diff --git a/app.ts b/app.ts
index d7975f8b..dca01d4a 100644
--- a/app.ts
+++ b/app.ts
@@ -1,6 +1,9 @@
 import { response } from "@/response";
 import { sentry } from "@/sentry";
 import { Hono } from "@hono/hono";
+import { cors } from "@hono/hono/cors";
+import { prettyJSON } from "@hono/hono/pretty-json";
+import { secureHeaders } from "@hono/hono/secure-headers";
 import { getLogger } from "@logtape/logtape";
 import { config } from "~/packages/config-manager/index";
 import { agentBans } from "./middlewares/agent-bans";
@@ -24,6 +27,47 @@ export const appFactory = async () => {
     app.use(bait);
     app.use(logger);
     app.use(boundaryCheck);
+    app.use(
+        secureHeaders({
+            contentSecurityPolicy: {
+                // We will not be returning HTML, so everything should be blocked
+                defaultSrc: ["'none'"],
+                scriptSrc: ["'none'"],
+                styleSrc: ["'none'"],
+                imgSrc: ["'none'"],
+                connectSrc: ["'none'"],
+                fontSrc: ["'none'"],
+                objectSrc: ["'none'"],
+                mediaSrc: ["'none'"],
+                frameSrc: ["'none'"],
+                frameAncestors: ["'none'"],
+                baseUri: ["'none'"],
+                formAction: ["'none'"],
+                childSrc: ["'none'"],
+                workerSrc: ["'none'"],
+                manifestSrc: ["'none'"],
+            },
+            referrerPolicy: "no-referrer",
+            xFrameOptions: "DENY",
+            xContentTypeOptions: "nosniff",
+            crossOriginEmbedderPolicy: "require-corp",
+            crossOriginOpenerPolicy: "same-origin",
+            crossOriginResourcePolicy: "same-origin",
+        }),
+    );
+    app.use(
+        prettyJSON({
+            space: 4,
+        }),
+    );
+    app.use(
+        cors({
+            origin: "*",
+            allowHeaders: ["Content-Type", "Authorization"],
+            allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE"],
+            credentials: true,
+        }),
+    );
 
     // Disabled as federation now checks for this
     // app.use(urlCheck);
diff --git a/server/api/objects/:id/index.ts b/server/api/objects/:id/index.ts
index c9f3ed0a..ab721d38 100644
--- a/server/api/objects/:id/index.ts
+++ b/server/api/objects/:id/index.ts
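Review bot: In the cors() call of the middleware hunk, `origin: "*"` together with `credentials: true` is a contradictory pair: browsers refuse to expose a response that carries both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true`, so the credentials flag does nothing today and becomes a liability the day someone replaces the wildcard with an origin-reflecting function, at which point any site could make cookie-bearing requests. This API authenticates with a bearer `Authorization` header (already listed in `allowHeaders`), which is not a CORS credential, so the fix is to delete `credentials: true,`; if cookie-based auth is ever needed, pair `credentials: true` with an explicit allowlist of origins instead. Separately, `crossOriginResourcePolicy: "same-origin"` in the secureHeaders() block makes browsers block cross-origin no-cors loads (such as `<img>`) of anything this app serves, which sits oddly next to a wildcard CORS policy; confirm that no media or other embeddable resource is served through this app, or relax it to `"cross-origin"`. appFactory's body continues outside the hunk.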
@@ -27,12 +27,6 @@ export const schemas = {
     param: z.object({
         id: z.string().uuid(),
     }),
-    query: z.object({
-        debug: z
-            .string()
-            .transform((v) => ["true", "1", "on"].includes(v.toLowerCase()))
-            .optional(),
-    }),
 };
 
 export default apiRoute((app) =>
@@ -40,10 +34,8 @@ export default apiRoute((app) =>
         meta.allowedMethods,
         meta.route,
         zValidator("param", schemas.param, handleZodError),
-        zValidator("query", schemas.query, handleZodError),
         async (context) => {
             const { id } = context.req.valid("param");
-            const { debug } = context.req.valid("query");
 
             let foundObject: Note | LikeType | null = null;
             let foundAuthor: User | null = null;
@@ -88,12 +80,6 @@ export default apiRoute((app) =>
                 );
             }
 
-            if (debug) {
-                return response(JSON.stringify(apiObject, null, 4), 200, {
-                    "Content-Type": "application/json",
-                });
-            }
-
             const objectString = JSON.stringify(apiObject);
 
             // If base_url uses https and request uses http, rewrite request to use https
diff --git a/server/api/users/:uuid/index.ts b/server/api/users/:uuid/index.ts
index 3ad4119b..467a0943 100644
--- a/server/api/users/:uuid/index.ts
+++ b/server/api/users/:uuid/index.ts
@@ -21,12 +21,6 @@ export const schemas = {
     param: z.object({
         uuid: z.string().uuid().or(z.literal("actor")),
     }),
-    query: z.object({
-        debug: z
-            .string()
-            .transform((v) => ["true", "1", "on"].includes(v.toLowerCase()))
-            .optional(),
-    }),
 };
 
 export default apiRoute((app) =>
@@ -34,10 +28,8 @@ export default apiRoute((app) =>
         meta.allowedMethods,
         meta.route,
         zValidator("param", schemas.param, handleZodError),
-        zValidator("query", schemas.query, handleZodError),
         async (context) => {
             const { uuid } = context.req.valid("param");
-            const { debug } = context.req.valid("query");
 
             const user =
                 uuid === "actor"
@@ -55,12 +47,6 @@ export default apiRoute((app) =>
                 );
             }
 
-            if (debug) {
-                return response(JSON.stringify(user.toVersia(), null, 4), 200, {
-                    "Content-Type": "application/json",
-                });
-            }
-
             // Try to detect a web browser and redirect to the user's profile page
             if (
                 context.req.header("user-agent")?.includes("Mozilla") &&