2016-07-18 21:35:02 -04:00
"use strict";
2014-08-14 09:35:37 -07:00
var _ = require("lodash");
2016-06-12 02:44:28 +01:00
var pkg = require("../package.json");
2014-08-14 09:35:37 -07:00
var Client = require("./client");
var ClientManager = require("./clientManager");
2014-09-26 15:12:53 -07:00
var express = require("express");
2017-04-20 11:17:25 +01:00
var expressHandlebars = require("express-handlebars");
2014-08-14 09:35:37 -07:00
var fs = require("fs");
2017-04-20 11:17:25 +01:00
var path = require("path");
2014-08-14 09:35:37 -07:00
var io = require("socket.io");
2016-04-03 01:12:49 -04:00
var dns = require("dns");
2014-09-13 14:23:17 +02:00
var Helper = require("./helper");
2016-11-18 19:25:23 +02:00
var colors = require("colors/safe");
2017-06-11 22:33:04 +03:00
const net = require("net");
2016-12-17 11:51:33 +02:00
const Identification = require("./identification");
2017-06-22 22:09:55 +01:00
const themes = require("./plugins/themes");
2014-08-14 09:35:37 -07:00
2017-09-01 11:44:53 +02:00
// The order defined the priority: the first available plugin is used
// ALways keep local auth in the end, which should always be enabled.
const authPlugins = [
2017-08-28 12:18:31 +03:00
// A random number that will force clients to reload the page if it differs
const serverHash = Math.floor(Date.now() * Math.random());
2016-04-26 16:41:08 -04:00
var manager = null;
2014-08-14 09:35:37 -07:00
2016-06-08 12:26:24 +03:00
module.exports = function() {
2016-12-17 11:51:33 +02:00
log.info(`The Lounge ${colors.green(Helper.getVersion())} \
(node ${colors.green(process.versions.node)} on ${colors.green(process.platform)} ${process.arch})`);
log.info(`Configuration file: ${colors.green(Helper.CONFIG_PATH)}`);
2014-08-14 09:35:37 -07:00
2017-10-03 13:52:31 +03:00
if (!fs.existsSync("public/js/bundle.js")) {
2017-01-07 19:05:42 -05:00
log.error(`The client application was not built. Run ${colors.bold("NODE_ENV=production npm run build")} to resolve this.`);
2014-09-26 15:12:53 -07:00
var app = express()
2016-05-01 20:27:10 +03:00
2014-08-14 09:35:37 -07:00
2017-10-03 13:52:31 +03:00
2017-07-06 18:33:09 +03:00
.use("/storage/", express.static(Helper.getStoragePath(), {
redirect: false,
maxAge: 86400 * 1000,
2017-06-01 22:43:23 +03:00
.engine("html", expressHandlebars({
extname: ".html",
helpers: {
2017-04-08 15:34:31 +03:00
tojson: (c) => JSON.stringify(c)
2017-06-01 22:43:23 +03:00
2017-04-20 11:17:25 +01:00
.set("view engine", "html")
2017-10-03 13:52:31 +03:00
.set("views", path.join(__dirname, "..", "public"));
2014-11-01 22:06:01 +02:00
2017-06-22 22:09:55 +01:00
app.get("/themes/:theme.css", (req, res) => {
const themeName = req.params.theme;
const theme = themes.getFilename(themeName);
if (theme === undefined) {
return res.status(404).send("Not found");
return res.sendFile(theme);
2016-06-08 12:26:24 +03:00
var config = Helper.config;
2014-09-26 16:26:21 -07:00
var server = null;
2016-07-29 21:20:38 -04:00
if (config.public && (config.ldap || {}).enable) {
2016-08-10 02:14:09 -04:00
log.warn("Server is public and set to use LDAP. Set to private mode if trying to use LDAP authentication.");
2016-07-29 21:20:38 -04:00
2016-06-08 12:26:24 +03:00
if (!config.https.enable) {
2014-09-26 16:26:21 -07:00
server = require("http");
2016-12-17 11:51:33 +02:00
server = server.createServer(app);
2014-09-26 16:26:21 -07:00
} else {
2016-10-05 00:35:04 +02:00
const keyPath = Helper.expandHome(config.https.key);
const certPath = Helper.expandHome(config.https.certificate);
2017-04-10 18:49:58 +00:00
const caPath = Helper.expandHome(config.https.ca);
2017-04-14 00:05:28 +03:00
if (!keyPath.length || !fs.existsSync(keyPath)) {
2016-10-05 00:35:04 +02:00
log.error("Path to SSL key is invalid. Stopping server...");
2017-04-14 00:05:28 +03:00
if (!certPath.length || !fs.existsSync(certPath)) {
2016-10-05 00:35:04 +02:00
