toannt/uldp-degree-mangement-system
1
0
Fork 0
forked from UKSOURCE/cms.hailearning.edu.vn
Code Pull Requests Activity
Files
fb64059193c201f88a04b397ed74917bb0896a9d
uldp-degree-mangement-system/server.js

187 lines
5.7 KiB
JavaScript
Raw Blame History

const express = require("express");
const dotenv = require("dotenv");
const path = require("path");
const cookieParser = require("cookie-parser");
const session = require("express-session");
const MongoStore = require("connect-mongo");
const flash = require("connect-flash");
const expressLayouts = require("express-ejs-layouts");
const fs = require("fs");
// Load environment variables
dotenv.config();
const connectDB = require("./config/database");
// Connect to MongoDB
connectDB();
// Initialize express app
const app = express();
// Set view engine
app.set("view engine", "ejs");
app.set("views", path.join(__dirname, "views"));
// Set up express-ejs-layouts
app.use(expressLayouts);
app.set("layout", "layouts/main");
app.set("layout extractScripts", true);
app.set("layout extractStyles", true);
// Middlewares
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
app.use(cookieParser());
app.use(
"/assets",
(req, res, next) => {
// Cho phép mọi domain truy cập tài nguyên tĩnh
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Methods", "GET");
next();
},
express.static(path.join(__dirname, "assets")),
);
// Map /assets/img to public/img to support frontend paths
app.use("/assets/img", express.static(path.join(__dirname, "public", "img")));
// Serve public folder at root (for /js, /img, etc.)
app.use(express.static(path.join(__dirname, "public")));
// Serve uploads folder
// REMOVED: public static serve for uploads — degree documents are protected
// app.use("/uploads", express.static(...)) ← intentionally disabled
// Serve other public files
app.use(express.static(path.join(__dirname, "public")));
// Session configuration (using MongoDB store to avoid logout khi server restart)
app.use(
session({
secret: process.env.SESSION_SECRET || "secret",
resave: false,
saveUninitialized: false,
store: MongoStore.create({
mongoUrl: process.env.MONGODB_URI,
collectionName: "sessions",
ttl: 60 * 60 * 24, // 24 hours (in seconds)
}),
cookie: {
maxAge: 1000 * 60 * 60 * 24, // 24 hours
httpOnly: true,
sameSite: "lax",
},
}),
);
// Flash messages
app.use(flash());
// Global variables
app.use((req, res, next) => {
// Lấy flash messages
const success_msg = req.flash("success_msg");
const error_msg = req.flash("error_msg");
const error = req.flash("error");
// Lưu vào res.locals để sử dụng trong views
res.locals.success_msg = success_msg.length > 0 ? success_msg[0] : null;
res.locals.error_msg = error_msg.length > 0 ? error_msg[0] : null;
res.locals.error = error.length > 0 ? error[0] : null;
// Tạo object flashMessages để sử dụng trong client-side JavaScript
res.locals.flashMessagesJSON = JSON.stringify({
success_msg: res.locals.success_msg,
error_msg: res.locals.error_msg,
error: res.locals.error,
});
res.locals.user = req.session.user || null;
res.locals.currentPath = req.path;
next();
});
// Kiểm tra và tạo thư mục data nếu chưa tồn tại
const dataDir = path.join(__dirname, "data");
if (!fs.existsSync(dataDir)) {
fs.mkdirSync(dataDir);
}
// Frontend URL configuration
const FRONTEND_URL = process.env.FRONTEND_URL;
// Add frontend URL to res.locals for all requests
app.use((req, res, next) => {
res.locals.frontendUrl = FRONTEND_URL;
res.locals.currentPath = req.path;
next();
});
// Simple CORS middleware for API endpoints
app.use((req, res, next) => {
const origin = req.headers.origin;
const allowedOrigin = FRONTEND_URL || "*";
if (allowedOrigin === "*" || origin === allowedOrigin) {
res.setHeader("Access-Control-Allow-Origin", allowedOrigin === "*" ? "*" : origin);
res.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-API-Key");
res.setHeader("Access-Control-Allow-Credentials", "true");
}
// Handle preflight
if (req.method === "OPTIONS") {
return res.sendStatus(204);
}
next();
});
// Protected file serving — degree/certificate documents via signed URLs
const { verifySignedUrl } = require('./utils/signedUrl');
app.get("/secure-files/:filename", (req, res) => {
const filename = path.basename(req.params.filename);
const { token, expires } = req.query;
const result = verifySignedUrl(filename, token, expires);
if (!result.valid) {
return res.status(401).json({ error: result.reason || 'Unauthorized' });
}
const filePath = path.join(__dirname, "private", "uploads", "degree", filename);
if (!fs.existsSync(filePath)) {
return res.status(404).json({ error: "File not found" });
}
res.setHeader("Access-Control-Allow-Origin", FRONTEND_URL || "*");
res.setHeader("Cache-Control", "private, no-store"); // prevent caching of sensitive docs
res.sendFile(filePath);
});
// Routes
const authRoutes = require("./routes/auth");
const adminRoutes = require("./routes/admin");
const indexRoutes = require("./routes/index");
app.use("/auth", authRoutes);
app.use("/admin", adminRoutes);
app.use("/", indexRoutes);
// 404 handler
app.use((req, res) => {
res.status(404);
if (req.accepts("html"))
return res.render("page/404", { layout: false });
if (req.accepts("json")) return res.json({ error: "Not found" });
res.type("txt").send("Not found");
});
// Start server
const PORT = process.env.PORT || 3001;
const HOST = process.env.HOST || "localhost";
app.listen(PORT, HOST, () => {
console.log(`🚀 SERVER:[ http://${HOST}:${PORT} ]`);
});
View Git Blame Copy Permalink