server/app.ts

import { join } from "node:path";
import { handleZodError } from "@/api";
import { applyToHono } from "@/bull-board.ts";
import { configureLoggers } from "@/loggers";
import { sentry } from "@/sentry";
import { swaggerUI } from "@hono/swagger-ui";
import { OpenAPIHono } from "@hono/zod-openapi";
/* import { prometheus } from "@hono/prometheus"; */
import { getLogger } from "@logtape/logtape";
import { inspect } from "bun";
import chalk from "chalk";
import { cors } from "hono/cors";
import { createMiddleware } from "hono/factory";
import { prettyJSON } from "hono/pretty-json";
import { secureHeaders } from "hono/secure-headers";
import { config } from "~/config.ts";
import pkg from "~/package.json" with { type: "application/json" };
import { ApiError } from "./classes/errors/api-error.ts";
import { PluginLoader } from "./classes/plugin/loader.ts";
import { agentBans } from "./middlewares/agent-bans.ts";
import { boundaryCheck } from "./middlewares/boundary-check.ts";
import { ipBans } from "./middlewares/ip-bans.ts";
import { logger } from "./middlewares/logger.ts";
import { routes } from "./routes.ts";
import type { ApiRouteExports, HonoEnv } from "./types/api.ts";

export const appFactory = async (): Promise<OpenAPIHono<HonoEnv>> => {
    await configureLoggers();
    const serverLogger = getLogger("server");

    const app = new OpenAPIHono<HonoEnv>({
        strict: false,
        defaultHook: handleZodError,
    });

    app.use(ipBans);
    app.use(agentBans);
    app.use(logger);
    app.use(boundaryCheck);
    app.use(
        "/api/*",
        secureHeaders({
            contentSecurityPolicy: {
                // We will not be returning HTML, so everything should be blocked
                defaultSrc: ["'none'"],
                scriptSrc: ["'none'"],
                styleSrc: ["'none'"],
                imgSrc: ["'none'"],
                connectSrc: ["'none'"],
                fontSrc: ["'none'"],
                objectSrc: ["'none'"],
                mediaSrc: ["'none'"],
                frameSrc: ["'none'"],
                frameAncestors: ["'none'"],
                baseUri: ["'none'"],
                formAction: ["'none'"],
                childSrc: ["'none'"],
                workerSrc: ["'none'"],
                manifestSrc: ["'none'"],
            },
            referrerPolicy: "no-referrer",
            xFrameOptions: "DENY",
            xContentTypeOptions: "nosniff",
            crossOriginEmbedderPolicy: "require-corp",
            crossOriginOpenerPolicy: "same-origin",
            crossOriginResourcePolicy: "same-origin",
        }),
    );
    app.use(
        prettyJSON({
            space: 4,
        }),
    );
    app.use(
        cors({
            origin: "*",
            allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE"],
            credentials: true,
        }),
    );
    app.use(
        createMiddleware<HonoEnv>(async (context, next) => {
            context.set("config", config);

            await next();
        }),
    );

    /* app.use("*", registerMetrics);
    app.get("/metrics", printMetrics); */
    // Disabled as federation now checks for this
    // app.use(urlCheck);

    // Inject own filesystem router
    for (const [, path] of Object.entries(routes)) {
        // use app.get(path, handler) to add routes
        const route: ApiRouteExports = await import(path);

        if (!route.default) {
            continue;
        }

        route.default(app);
    }

    serverLogger.info`Loading plugins`;

    const time1 = performance.now();

    const loader = new PluginLoader();

    const plugins = await loader.loadPlugins(
        join(process.cwd(), "plugins"),
        config.plugins?.autoload ?? true,
        config.plugins?.overrides.enabled,
        config.plugins?.overrides.disabled,
    );

    await PluginLoader.addToApp(plugins, app, serverLogger);

    const time2 = performance.now();

    serverLogger.info`Plugins loaded in ${`${chalk.gray(
        (time2 - time1).toFixed(2),
    )}ms`}`;

    app.doc31("/openapi.json", {
        openapi: "3.1.0",
        info: {
            title: "Versia Server API",
            version: pkg.version,
            license: {
                name: "AGPL-3.0",
                url: "https://www.gnu.org/licenses/agpl-3.0.html",
            },
            contact: pkg.author,
        },
    });
    app.doc("/openapi.3.0.0.json", {
        openapi: "3.0.0",
        info: {
            title: "Versia Server API",
            version: pkg.version,
            license: {
                name: "AGPL-3.0",
                url: "https://www.gnu.org/licenses/agpl-3.0.html",
            },
            contact: pkg.author,
        },
    });
    app.get("/docs", swaggerUI({ url: "/openapi.json" }));
    applyToHono(app);

    app.options("*", (context) => {
        return context.body(null, 204);
    });