log.error("Path to SSL certificate is invalid. Stopping server...");
2017-04-14 00:05:28 +03:00
2017-04-10 18:49:58 +00:00
if (caPath.length && !fs.existsSync(caPath)) {
log.error("Path to SSL ca bundle is invalid. Stopping server...");
2017-04-14 00:05:28 +03:00
server = require("spdy");
2014-09-26 16:26:21 -07:00
server = server.createServer({
2016-10-05 00:35:04 +02:00
key: fs.readFileSync(keyPath),
2017-04-10 18:49:58 +00:00
cert: fs.readFileSync(certPath),
ca: caPath ? fs.readFileSync(caPath) : undefined
2016-12-17 11:51:33 +02:00
}, app);
2014-09-26 16:26:21 -07:00
2017-08-31 21:56:20 +03:00
let listenParams;
if (typeof config.host === "string" && config.host.startsWith("unix:")) {
listenParams = config.host.replace(/^unix:/, "");
} else {
listenParams = {
port: config.port,
host: config.host,
2017-09-03 15:13:56 +03:00
server.on("error", (err) => log.error(`${err}`));
2017-08-31 21:56:20 +03:00
server.listen(listenParams, () => {
if (typeof listenParams === "string") {
log.info("Available on socket " + colors.green(listenParams));
} else {
const protocol = config.https.enable ? "https" : "http";
const address = server.address();
"Available at " +
colors.green(`${protocol}://${address.address}:${address.port}/`) +
` in ${colors.bold(config.public ? "public" : "private")} mode`
2017-08-23 01:19:50 -04:00
const sockets = io(server, {
serveClient: false,
transports: config.transports
sockets.on("connect", (socket) => {
if (config.public) {
performAuthentication.call(socket, {});
} else {
2017-08-28 12:18:31 +03:00
socket.emit("auth", {
serverHash: serverHash,
success: true,
2017-08-23 01:19:50 -04:00
socket.on("auth", performAuthentication);
2014-08-14 09:35:37 -07:00
2017-08-23 01:19:50 -04:00
manager = new ClientManager();
2016-12-07 00:50:11 -05:00
2017-08-23 01:19:50 -04:00
new Identification((identHandler) => {
manager.init(identHandler, sockets);
2017-08-30 20:26:45 +03:00
// Handle ctrl+c and kill gracefully
let suicideTimeout = null;
const exitGracefully = function() {
if (suicideTimeout !== null) {
// Forcefully exit after 3 seconds
suicideTimeout = setTimeout(() => process.exit(1), 3000);
// Close all client and IRC connections
manager.clients.forEach((client) => client.quit());
// Close http server
server.close(() => {
process.on("SIGINT", exitGracefully);
process.on("SIGTERM", exitGracefully);
2016-12-17 11:51:33 +02:00
2017-10-06 12:53:08 +03:00
return server;
2014-08-14 09:35:37 -07:00
2017-10-12 10:57:25 +03:00
function getClientIp(socket) {
let ip = socket.handshake.address;
2016-07-30 20:54:09 -04:00
2017-06-11 22:33:04 +03:00
if (Helper.config.reverseProxy) {
2017-10-12 10:57:25 +03:00
const forwarded = (socket.request.headers["x-forwarded-for"] || "").split(/\s*,\s*/).filter(Boolean);
2017-06-11 22:33:04 +03:00
if (forwarded.length && net.isIP(forwarded[0])) {
ip = forwarded[0];
2016-04-03 01:12:49 -04:00
2016-07-30 20:54:09 -04:00
return ip.replace(/^::ffff:/, "");
2016-04-03 01:12:49 -04:00
2016-05-01 20:27:10 +03:00
function allRequests(req, res, next) {
res.setHeader("X-Content-Type-Options", "nosniff");
return next();
2014-08-14 09:35:37 -07:00
function index(req, res, next) {
2016-05-01 12:41:17 +03:00
if (req.url.split("?")[0] !== "/") {
return next();
2017-04-20 11:17:25 +01:00
var data = _.merge(
data.gitCommit = Helper.getGitCommit();
2017-06-22 22:09:55 +01:00
data.themes = themes.getAll();
2017-07-06 18:33:09 +03:00
const policies = [
"default-src *",
"connect-src 'self' ws: wss:",
"style-src * 'unsafe-inline'",
"script-src 'self'",
"child-src 'self'",
"object-src 'none'",
"form-action 'none'",
// If prefetch is enabled, but storage is not, we have to allow mixed content
if (Helper.config.prefetchStorage || !Helper.config.prefetch) {
policies.push("img-src 'self'");
res.setHeader("Content-Security-Policy", policies.join("; "));
2017-04-20 11:17:25 +01:00
res.setHeader("Referrer-Policy", "no-referrer");
