server/packages/api/app.ts

import { resolve } from "node:path";
import { Scalar } from "@scalar/hono-api-reference";
import { config } from "@versia-server/config";
import { ApiError } from "@versia-server/kit";
import { serverLogger } from "@versia-server/logging";
import chalk from "chalk";
import { Hono } from "hono";
import { serveStatic } from "hono/bun";
import { cors } from "hono/cors";
import { createMiddleware } from "hono/factory";
import { prettyJSON } from "hono/pretty-json";
import { secureHeaders } from "hono/secure-headers";
import { openAPISpecs } from "hono-openapi";
import { Youch } from "youch";
import { applyToHono } from "@/bull-board.ts";
import pkg from "~/package.json" with { type: "application/json" };
import { PluginLoader } from "../../classes/plugin/loader.ts";
import type { ApiRouteExports, HonoEnv } from "../../types/api.ts";
import { agentBans } from "./middlewares/agent-bans.ts";
import { boundaryCheck } from "./middlewares/boundary-check.ts";
import { ipBans } from "./middlewares/ip-bans.ts";
import { logger } from "./middlewares/logger.ts";
import { rateLimit } from "./middlewares/rate-limit.ts";
import { routes } from "./routes.ts";
// Extends Zod with OpenAPI schema generation
import "zod-openapi/extend";

export const appFactory = async (): Promise<Hono<HonoEnv>> => {
    const app = new Hono<HonoEnv>({
        strict: false,
    });

    app.use(ipBans);
    app.use(agentBans);
    app.use(logger);
    app.use(boundaryCheck);
    app.use(
        "/api/*",
        secureHeaders({
            contentSecurityPolicy: {
                // We will not be returning HTML, so everything should be blocked
                defaultSrc: ["'none'"],
                scriptSrc: ["'none'"],
                styleSrc: ["'none'"],
                imgSrc: ["'none'"],
                connectSrc: ["'none'"],
                fontSrc: ["'none'"],
                objectSrc: ["'none'"],
                mediaSrc: ["'none'"],
                frameSrc: ["'none'"],
                frameAncestors: ["'none'"],
                baseUri: ["'none'"],
                formAction: ["'none'"],
                childSrc: ["'none'"],
                workerSrc: ["'none'"],
                manifestSrc: ["'none'"],
            },
            referrerPolicy: "no-referrer",
            xFrameOptions: "DENY",
            xContentTypeOptions: "nosniff",
            crossOriginEmbedderPolicy: "require-corp",
            crossOriginOpenerPolicy: "same-origin",
            crossOriginResourcePolicy: "same-origin",
        }),
    );
    app.use(
        prettyJSON({
            space: 4,
        }),
    );
    app.use(
        cors({
            origin: "*",
            allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE"],
            credentials: true,
        }),
    );
    app.use(
        createMiddleware<HonoEnv>(async (context, next) => {
            context.set("config", config);

            await next();
        }),
    );

    // Set default ratelimits to 100 requests per minute
    app.use("/api/*", rateLimit(100));
    app.use("/api/v1/media", rateLimit(40));
    app.use("/api/v1/media/*", rateLimit(40));
    app.use("/api/v2/media", rateLimit(40));
    app.use("/api/v1/timelines/*", rateLimit(40));
    app.use("/api/v1/push/*", rateLimit(10));

    // Disabled as federation now checks for this
    // app.use(urlCheck);

    // Inject own filesystem router
    for (const [, path] of Object.entries(routes)) {
        // use app.get(path, handler) to add routes
        const route: ApiRouteExports = await import(path);

        if (!route.default) {
            continue;
        }

        route.default(app);
    }

    serverLogger.info`Loading plugins`;

    const time1 = performance.now();

    const loader = new PluginLoader();

    const plugins = await loader.loadPlugins(
        resolve("./plugins"),
        config.plugins?.autoload ?? true,
        config.plugins?.overrides.enabled,
        config.plugins?.overrides.disabled,
    );

    await PluginLoader.addToApp(plugins, app);

    const time2 = performance.now();

    serverLogger.info`Plugins loaded in ${`${chalk.gray(
        (time2 - time1).toFixed(2),
    )}ms`}`;

