Johann150
624157f03e
ActivityPub requests on routes which do not support activitypub are now replying with HTTP status code 406 "Not Acceptable". ActivityPub clients are required by the W3C TR to set the `Accept` header. If this accept header is detected on an unexpected route, the whole request will be aborted with the status code above. This is an additional measure for clients who might not be aware of having to check the content-type header of the reply. Ref: https://github.com/w3c/activitypub/issues/432 Changelog: Security
/**
 * File Server
 */
import * as fs from 'node:fs';
import { fileURLToPath } from 'node:url';
import { dirname } from 'node:path';
import Koa from 'koa';
import cors from '@koa/cors';
import Router from '@koa/router';
import { denyActivityPub } from '@/server/activitypub.js';
import { sendDriveFile } from './send-drive-file.js';
// ES modules have no __filename/__dirname globals, so both are derived
// from this module's own URL. _dirname is the base for the bundled asset
// path used by the router below; it never contains request data.
const _filename = fileURLToPath(import.meta.url);
const _dirname = dirname(_filename);
// Init app
const app = new Koa();

// Policy attached to every response that passes through this app.
// script-src is not listed, so it falls back to default-src 'none': a file
// opened directly from this origin cannot run script or fetch anything
// except same-origin images/media; inline styles are the one relaxation.
// NOTE(review): no X-Content-Type-Options header is set in this file;
// confirm it is added elsewhere (e.g. in sendDriveFile) if sniffing matters.
const contentSecurityPolicy = "default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'";

// Middleware order is significant: each layer runs before the ones below it.
app
	// cors() is called without options, so the package defaults apply.
	// NOTE(review): confirm the default origin policy is what is intended
	// for the files served here.
	.use(cors())
	// Registered ahead of the router, so it sees every request to this app.
	// Per the commit description it answers requests carrying an ActivityPub
	// Accept header with 406 instead of letting them reach a file route.
	.use(denyActivityPub())
	// The header is set before the downstream handler runs.
	// NOTE(review): Koa's default error handler drops headers set before a
	// thrown error, so such responses would presumably lack this policy;
	// confirm how sendDriveFile reports failures.
	.use(async (ctx, next) => {
		ctx.set('Content-Security-Policy', contentSecurityPolicy);
		await next();
	});
// Init router
const router = new Router();

// Fixed placeholder image. The path is built only from _dirname and a
// constant, so no request data reaches the filesystem call.
// NOTE(review): the file on disk is named dummy.png but is announced as
// image/jpeg; confirm the asset's real format matches the declared type.
router.get('/app-default.jpg', ctx => {
	ctx.body = fs.createReadStream(`${_dirname}/assets/dummy.png`);
	// Set after the body so the explicit type is the one that is sent.
	ctx.set({
		'Content-Type': 'image/jpeg',
		'Cache-Control': 'max-age=31536000, immutable',
	});
});

// Drive files: the bare key, and the key followed by any trailing path.
// Registered after the fixed route above so that route keeps precedence.
// NOTE(review): `key` and the trailing segment come straight from the URL;
// their validation lives in sendDriveFile, which is not shown here.
for (const pattern of ['/:key', '/:key/(.*)']) {
	router.get(pattern, sendDriveFile);
}

// Register router
const routes = router.routes();
app.use(routes);

export default app;