diff --git a/src/server.js b/src/server.js
index 99af1d31e..55db336d5 100644
--- a/src/server.js
+++ b/src/server.js
@@ -36,13 +36,18 @@ async function initializeExpressSync() {
 const wsServer = new ws.Server({ noServer: true }); // in noServer mode, we have to handle 'upgrade' and call handleUpgrade
+ const REQUEST_TIMEOUT = 60000; // timeout for all requests (see also setTimeout on the httpServer)
+
+ // NOTE: routes that use multi-part have to be whitelisted in the reverse proxy
+ const FILE_SIZE_LIMIT = '256mb', // max file size that can be uploaded (see also client_max_body_size in nginx)
+ FILE_TIMEOUT = 60 * 1000; // increased timeout for file uploads (1 min)
+
 const QUERY_LIMIT = '2mb', // max size for json queries (see also client_max_body_size in nginx)
 FIELD_LIMIT = 2 * 1024 * 1024; // max fields that can appear in multipart
- const REQUEST_TIMEOUT = 60000; // timeout for all requests (see also setTimeout on the httpServer)
-
+ const multipart = middleware.multipart({ maxFieldsSize: FIELD_LIMIT, limit: FILE_SIZE_LIMIT, timeout: FILE_TIMEOUT });
 const json = middleware.json({ strict: true, limit: QUERY_LIMIT }, true); // forces json content-type
- const jsonOptional = middleware.json({ strict: true, limit: QUERY_LIMIT }, false);
+ const jsonOrMultipart = [ middleware.json({ strict: true, limit: QUERY_LIMIT }, false), multipart ];
 app.set('json spaces', 2); // pretty json
 app.enable('trust proxy'); // trust the X-Forwarded-* headers
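Review bot: `FILE_TIMEOUT = 60 * 1000` is commented as an "increased timeout for file uploads", but it equals the `REQUEST_TIMEOUT = 60000` added a few lines above, so a 256 MB upload gets no more time than any other request; either raise it or change the comment to `// timeout for file uploads (same as REQUEST_TIMEOUT for now)`. The `FIELD_LIMIT` comment says "max fields that can appear in multipart", yet it feeds `maxFieldsSize` and the value `2 * 1024 * 1024` reads as a byte budget, so something like `// max total bytes of non-file multipart fields` is presumably what is meant — confirm against the middleware. `jsonOrMultipart` now bundles the 256 MB multipart parser with the optional JSON parser, so its position in a route chain decides whether upload parsing happens before authentication; a comment such as `// includes the multipart parser: keep this behind token auth in route chains` would make that visible at the use sites. initializeExpressSync continues outside the hunk.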
@@ -65,12 +70,6 @@ async function initializeExpressSync() {
 .use(notFoundHandler) .use(middleware.lastMile());
- // NOTE: routes that use multi-part have to be whitelisted in the reverse proxy
- const FILE_SIZE_LIMIT = '256mb', // max file size that can be uploaded (see also client_max_body_size in nginx)
- FILE_TIMEOUT = 60 * 1000; // increased timeout for file uploads (1 min)
-
- const multipart = middleware.multipart({ maxFieldsSize: FIELD_LIMIT, limit: FILE_SIZE_LIMIT, timeout: FILE_TIMEOUT });
-
 // authentication
 const password = routes.accesscontrol.passwordAuth;
 const token = routes.accesscontrol.tokenAuth;
@@ -265,8 +264,8 @@ async function initializeExpressSync() {
 router.get ('/api/v1/appstore/apps/:appstoreId/versions/:versionId', token, authorizeAdmin, routes.appstore.getAppVersion); // app routes
- router.post('/api/v1/apps/install', jsonOptional, token, multipart,authorizeAdmin, routes.apps.install); // DEPRECATED from 8.1 on in favor of route below
- router.post('/api/v1/apps', jsonOptional, token, multipart,authorizeAdmin, routes.apps.install);
+ router.post('/api/v1/apps/install', jsonOrMultipart, token, authorizeAdmin, routes.apps.install); // DEPRECATED from 8.1 on in favor of route below
+ router.post('/api/v1/apps', jsonOrMultipart, token, authorizeAdmin, routes.apps.install);
 router.get ('/api/v1/apps', token, authorizeUser, routes.apps.listByUser);
 router.get ('/api/v1/apps/:id', token, routes.apps.load, authorizeOperator, routes.apps.getApp);
 router.get ('/api/v1/apps/:id/icon', routes.apps.load, routes.apps.getAppIcon);
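Review bot: In the second hunk the new `/api/v1/apps` and `/api/v1/apps/install` chains run `jsonOrMultipart` before `token`, whereas the removed lines ran `multipart` only after `token`; since `jsonOrMultipart` carries the multipart parser (256 MB limit, 60 s timeout per its definition earlier in this diff), an unauthenticated client can now drive file-upload parsing and whatever temporary storage that middleware uses. The previous order should be kept, e.g. `router.post('/api/v1/apps', middleware.json({ strict: true, limit: QUERY_LIMIT }, false), token, multipart, authorizeAdmin, routes.apps.install);` and the same for the deprecated `/apps/install` line, or `jsonOrMultipart` should carry only the JSON step with `multipart` added after `token`. If `tokenAuth` does not read the token from the JSON body, simply moving `token` in front of `jsonOrMultipart` is enough. initializeExpressSync continues outside the hunk.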
@@ -298,7 +297,7 @@ async function initializeExpressSync() {
 router.post('/api/v1/apps/:id/configure/upstream_uri', json, token, routes.apps.load, authorizeOperator, routes.apps.setUpstreamUri);
 router.post('/api/v1/apps/:id/repair', json, token, routes.apps.load, authorizeOperator, routes.apps.repair);
 router.post('/api/v1/apps/:id/check_update', json, token, routes.apps.load, authorizeOperator, routes.apps.checkUpdate);
- router.post('/api/v1/apps/:id/update', jsonOptional, token, multipart, routes.apps.load, authorizeOperator, routes.apps.update);
+ router.post('/api/v1/apps/:id/update', jsonOrMultipart, token, routes.apps.load, authorizeOperator, routes.apps.update);
 router.post('/api/v1/apps/:id/restore', json, token, routes.apps.load, authorizeOperator, routes.apps.restore);
 router.post('/api/v1/apps/:id/import', json, token, routes.apps.load, authorizeOperator, routes.apps.importApp);
 router.post('/api/v1/apps/:id/export', json, token, routes.apps.load, authorizeOperator, routes.apps.exportApp);
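Review bot: `/api/v1/apps/:id/update` now runs `jsonOrMultipart`, which includes the 256 MB multipart parser, before `token`, while the removed line parsed multipart only after `token`; an unauthenticated request for any `:id` can therefore trigger upload parsing and its temporary storage before the token, the app lookup in `routes.apps.load`, or `authorizeOperator` reject it. Restore the old order, `router.post('/api/v1/apps/:id/update', middleware.json({ strict: true, limit: QUERY_LIMIT }, false), token, multipart, routes.apps.load, authorizeOperator, routes.apps.update);`, or move `token` ahead of `jsonOrMultipart` if `tokenAuth` does not need the parsed JSON body. Placing `multipart` after `authorizeOperator` would tighten this further, provided `load` and the authorizer do not read the body. initializeExpressSync continues outside the hunk.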