res.render("index", data);
2014-08-14 09:35:37 -07:00
2017-08-28 23:14:01 +03:00
function initializeClient(socket, client, token, lastMessage) {
2017-08-13 21:37:12 +03:00
2016-09-25 09:52:16 +03:00
2017-10-17 12:45:18 +03:00
client.clientAttach(socket.id, token);
2017-08-13 21:37:12 +03:00
socket.on("disconnect", function() {
2016-11-19 22:34:05 +02:00
2017-08-13 21:37:12 +03:00
function(data) {
2016-09-25 09:41:10 +03:00
2017-08-13 21:37:12 +03:00
function(data) {
function(data) {
// prevent people from overriding webirc settings
data.ip = null;
data.hostname = null;
if (!Helper.config.public && !Helper.config.ldap.enable) {
2014-08-14 09:35:37 -07:00
2017-08-13 21:37:12 +03:00
2014-08-14 09:35:37 -07:00
function(data) {
2017-08-13 21:37:12 +03:00
var old = data.old_password;
var p1 = data.new_password;
var p2 = data.verify_password;
if (typeof p1 === "undefined" || p1 === "") {
socket.emit("change-password", {
error: "Please enter a new password"
if (p1 !== p2) {
socket.emit("change-password", {
error: "Both new password fields must match"
2016-06-01 00:28:31 +03:00
2017-08-13 21:37:12 +03:00
.compare(old || "", client.config.password)
.then((matching) => {
if (!matching) {
socket.emit("change-password", {
error: "The current password field does not match your account password"
const hash = Helper.password.hash(p1);
2017-03-23 08:47:51 +01:00
2017-08-13 21:37:12 +03:00
client.setPassword(hash, (success) => {
const obj = {};
2017-03-23 08:47:51 +01:00
2017-08-13 21:37:12 +03:00
if (success) {
obj.success = "Successfully updated your password";
} else {
obj.error = "Failed to update your password";
2017-03-23 08:47:51 +01:00
2017-08-13 21:37:12 +03:00
socket.emit("change-password", obj);
2017-03-23 08:47:51 +01:00
2017-08-13 21:37:12 +03:00
}).catch((error) => {
log.error(`Error while checking users password. Error: ${error}`);
2016-02-16 21:29:44 -05:00
2017-08-13 21:37:12 +03:00
2017-07-24 02:01:25 -04:00
2017-08-13 21:37:12 +03:00
function(data) {
client.open(socket.id, data);
2017-07-24 02:01:25 -04:00
2017-08-13 21:37:12 +03:00
function(data) {
2017-07-24 02:01:25 -04:00
2017-08-13 21:37:12 +03:00
function(data) {
socket.on("msg:preview:toggle", function(data) {
const networkAndChan = client.find(data.target);
if (!networkAndChan) {
const message = networkAndChan.chan.findMessage(data.msgId);
if (!message) {
const preview = message.findPreview(data.link);
if (preview) {
preview.shown = data.shown;
2017-07-24 02:01:25 -04:00
2017-07-10 22:47:03 +03:00
socket.on("push:register", (subscription) => {
if (!client.isRegistered() || !client.config.sessions[token]) {
const registration = client.registerPushSubscription(client.config.sessions[token], subscription);
if (registration) {
client.manager.webPush.pushSingle(client, registration, {
type: "notification",
timestamp: Date.now(),
title: "The Lounge",
body: "🚀 Push notifications have been enabled"
socket.on("push:unregister", () => {
if (!client.isRegistered()) {
2017-08-15 12:44:29 +03:00
const sendSessionList = () => {
const sessions = _.map(client.config.sessions, (session, sessionToken) => ({
current: sessionToken === token,
active: _.find(client.attachedClients, (u) => u.token === sessionToken) !== undefined,
lastUse: session.lastUse,
ip: session.ip,
agent: session.agent,
token: sessionToken, // TODO: Ideally don't expose actual tokens to the client
socket.emit("sessions:list", sessions);
socket.on("sessions:get", sendSessionList);
socket.on("sign-out", (tokenToSignOut) => {
// If no token provided, sign same client out
if (!tokenToSignOut) {
tokenToSignOut = token;
if (!(tokenToSignOut in client.config.sessions)) {
delete client.config.sessions[tokenToSignOut];
2017-07-24 02:01:25 -04:00
2017-08-13 21:37:12 +03:00
client.manager.updateUser(client.name, {
sessions: client.config.sessions
2017-07-24 02:01:25 -04:00
2017-08-15 12:44:29 +03:00
