josh
79adc365d8
Dockerfile — creates a non-root app user and runs the process under it server/routes.js — tailscale_ip validated against IPv4 regex (empty string still allowed) index.html — sql.js CDN script tag already removed earlier in this session
44 lines
1.1 KiB
JavaScript
44 lines
1.1 KiB
JavaScript
import express from 'express';
|
|
import helmet from 'helmet';
|
|
import { fileURLToPath } from 'url';
|
|
import { dirname, join } from 'path';
|
|
import { router } from './routes.js';
|
|
|
|
const __dirname = dirname(fileURLToPath(import.meta.url));
|
|
const PORT = process.env.PORT ?? 3000;
|
|
|
|
export const app = express();
|
|
|
|
app.use(helmet({
|
|
contentSecurityPolicy: {
|
|
directives: {
|
|
...helmet.contentSecurityPolicy.getDefaultDirectives(),
|
|
'style-src': ["'self'", 'https://fonts.googleapis.com'],
|
|
'font-src': ["'self'", 'https://fonts.gstatic.com'],
|
|
},
|
|
},
|
|
}));
|
|
app.use(express.json());
|
|
|
|
// API
|
|
app.use('/api', router);
|
|
|
|
// Static files
|
|
app.use(express.static(join(__dirname, '..')));
|
|
|
|
// SPA fallback — all non-API, non-asset routes serve index.html
|
|
app.get('*', (req, res) => {
|
|
res.sendFile(join(__dirname, '../index.html'));
|
|
});
|
|
|
|
// Error handler
|
|
app.use((err, _req, res, _next) => {
|
|
console.error(err);
|
|
res.status(500).json({ error: 'internal server error' });
|
|
});
|
|
|
|
// Boot — only when run directly, not when imported by tests
|
|
if (process.argv[1] === fileURLToPath(import.meta.url)) {
|
|
app.listen(PORT, () => console.log(`catalyst on :${PORT}`));
|
|
}
|