }));
|
|
|
|
// Redirect legacy .html URLs → clean URLs (301)
|
|
app.use((req, res, next) => {
|
|
if (req.path.endsWith('.html') && !req.path.startsWith('/api/')) {
|
|
const clean = req.path.slice(0, -5);
|
|
const qs = req.url.slice(req.path.length); // preserve ?query
|
|
return res.redirect(301, clean + qs);
|
|
}
|
|
next();
|
|
});
|
|
|
|
// Serve HTML files without extension (/dashboard → dashboard.html)
|
|
// In dev: disable cache so edits are always picked up immediately
|
|
const htmlCacheOpts = isProd ? { extensions: ['html'] } : {
|
|
extensions: ['html'],
|
|
setHeaders: (res, filePath) => {
|
|
if (filePath.endsWith('.html')) res.setHeader('Cache-Control', 'no-store');
|
|
},
|
|
};
|
|
app.use(express.static(frontendDir, htmlCacheOpts));
|
|
|
|
app.get('/', (_req, res) => res.sendFile(path.join(frontendDir, 'login.html')));
|
|
app.get('/login', (_req, res) => res.sendFile(path.join(frontendDir, 'login.html')));
|
|
|
|
/* ── Custom error pages ── */
|
|
app.get('/403', (_req, res) => res.status(403).sendFile(path.join(frontendDir, '403.html')));
|
|
app.get('/404', (_req, res) => res.status(404).sendFile(path.join(frontendDir, '404.html')));
|
|
app.get('/500', (_req, res) => res.status(500).sendFile(path.join(frontendDir, '500.html')));
|
|
/* ── Global error handler ── */
|
|
app.use(errorHandler);
|
|
|
|
app.use((_req, res) => res.status(404).sendFile(path.join(frontendDir, '404.html')));
|
|
|
|
const server = app.listen(PORT, () => logger.info(`Server running on port ${PORT}`, { env: config.NODE_ENV }));
|
|
|
|
/* ── WebSocket server for low-latency classroom events (cursor + preview) ── */
|
|
require('./ws-server').attach(server);
|
|
|
|
/* ── Graceful shutdown ── */
|
|
function shutdown(signal) {
|
|
logger.info(`${signal} received — shutting down gracefully`);
|
|
// Close WebSocket connections first so HTTP server can stop accepting new requests cleanly
|
|
try { require('./ws-server').closeAll(); } catch (e) { logger.error('ws close error', { err: e.message }); }
|
|
server.close(() => {
|
|
try {
|
|
const _shutDb = require('./db/db');
|
|
_shutDb.exec('PRAGMA optimize');
|
|
_shutDb.close();
|
|
} catch (e) { logger.error('db close error', { err: e.message }); }
|
|
logger.info('Server closed');
|
|
process.exit(0);
|
|
});
|
|
// Force exit after 5s if connections hang
|
|
setTimeout(() => process.exit(1), 5000).unref();
|
|
}
|
|
process.on('SIGTERM', () => shutdown('SIGTERM'));
|
|
process.on('SIGINT', () => shutdown('SIGINT'));
|