    app.all("*", async (context) => {
        const replacedUrl = new URL(
            new URL(context.req.url).pathname,
            config.frontend.url,
        ).toString();

        serverLogger.debug`Proxying ${replacedUrl}`;

        const proxy = await fetch(replacedUrl, {
            headers: {
                // Include for SSR
                "X-Forwarded-Host": `${config.http.bind}:${config.http.bind_port}`,
                "Accept-Encoding": "identity",
            },
            redirect: "manual",
        }).catch((e) => {
            serverLogger.error`${e}`;
            sentry?.captureException(e);
            serverLogger.error`The Frontend is not running or the route is not found: ${replacedUrl}`;
            return null;
        });

        proxy?.headers.set("Cache-Control", "max-age=31536000");

        if (!proxy || proxy.status === 404) {
            throw new ApiError(
                404,
                "Route not found on proxy or API route. Are you using the correct HTTP method?",
            );
        }

        // Disable CSP upgrade-insecure-requests if an .onion domain is used
        if (new URL(context.req.url).hostname.endsWith(".onion")) {
            proxy.headers.set(
                "Content-Security-Policy",
                proxy.headers
                    .get("Content-Security-Policy")
                    ?.replace("upgrade-insecure-requests;", "") ?? "",
            );
        }

        return proxy;
    });

    app.onError((error, c) => {
        if (error instanceof ApiError) {
            return c.json(
                {
                    error: error.message,
                    details: error.details,
                },
                error.status,
            );
        }

        serverLogger.error`${error}`;
        serverLogger.error`${inspect(error)}`;
        sentry?.captureException(error);
        return c.json(
            {
                error: "A server error occured",
                name: error.name,
                message: error.message,
            },
            500,
        );
    });

    return app;
};

export type App = Awaited<ReturnType<typeof appFactory>>;
feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00			`import { join } from "node:path";`
style: :rotating_light: Run Biome 2024-08-27 18:56:20 +02:00			`import { handleZodError } from "@/api";`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`import { applyToHono } from "@/bull-board.ts";`
fix(api): :bug: Fix incorrect test case 2024-09-24 17:03:27 +02:00			`import { configureLoggers } from "@/loggers";`
feat: :sparkles: Add Sentry support 2024-07-24 18:10:29 +02:00			`import { sentry } from "@/sentry";`
refactor(api): :recycle: Refactor more routes into OpenAPI-compatible formats 2024-08-27 18:55:02 +02:00			`import { swaggerUI } from "@hono/swagger-ui";`
refactor(api): :recycle: Use OpenAPIHono instead of Hono in preparation for future changes 2024-08-27 16:40:11 +02:00			`import { OpenAPIHono } from "@hono/zod-openapi";`
fix(api): :bug: Fix incorrect test case 2024-09-24 17:03:27 +02:00			`/* import { prometheus } from "@hono/prometheus"; */`
			`import { getLogger } from "@logtape/logtape";`
chore: :arrow_up: Upgrade dependencies 2025-03-16 17:01:07 +01:00			`import { inspect } from "bun";`
feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00			`import chalk from "chalk";`
chore: :arrow_up: Upgrade dependencies 2024-12-18 20:42:40 +01:00			`import { cors } from "hono/cors";`
			`import { createMiddleware } from "hono/factory";`
			`import { prettyJSON } from "hono/pretty-json";`
			`import { secureHeaders } from "hono/secure-headers";`
refactor(config): :recycle: Redo config structure from scratch, simplify validation code, improve checks, add support for loading sensitive data from paths 2025-02-15 02:47:29 +01:00			`import { config } from "~/config.ts";`
feat(api): :sparkles: Add Swagger UI and OpenAPI endpoint 2024-08-27 18:09:15 +02:00			`import pkg from "~/package.json" with { type: "application/json" };`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`import { ApiError } from "./classes/errors/api-error.ts";`
refactor: :truck: Explicitely add extensions to all imports 2024-10-04 15:22:48 +02:00			`import { PluginLoader } from "./classes/plugin/loader.ts";`
			`import { agentBans } from "./middlewares/agent-bans.ts";`
			`import { boundaryCheck } from "./middlewares/boundary-check.ts";`
			`import { ipBans } from "./middlewares/ip-bans.ts";`
			`import { logger } from "./middlewares/logger.ts";`
			`import { routes } from "./routes.ts";`
			`import type { ApiRouteExports, HonoEnv } from "./types/api.ts";`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00
refactor: :recycle: Always use explicit types in every function 2024-11-02 00:43:33 +01:00			`export const appFactory = async (): Promise<OpenAPIHono<HonoEnv>> => {`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00			`await configureLoggers();`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`const serverLogger = getLogger("server");`

refactor(api): :truck: Refactor authentication middleware and implement some OpenAPI routes 2024-08-27 17:20:36 +02:00			`const app = new OpenAPIHono<HonoEnv>({`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`strict: false,`
refactor(api): :recycle: Refactor more routes into OpenAPI-compatible formats 2024-08-27 18:55:02 +02:00			`defaultHook: handleZodError,`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`});`

