|
import { |
|
ADMIN_API_SECRET, |
|
COOKIE_NAME, |
|
ENABLE_ASSISTANTS, |
|
EXPOSE_API, |
|
MESSAGES_BEFORE_LOGIN, |
|
PARQUET_EXPORT_SECRET, |
|
} from "$env/static/private"; |
|
import type { Handle } from "@sveltejs/kit"; |
|
import { |
|
PUBLIC_GOOGLE_ANALYTICS_ID, |
|
PUBLIC_ORIGIN, |
|
PUBLIC_APP_DISCLAIMER, |
|
} from "$env/static/public"; |
|
import { collections } from "$lib/server/database"; |
|
import { base } from "$app/paths"; |
|
import { findUser, refreshSessionCookie, requiresUser } from "$lib/server/auth"; |
|
import { ERROR_MESSAGES } from "$lib/stores/errors"; |
|
import { sha256 } from "$lib/utils/sha256"; |
|
import { addWeeks } from "date-fns"; |
|
import { checkAndRunMigrations } from "$lib/migrations/migrations"; |
|
import { building } from "$app/environment"; |
|
import { refreshAssistantsCounts } from "$lib/assistantStats/refresh-assistants-counts"; |
|
|
|
if (!building) { |
|
await checkAndRunMigrations(); |
|
if (ENABLE_ASSISTANTS) { |
|
refreshAssistantsCounts(); |
|
} |
|
} |
|
|
|
export const handle: Handle = async ({ event, resolve }) => { |
|
if (event.url.pathname.startsWith(`${base}/api/`) && EXPOSE_API !== "true") { |
|
return new Response("API is disabled", { status: 403 }); |
|
} |
|
|
|
function errorResponse(status: number, message: string) { |
|
const sendJson = |
|
event.request.headers.get("accept")?.includes("application/json") || |
|
event.request.headers.get("content-type")?.includes("application/json"); |
|
return new Response(sendJson ? JSON.stringify({ error: message }) : message, { |
|
status, |
|
headers: { |
|
"content-type": sendJson ? "application/json" : "text/plain", |
|
}, |
|
}); |
|
} |
|
|
|
if (event.url.pathname.startsWith(`${base}/admin/`) || event.url.pathname === `${base}/admin`) { |
|
const ADMIN_SECRET = ADMIN_API_SECRET || PARQUET_EXPORT_SECRET; |
|
|
|
if (!ADMIN_SECRET) { |
|
return errorResponse(500, "Admin API is not configured"); |
|
} |
|
|
|
if (event.request.headers.get("Authorization") !== `Bearer ${ADMIN_SECRET}`) { |
|
return errorResponse(401, "Unauthorized"); |
|
} |
|
} |
|
|
|
const token = event.cookies.get(COOKIE_NAME); |
|
|
|
let secretSessionId: string; |
|
let sessionId: string; |
|
|
|
if (token) { |
|
secretSessionId = token; |
|
sessionId = await sha256(token); |
|
|
|
const user = await findUser(sessionId); |
|
|
|
if (user) { |
|
event.locals.user = user; |
|
} |
|
} else { |
|
|
|
secretSessionId = crypto.randomUUID(); |
|
sessionId = await sha256(secretSessionId); |
|
|
|
if (await collections.sessions.findOne({ sessionId })) { |
|
return errorResponse(500, "Session ID collision"); |
|
} |
|
} |
|
|
|
event.locals.sessionId = sessionId; |
|
|
|
|
|
const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? ""; |
|
|
|
const nativeFormContentTypes = [ |
|
"multipart/form-data", |
|
"application/x-www-form-urlencoded", |
|
"text/plain", |
|
]; |
|
|
|
if (event.request.method === "POST") { |
|
refreshSessionCookie(event.cookies, event.locals.sessionId); |
|
|
|
if (nativeFormContentTypes.includes(requestContentType)) { |
|
const referer = event.request.headers.get("referer"); |
|
|
|
if (!referer) { |
|
return errorResponse(403, "Non-JSON form requests need to have a referer"); |
|
} |
|
|
|
const validOrigins = [ |
|
new URL(event.request.url).origin, |
|
...(PUBLIC_ORIGIN ? [new URL(PUBLIC_ORIGIN).origin] : []), |
|
]; |
|
|
|
if (!validOrigins.includes(new URL(referer).origin)) { |
|
return errorResponse(403, "Invalid referer for POST request"); |
|
} |
|
} |
|
} |
|
|
|
if (event.request.method === "POST") { |
|
|
|
refreshSessionCookie(event.cookies, secretSessionId); |
|
|
|
await collections.sessions.updateOne( |
|
{ sessionId }, |
|
{ $set: { updatedAt: new Date(), expiresAt: addWeeks(new Date(), 2) } } |
|
); |
|
} |
|
|
|
if ( |
|
!event.url.pathname.startsWith(`${base}/login`) && |
|
!event.url.pathname.startsWith(`${base}/admin`) && |
|
!["GET", "OPTIONS", "HEAD"].includes(event.request.method) |
|
) { |
|
if ( |
|
!event.locals.user && |
|
requiresUser && |
|
!((MESSAGES_BEFORE_LOGIN ? parseInt(MESSAGES_BEFORE_LOGIN) : 0) > 0) |
|
) { |
|
return errorResponse(401, ERROR_MESSAGES.authOnly); |
|
} |
|
|
|
|
|
|
|
|
|
if ( |
|
!requiresUser && |
|
!event.url.pathname.startsWith(`${base}/settings`) && |
|
!!PUBLIC_APP_DISCLAIMER |
|
) { |
|
const hasAcceptedEthicsModal = await collections.settings.countDocuments({ |
|
sessionId: event.locals.sessionId, |
|
ethicsModalAcceptedAt: { $exists: true }, |
|
}); |
|
|
|
if (!hasAcceptedEthicsModal) { |
|
return errorResponse(405, "You need to accept the welcome modal first"); |
|
} |
|
} |
|
} |
|
|
|
let replaced = false; |
|
|
|
const response = await resolve(event, { |
|
transformPageChunk: (chunk) => { |
|
|
|
if (replaced || !chunk.html.includes("%gaId%")) { |
|
return chunk.html; |
|
} |
|
replaced = true; |
|
|
|
return chunk.html.replace("%gaId%", PUBLIC_GOOGLE_ANALYTICS_ID); |
|
}, |
|
}); |
|
|
|
return response; |
|
}; |
|
|