    app.get(
        "/openapi.json",
        openAPISpecs(app, {
            documentation: {
                info: {
                    title: "Versia Server API",
                    version: pkg.version,
                    license: {
                        name: "AGPL-3.0",
                        url: "https://www.gnu.org/licenses/agpl-3.0.html",
                    },
                    contact: pkg.author,
                },
            },
        }),
    );

    app.get(
        "/docs",
        Scalar({
            theme: "deepSpace",
            hideClientButton: true,
            pageTitle: "Versia Server API",
            url: "/openapi.json",
        }),
    );
    applyToHono(app);

    app.options("*", (context) => {
        return context.body(null, 204);
    });

    app.all(
        "*",
        serveStatic({
            root: config.frontend.path,
        }),
    );
    // Fallback for SPAs, in case we've hit a route that is client-side
    app.all(
        "*",
        serveStatic({
            root: config.frontend.path,
            path: "index.html",
        }),
    );

    app.onError(async (error, c) => {
        if (error instanceof ApiError) {
            return c.json(
                {
                    error: error.message,
                    details: error.details,
                },
                error.status,
            );
        }

        const youch = new Youch();
        console.error(await youch.toANSI(error));

        return c.json(
            {
                error: "A server error occured",
                name: error.name,
                message: error.message,
            },
            500,
        );
    });

    return app;
};

export type App = Awaited<ReturnType<typeof appFactory>>;
test: :test_tube: Fix failing tests due to incorrect cwd resolving 2025-04-14 17:30:01 +02:00			`import { resolve } from "node:path";`
fix(api): :alien: Use new Scalar API 2025-04-16 16:40:47 +02:00			`import { Scalar } from "@scalar/hono-api-reference";`
refactor: :truck: Organize code into sub-packages, instead of a single large package 2025-06-15 04:38:20 +02:00			`import { config } from "@versia-server/config";`
refactor: :truck: Rename @versia/kit to @versia-server/kit 2025-06-15 23:50:34 +02:00			`import { ApiError } from "@versia-server/kit";`
refactor: :recycle: Rewrite logging logic into a unified package 2025-06-22 18:43:03 +02:00			`import { serverLogger } from "@versia-server/logging";`
feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00			`import chalk from "chalk";`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`import { Hono } from "hono";`
refactor(api): :recycle: Serve frontend from static files instead of proxying another process 2025-03-27 18:51:22 +01:00			`import { serveStatic } from "hono/bun";`
chore: :arrow_up: Upgrade dependencies 2024-12-18 20:42:40 +01:00			`import { cors } from "hono/cors";`
			`import { createMiddleware } from "hono/factory";`
			`import { prettyJSON } from "hono/pretty-json";`
			`import { secureHeaders } from "hono/secure-headers";`
chore: :arrow_up: Upgrade to Biome 2.0 2025-04-10 19:15:31 +02:00			`import { openAPISpecs } from "hono-openapi";`
feat(api): :technologist: Improve error quality with Youch 2025-03-27 19:08:38 +01:00			`import { Youch } from "youch";`
chore: :arrow_up: Upgrade to Biome 2.0 2025-04-10 19:15:31 +02:00			`import { applyToHono } from "@/bull-board.ts";`
feat(api): :sparkles: Add Swagger UI and OpenAPI endpoint 2024-08-27 18:09:15 +02:00			`import pkg from "~/package.json" with { type: "application/json" };`
refactor: :truck: Organize code into sub-packages, instead of a single large package 2025-06-15 04:38:20 +02:00			`import { PluginLoader } from "../../classes/plugin/loader.ts";`
			`import type { ApiRouteExports, HonoEnv } from "../../types/api.ts";`
refactor: :truck: Explicitely add extensions to all imports 2024-10-04 15:22:48 +02:00			`import { agentBans } from "./middlewares/agent-bans.ts";`
			`import { boundaryCheck } from "./middlewares/boundary-check.ts";`
			`import { ipBans } from "./middlewares/ip-bans.ts";`
			`import { logger } from "./middlewares/logger.ts";`
feat(api): :sparkles: Implement rate limiting 2025-03-27 20:12:00 +01:00			`import { rateLimit } from "./middlewares/rate-limit.ts";`
refactor: :truck: Explicitely add extensions to all imports 2024-10-04 15:22:48 +02:00			`import { routes } from "./routes.ts";`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`// Extends Zod with OpenAPI schema generation`
			`import "zod-openapi/extend";`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`export const appFactory = async (): Promise<Hono<HonoEnv>> => {`
			`const app = new Hono<HonoEnv>({`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`strict: false,`
			`});`