			`app.use(ipBans);`
			`app.use(agentBans);`
			`app.use(logger);`
			`app.use(boundaryCheck);`
feat: :sparkles: Add more utility middleware 2024-08-19 21:17:25 +02:00			`app.use(`
fix: :bug: Only apply security headers to /api/* 2024-08-19 21:26:13 +02:00			`"/api/*",`
feat: :sparkles: Add more utility middleware 2024-08-19 21:17:25 +02:00			`secureHeaders({`
			`contentSecurityPolicy: {`
			`// We will not be returning HTML, so everything should be blocked`
			`defaultSrc: ["'none'"],`
			`scriptSrc: ["'none'"],`
			`styleSrc: ["'none'"],`
			`imgSrc: ["'none'"],`
			`connectSrc: ["'none'"],`
			`fontSrc: ["'none'"],`
			`objectSrc: ["'none'"],`
			`mediaSrc: ["'none'"],`
			`frameSrc: ["'none'"],`
			`frameAncestors: ["'none'"],`
			`baseUri: ["'none'"],`
			`formAction: ["'none'"],`
			`childSrc: ["'none'"],`
			`workerSrc: ["'none'"],`
			`manifestSrc: ["'none'"],`
			`},`
			`referrerPolicy: "no-referrer",`
			`xFrameOptions: "DENY",`
			`xContentTypeOptions: "nosniff",`
			`crossOriginEmbedderPolicy: "require-corp",`
			`crossOriginOpenerPolicy: "same-origin",`
			`crossOriginResourcePolicy: "same-origin",`
			`}),`
			`);`
			`app.use(`
			`prettyJSON({`
			`space: 4,`
			`}),`
			`);`
			`app.use(`
			`cors({`
			`origin: "*",`
			`allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE"],`
			`credentials: true,`
			`}),`
			`);`
refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00			`app.use(`
			`createMiddleware<HonoEnv>(async (context, next) => {`
			`context.set("config", config);`

			`await next();`
			`}),`
			`);`

fix: :fire: Remove Prometheus integration as it is causing issues 2024-08-19 21:53:39 +02:00			`/* app.use("*", registerMetrics);`
			`app.get("/metrics", printMetrics); */`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`// Disabled as federation now checks for this`
			`// app.use(urlCheck);`

			`// Inject own filesystem router`
			`for (const [, path] of Object.entries(routes)) {`
			`// use app.get(path, handler) to add routes`
			`const route: ApiRouteExports = await import(path);`

refactor(api): :fire: Remove all useless route metadata objects 2024-12-30 20:18:48 +01:00			`if (!route.default) {`
feat(api): :sparkles: Add initial Push Notifications support 2025-01-02 01:29:33 +01:00			`continue;`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`}`

			`route.default(app);`
			`}`

feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00			serverLogger.info`Loading plugins`;

refactor(plugin): :recycle: Move plugin loading to PluginLoader class 2024-11-10 13:08:26 +01:00			`const time1 = performance.now();`

feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00			`const loader = new PluginLoader();`

