akkoma/lib/pleroma/web/endpoint.ex

# Pleroma: A lightweight social networking server
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.Endpoint do
  use Phoenix.Endpoint, otp_app: :pleroma

  require Pleroma.Constants

  alias Pleroma.Config

  socket("/socket", Pleroma.Web.UserSocket)
  socket("/live", Phoenix.LiveView.Socket)

  plug(Plug.Telemetry, event_prefix: [:phoenix, :endpoint])

  plug(Pleroma.Web.Plugs.SetLocalePlug)
  plug(CORSPlug)
  plug(Pleroma.Web.Plugs.HTTPSecurityPlug)
  plug(Pleroma.Web.Plugs.UploadedMedia)

  @static_cache_control "public, no-cache"

  # InstanceStatic needs to be before Plug.Static to be able to override shipped-static files
  # If you're adding new paths to `only:` you'll need to configure them in InstanceStatic as well
  # Cache-control headers are duplicated in case we turn off etags in the future
  plug(
    Pleroma.Web.Plugs.InstanceStatic,
    at: "/",
    from: :pleroma,
    only: ["emoji", "images"],
    gzip: true,
    cache_control_for_etags: "public, max-age=1209600",
    headers: %{
      "cache-control" => "public, max-age=1209600"
    }
  )

  plug(Pleroma.Web.Plugs.InstanceStatic,
    at: "/",
    gzip: true,
    cache_control_for_etags: @static_cache_control,
    headers: %{
      "cache-control" => @static_cache_control
    }
  )

  # Careful! No `only` restriction here, as we don't know what frontends contain.
  plug(Pleroma.Web.Plugs.FrontendStatic,
    at: "/",
    frontend_type: :primary,
    gzip: true,
    cache_control_for_etags: @static_cache_control,
    headers: %{
      "cache-control" => @static_cache_control
    }
  )

  plug(Plug.Static.IndexHtml, at: "/pleroma/admin/")

  plug(Pleroma.Web.Plugs.FrontendStatic,
    at: "/pleroma/admin",
    frontend_type: :admin,
    gzip: true,
    cache_control_for_etags: @static_cache_control,
    headers: %{
      "cache-control" => @static_cache_control
    }
  )

  plug(Plug.Static.IndexHtml, at: "/pleroma/fedife/")

  plug(Pleroma.Web.Plugs.FrontendStatic,
    at: "/pleroma/fedife",
    frontend_type: :fedife,
    gzip: true,
    cache_control_for_etags: @static_cache_control,
    headers: %{
      "cache-control" => @static_cache_control
    }
  )

  # Serve at "/" the static files from "priv/static" directory.
  #
  # You should set gzip to true if you are running phoenix.digest
  # when deploying your static files in production.
  plug(
    Plug.Static,
    at: "/",
    from: :pleroma,
    only: Pleroma.Constants.static_only_files(),
    # credo:disable-for-previous-line Credo.Check.Readability.MaxLineLength
    gzip: true,
    cache_control_for_etags: @static_cache_control,
    headers: %{
      "cache-control" => @static_cache_control
    }
  )

  plug(Plug.Static,
    at: "/pleroma/admin/",
    from: {:pleroma, "priv/static/adminfe/"}
  )

  # Code reloading can be explicitly enabled under the
  # :code_reloader configuration of your endpoint.
  if code_reloading? do
    plug(Phoenix.CodeReloader)
  end

  plug(Pleroma.Web.Plugs.TrailingFormatPlug)
  plug(Plug.RequestId)
  plug(Plug.Logger, log: :debug)

  plug(Plug.Parsers,
    parsers: [
      :urlencoded,
      {:multipart, length: {Config, :get, [[:instance, :upload_limit]]}},
      :json
    ],
    pass: ["*/*"],
    json_decoder: Jason,
    length: Config.get([:instance, :upload_limit]),
    body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
  )

  plug(Plug.MethodOverride)
  plug(Plug.Head)

  secure_cookies = Config.get([__MODULE__, :secure_cookie_flag])

  cookie_name =
    if secure_cookies,
      do: "__Host-pleroma_key",
      else: "pleroma_key"

  extra =
    Config.get([__MODULE__, :extra_cookie_attrs])
    |> Enum.join(";")