			`app.use(ipBans);`
			`app.use(agentBans);`
			`app.use(logger);`
			`app.use(boundaryCheck);`
feat: :sparkles: Add more utility middleware 2024-08-19 21:17:25 +02:00			`app.use(`
fix: :bug: Only apply security headers to /api/* 2024-08-19 21:26:13 +02:00			`"/api/*",`
feat: :sparkles: Add more utility middleware 2024-08-19 21:17:25 +02:00			`secureHeaders({`
			`contentSecurityPolicy: {`
			`// We will not be returning HTML, so everything should be blocked`
			`defaultSrc: ["'none'"],`
			`scriptSrc: ["'none'"],`
			`styleSrc: ["'none'"],`
			`imgSrc: ["'none'"],`
			`connectSrc: ["'none'"],`
			`fontSrc: ["'none'"],`
			`objectSrc: ["'none'"],`
			`mediaSrc: ["'none'"],`
			`frameSrc: ["'none'"],`
			`frameAncestors: ["'none'"],`
			`baseUri: ["'none'"],`
			`formAction: ["'none'"],`
			`childSrc: ["'none'"],`
			`workerSrc: ["'none'"],`
			`manifestSrc: ["'none'"],`
			`},`
			`referrerPolicy: "no-referrer",`
			`xFrameOptions: "DENY",`
			`xContentTypeOptions: "nosniff",`
			`crossOriginEmbedderPolicy: "require-corp",`
			`crossOriginOpenerPolicy: "same-origin",`
			`crossOriginResourcePolicy: "same-origin",`
			`}),`
			`);`
			`app.use(`
			`prettyJSON({`
			`space: 4,`
			`}),`
			`);`
			`app.use(`
			`cors({`
			`origin: "*",`
			`allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE"],`
			`credentials: true,`
			`}),`
			`);`
refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00			`app.use(`
			`createMiddleware<HonoEnv>(async (context, next) => {`
			`context.set("config", config);`

			`await next();`
			`}),`
			`);`

feat(api): :sparkles: Implement rate limiting 2025-03-27 20:12:00 +01:00			`// Set default ratelimits to 100 requests per minute`
			`app.use("/api/*", rateLimit(100));`
			`app.use("/api/v1/media", rateLimit(40));`
			`app.use("/api/v1/media/*", rateLimit(40));`
			`app.use("/api/v2/media", rateLimit(40));`
			`app.use("/api/v1/timelines/*", rateLimit(40));`
			`app.use("/api/v1/push/*", rateLimit(10));`

refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`// Disabled as federation now checks for this`
			`// app.use(urlCheck);`

			`// Inject own filesystem router`
			`for (const [, path] of Object.entries(routes)) {`
			`// use app.get(path, handler) to add routes`
			`const route: ApiRouteExports = await import(path);`

refactor(api): :fire: Remove all useless route metadata objects 2024-12-30 20:18:48 +01:00			`if (!route.default) {`
feat(api): :sparkles: Add initial Push Notifications support 2025-01-02 01:29:33 +01:00			`continue;`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`}`

			`route.default(app);`
			`}`

feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00			serverLogger.info`Loading plugins`;

refactor(plugin): :recycle: Move plugin loading to PluginLoader class 2024-11-10 13:08:26 +01:00			`const time1 = performance.now();`

feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00			`const loader = new PluginLoader();`