_.map(client.attachedClients, (attachedClient, socketId) => {
if (attachedClient.token !== tokenToSignOut) {
const socketToRemove = manager.sockets.of("/").connected[socketId];
// Do not send updated session list if user simply logs out
if (tokenToSignOut !== token) {
2017-08-13 21:37:12 +03:00
const sendInitEvent = (tokenToSend) => {
2017-08-28 23:14:01 +03:00
let networks = client.networks;
if (lastMessage > -1) {
// We need a deep cloned object because we are going to remove unneeded messages
networks = _.cloneDeep(networks);
networks.forEach((network) => {
network.channels.forEach((channel) => {
channel.messages = channel.messages.filter((m) => m.id > lastMessage);
2017-08-13 21:37:12 +03:00
socket.emit("init", {
2017-07-10 22:47:03 +03:00
applicationServerKey: manager.webPush.vapidKeys.publicKey,
pushSubscription: client.config.sessions[token],
2017-08-13 21:37:12 +03:00
active: client.lastActiveChannel,
2017-08-28 23:14:01 +03:00
networks: networks,
2017-08-13 21:37:12 +03:00
token: tokenToSend
2017-08-26 12:37:56 -04:00
if (!Helper.config.public && token === null) {
2017-08-13 21:37:12 +03:00
client.generateToken((newToken) => {
2017-10-17 12:45:18 +03:00
client.attachedClients[socket.id].token = token = newToken;
2017-08-13 21:37:12 +03:00
2017-10-12 10:57:25 +03:00
client.updateSession(token, getClientIp(socket), socket.request);
2017-06-21 10:58:29 +03:00
2017-08-13 21:37:12 +03:00
2014-08-14 09:35:37 -07:00
2017-08-13 21:37:12 +03:00
} else {
2014-08-14 09:35:37 -07:00
2017-08-13 21:37:12 +03:00
function performAuthentication(data) {
2017-06-21 10:58:29 +03:00
const socket = this;
let client;
2017-08-28 23:14:01 +03:00
const finalInit = () => initializeClient(socket, client, data.token || null, data.lastMessage || -1);
2017-08-13 21:37:12 +03:00
2017-06-21 10:58:29 +03:00
const initClient = () => {
2017-10-12 10:57:25 +03:00
client.ip = getClientIp(socket);
2017-08-13 21:37:12 +03:00
// If webirc is enabled perform reverse dns lookup
if (Helper.config.webirc === null) {
return finalInit();
2017-06-21 10:58:29 +03:00
2017-08-13 21:37:12 +03:00
reverseDnsLookup(client.ip, (hostname) => {
client.hostname = hostname;
2017-06-21 10:58:29 +03:00
2016-06-08 12:26:24 +03:00
if (Helper.config.public) {
2016-07-29 21:20:38 -04:00
client = new Client(manager);
2014-08-14 09:35:37 -07:00
2017-06-21 10:58:29 +03:00
2014-08-14 09:35:37 -07:00
socket.on("disconnect", function() {
manager.clients = _.without(manager.clients, client);
2017-06-21 10:58:29 +03:00
const authCallback = (success) => {
// Authorization failed
if (!success) {
socket.emit("auth", {success: false});
2016-04-03 01:12:49 -04:00
2016-07-29 21:20:38 -04:00
2017-06-21 10:58:29 +03:00
// If authorization succeeded but there is no loaded user,
// load it and find the user again (this happens with LDAP)
if (!client) {
2017-10-15 19:05:19 +03:00
client = manager.loadUser(data.user);
2016-07-29 21:20:38 -04:00
2017-06-21 10:58:29 +03:00
2016-07-29 21:20:38 -04:00
2017-06-21 10:58:29 +03:00
client = manager.findClient(data.user);
// We have found an existing user and client has provided a token
if (client && data.token && typeof client.config.sessions[data.token] !== "undefined") {
2017-10-12 10:57:25 +03:00
client.updateSession(data.token, getClientIp(socket), socket.request);
2017-06-21 10:58:29 +03:00
// Perform password checking
2017-09-01 11:44:53 +02:00
let auth = () => {
log.error("None of the auth plugins is enabled");
for (let i = 0; i < authPlugins.length; ++i) {
if (authPlugins[i].isEnabled()) {
auth = authPlugins[i].auth;
2014-08-14 09:35:37 -07:00
2017-08-29 18:05:06 +02:00
auth(manager, client, data.user, data.password, authCallback);
2014-08-14 09:35:37 -07:00
2017-08-13 21:37:12 +03:00
function reverseDnsLookup(ip, callback) {
dns.reverse(ip, (err, hostnames) => {
if (!err && hostnames.length) {
return callback(hostnames[0]);