feat(plugin): :sparkles: Add override settings to plugin loading 2024-10-06 15:55:15 +02:00			`const plugins = await loader.loadPlugins(`
			`join(process.cwd(), "plugins"),`
refactor(config): :fire: Remove old oidc section in config 2024-10-11 17:03:33 +02:00			`config.plugins?.autoload ?? true,`
feat(plugin): :sparkles: Add override settings to plugin loading 2024-10-06 15:55:15 +02:00			`config.plugins?.overrides.enabled,`
			`config.plugins?.overrides.disabled,`
			`);`
feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00
refactor(plugin): :recycle: Move plugin loading to PluginLoader class 2024-11-10 13:08:26 +01:00			`await PluginLoader.addToApp(plugins, app, serverLogger);`
refactor(api): :recycle: Move /api/v1/sso to OpenID plugin 2024-09-24 14:42:39 +02:00
refactor(plugin): :recycle: Move plugin loading to PluginLoader class 2024-11-10 13:08:26 +01:00			`const time2 = performance.now();`
feat(plugin): :sparkles: Add dynamic plugin and manifest loader 2024-09-23 11:51:15 +02:00
refactor(plugin): :recycle: Move plugin loading to PluginLoader class 2024-11-10 13:08:26 +01:00			serverLogger.info`Plugins loaded in ${`${chalk.gray(
			`(time2 - time1).toFixed(2),`
			)}ms`}`;
refactor(plugin): :recycle: Move parts of OpenID logic to plugin 2024-08-29 20:32:04 +02:00
feat(api): :sparkles: Add Swagger UI and OpenAPI endpoint 2024-08-27 18:09:15 +02:00			`app.doc31("/openapi.json", {`
			`openapi: "3.1.0",`
			`info: {`
			`title: "Versia Server API",`
			`version: pkg.version,`
			`license: {`
			`name: "AGPL-3.0",`
			`url: "https://www.gnu.org/licenses/agpl-3.0.html",`
			`},`
			`contact: pkg.author,`
			`},`
			`});`
			`app.doc("/openapi.3.0.0.json", {`
			`openapi: "3.0.0",`
			`info: {`
			`title: "Versia Server API",`
			`version: pkg.version,`
			`license: {`
			`name: "AGPL-3.0",`
			`url: "https://www.gnu.org/licenses/agpl-3.0.html",`
			`},`
			`contact: pkg.author,`
			`},`
			`});`
			`app.get("/docs", swaggerUI({ url: "/openapi.json" }));`
feat(federation): :sparkles: Add UI to view BullMQ metadata 2024-11-25 13:09:28 +01:00			`applyToHono(app);`
feat(api): :sparkles: Add Swagger UI and OpenAPI endpoint 2024-08-27 18:09:15 +02:00
fix: :fire: Remove Prometheus integration as it is causing issues 2024-08-19 21:53:39 +02:00			`app.options("*", (context) => {`
fix(api): :label: Use context.body for 204 responses 2024-12-30 16:18:28 +01:00			`return context.body(null, 204);`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`});`

			`app.all("*", async (context) => {`
			`const replacedUrl = new URL(`
			`new URL(context.req.url).pathname,`
			`config.frontend.url,`
			`).toString();`

			serverLogger.debug`Proxying ${replacedUrl}`;

			`const proxy = await fetch(replacedUrl, {`
			`headers: {`
			`// Include for SSR`
			"X-Forwarded-Host": `${config.http.bind}:${config.http.bind_port}`,
			`"Accept-Encoding": "identity",`
			`},`
			`redirect: "manual",`
			`}).catch((e) => {`
			serverLogger.error`${e}`;
feat(api): :sparkles: Add more Sentry logging 2024-07-24 19:04:00 +02:00			`sentry?.captureException(e);`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			serverLogger.error`The Frontend is not running or the route is not found: ${replacedUrl}`;
			`return null;`
			`});`

			`proxy?.headers.set("Cache-Control", "max-age=31536000");`

			`if (!proxy \|\| proxy.status === 404) {`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`throw new ApiError(`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`404,`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`"Route not found on proxy or API route. Are you using the correct HTTP method?",`
refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`);`
			`}`

			`// Disable CSP upgrade-insecure-requests if an .onion domain is used`
			`if (new URL(context.req.url).hostname.endsWith(".onion")) {`
			`proxy.headers.set(`
			`"Content-Security-Policy",`
			`proxy.headers`
			`.get("Content-Security-Policy")`
			`?.replace("upgrade-insecure-requests;", "") ?? "",`
			`);`
			`}`

			`return proxy;`
			`});`

refactor: :recycle: Use native Hono return functions instead of custom ones 2024-08-19 21:03:59 +02:00			`app.onError((error, c) => {`
refactor(api): :recycle: Throw ApiError instead of returning error JSON 2024-12-30 18:00:23 +01:00			`if (error instanceof ApiError) {`
			`return c.json(`
			`{`
			`error: error.message,`
			`details: error.details,`
			`},`
			`error.status,`
			`);`
			`}`

feat(api): :sparkles: Log all server errors in logs 2024-07-24 17:19:23 +02:00			serverLogger.error`${error}`;
chore: :arrow_up: Upgrade dependencies 2025-03-16 17:01:07 +01:00			serverLogger.error`${inspect(error)}`;
feat: :sparkles: Add Sentry support 2024-07-24 18:10:29 +02:00			`sentry?.captureException(error);`
refactor: :recycle: Use native Hono return functions instead of custom ones 2024-08-19 21:03:59 +02:00			`return c.json(`
feat(api): :sparkles: Add global server error handler 2024-07-20 00:30:13 +02:00			`{`
			`error: "A server error occured",`
			`name: error.name,`
			`message: error.message,`
			`},`
			`500,`
			`);`
			`});`

refactor(api): :recycle: Use Web Workers instead of spawning the same process once for each thread 2024-06-27 02:44:08 +02:00			`return app;`
			`};`
refactor: :arrow_up: Upgrade dependencies, use JSR for Hono 2024-07-11 12:56:28 +02:00
			`export type App = Awaited<ReturnType<typeof appFactory>>;`