feat(plugin): :sparkles: Add override settings to plugin loading 2024-10-06 15:55:15 +02:00			`const plugins = await loader.loadPlugins(`
test: :test_tube: Fix failing tests due to incorrect cwd resolving 2025-04-14 17:30:01 +02:00			`resolve("./plugins"),`
refactor(config): :fire: Remove old oidc section in config 2024-10-11 17:03:33 +02:00			`config.plugins?.autoload ?? true,`
feat(plugin): :sparkles: Add override settings to plugin loading 2024-10-06 15:55:15 +02:00			`config.plugins?.overrides.enabled,`
			`config.plugins?.overrides.disabled,`
			`);`
feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00
refactor: :recycle: Rewrite logging logic into a unified package 2025-06-22 18:43:03 +02:00			`await PluginLoader.addToApp(plugins, app);`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00
refactor(plugin): :recycle: Move plugin loading to PluginLoader class 2024-11-10 13:08:26 +01:00			`const time2 = performance.now();`
feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00
refactor(plugin): :recycle: Move plugin loading to PluginLoader class 2024-11-10 13:08:26 +01:00			serverLogger.info`Plugins loaded in ${`${chalk.gray(
			`(time2 - time1).toFixed(2),`
			)}ms`}`;
refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`app.get(`
			`"/openapi.json",`
			`openAPISpecs(app, {`
			`documentation: {`
			`info: {`
			`title: "Versia Server API",`
			`version: pkg.version,`
			`license: {`
			`name: "AGPL-3.0",`
			`url: "https://www.gnu.org/licenses/agpl-3.0.html",`
			`},`
			`contact: pkg.author,`
			`},`
feat(api): :sparkles: Add Swagger UI and OpenAPI endpoint 2024-08-27 18:09:15 +02:00			`},`
refactor(api): :recycle: Move from @hono/zod-openapi to hono-openapi hono-openapi is easier to work with and generates better OpenAPI definitions 2025-03-29 03:30:06 +01:00			`}),`
			`);`

feat(api): :sparkles: Add OpenAPI visualizer 2025-03-24 15:25:40 +01:00			`app.get(`
			`"/docs",`
fix(api): :alien: Use new Scalar API 2025-04-16 16:40:47 +02:00			`Scalar({`
feat(api): :sparkles: Add OpenAPI visualizer 2025-03-24 15:25:40 +01:00			`theme: "deepSpace",`
			`hideClientButton: true,`
			`pageTitle: "Versia Server API",`
			`url: "/openapi.json",`
			`}),`
			`);`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`applyToHono(app);`
feat(api): :sparkles: Add Swagger UI and OpenAPI endpoint 2024-08-27 18:09:15 +02:00
fix: :fire: Remove Prometheus integration as it is causing issues 2024-08-19 21:53:39 +02:00			`app.options("*", (context) => {`
fix(api): :label: Use context.body for 204 responses 2024-12-30 16:18:28 +01:00			`return context.body(null, 204);`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`});`

refactor(api): :recycle: Serve frontend from static files instead of proxying another process 2025-03-27 18:51:22 +01:00			`app.all(`
			`"*",`
			`serveStatic({`
			`root: config.frontend.path,`
			`}),`
			`);`
			`// Fallback for SPAs, in case we've hit a route that is client-side`
			`app.all(`
			`"*",`
			`serveStatic({`
			`root: config.frontend.path,`
			`path: "index.html",`
			`}),`
			`);`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00
feat(api): :technologist: Improve error quality with Youch 2025-03-27 19:08:38 +01:00			`app.onError(async (error, c) => {`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`if (error instanceof ApiError) {`
			`return c.json(`
			`{`
			`error: error.message,`
			`details: error.details,`
			`},`
			`error.status,`
			`);`
			`}`

feat(api): :technologist: Improve error quality with Youch 2025-03-27 19:08:38 +01:00			`const youch = new Youch();`
			`console.error(await youch.toANSI(error));`

refactor: :recycle: Use native Hono return functions instead of custom ones 2024-08-19 21:03:59 +02:00			`return c.json(`
feat(api): :sparkles: Add global server error handler 2024-07-20 00:30:13 +02:00			`{`
			`error: "A server error occured",`
			`name: error.name,`
			`message: error.message,`
			`},`
			`500,`
			`);`
			`});`

refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`return app;`
			`};`
refactor: :arrow_up: Upgrade dependencies, use JSR for Hono 2024-07-11 12:56:28 +02:00
			`export type App = Awaited<ReturnType<typeof appFactory>>;`