  # The session will be stored in the cookie and signed,
  # this means its contents can be read but not tampered with.
  # Set :encryption_salt if you would also like to encrypt it.
  plug(
    Plug.Session,
    store: :cookie,
    key: cookie_name,
    signing_salt: Config.get([__MODULE__, :signing_salt], "CqaoopA2"),
    http_only: true,
    secure: secure_cookies,
    extra: extra
  )

  plug(Pleroma.Web.Plugs.RemoteIp)

  defmodule Instrumenter do
    use Prometheus.PhoenixInstrumenter
  end

  defmodule PipelineInstrumenter do
    use Prometheus.PlugPipelineInstrumenter
  end

  defmodule MetricsExporter do
    use Prometheus.PlugExporter
  end

  defmodule MetricsExporterCaller do
    @behaviour Plug

    def init(opts), do: opts

    def call(conn, opts) do
      prometheus_config = Application.get_env(:prometheus, MetricsExporter, [])
      ip_whitelist = List.wrap(prometheus_config[:ip_whitelist])

      cond do
        !prometheus_config[:enabled] ->
          conn

        ip_whitelist != [] and
            !Enum.find(ip_whitelist, fn ip ->
              Pleroma.Helpers.InetHelper.parse_address(ip) == {:ok, conn.remote_ip}
            end) ->
          conn

        true ->
          MetricsExporter.call(conn, opts)
      end
    end
  end

  plug(PipelineInstrumenter)

  plug(MetricsExporterCaller)

  plug(Pleroma.Web.Router)

  @doc """
  Dynamically loads configuration from the system environment
  on startup.

  It receives the endpoint configuration from the config files
  and must return the updated configuration.
  """
  def load_from_system_env(config) do
    port = System.get_env("PORT") || raise "expected the PORT environment variable to be set"
    {:ok, Keyword.put(config, :http, [:inet6, port: port])}
  end

  def websocket_url do
    String.replace_leading(url(), "http", "ws")
  end
end
add license boilerplate to pleroma core 2018-12-23 20:04:54 +00:00			`# Pleroma: A lightweight social networking server`
Bump Copyright to 2021 grep -rl '# Copyright © .* Pleroma' * \| xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;' 2021-01-13 06:49:20 +00:00			`# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>`
add license boilerplate to pleroma core 2018-12-23 20:04:54 +00:00			`# SPDX-License-Identifier: AGPL-3.0-only`

Phoenix skeleton 2017-03-17 16:09:58 +00:00			`defmodule Pleroma.Web.Endpoint do`
			`use Phoenix.Endpoint, otp_app: :pleroma`

static-fe.css: Restore and move to /priv/static/static-fe 2020-05-01 19:15:43 +00:00			`require Pleroma.Constants`

[#1668] Restricted access to app metrics endpoint by default. Added ability to configure IP whitelist for this endpoint. Added tests and documentation. 2020-10-18 18:22:21 +00:00			`alias Pleroma.Config`

Various runtime configuration fixes 2018-11-16 20:35:08 +00:00			`socket("/socket", Pleroma.Web.UserSocket)`
Add Phoenix LiveDashboard Co-authored-by: Egor Kislitsyn <egor@kislitsyn.com> 2021-12-15 21:17:11 +00:00			`socket("/live", Phoenix.LiveView.Socket)`
Format the code. 2018-03-30 13:01:53 +00:00
[#3059] Formatting fix. 2020-10-22 11:07:33 +00:00			`plug(Plug.Telemetry, event_prefix: [:phoenix, :endpoint])`
[#3059] Fixed Phoenix 1.5 telemetry processing. 2020-10-22 10:54:15 +00:00
SetLocalePlug module name 2020-06-24 06:24:29 +00:00			`plug(Pleroma.Web.Plugs.SetLocalePlug)`
endpoint: move CORSPlug in front of Plug.Static 2018-11-10 11:23:50 +00:00			`plug(CORSPlug)`
HTTPSecurityPlug module name and filename 2020-06-24 07:39:17 +00:00			`plug(Pleroma.Web.Plugs.HTTPSecurityPlug)`
UploadedMedia module name 2020-06-24 06:03:48 +00:00			`plug(Pleroma.Web.Plugs.UploadedMedia)`
Format the code. 2018-03-30 13:01:53 +00:00
Revert "Set better Cache-Control header for static content" On furher investigation it seems like all that did was cause unintuitive behavior. The emoji request flood that was the reason for introducing it isn't really that big of a deal either, since Plug.Static only needs to read file modification time and size to determine the ETag. Closes #1613 2020-03-11 14:58:25 +00:00			`@static_cache_control "public, no-cache"`
Move the Cache Control header test to its own file We can consolidate our cache control header tests here 2019-05-24 20:33:55 +00:00
Instance/Static runtime plug This allows to set-up an arbitrary directory which overrides most of the static files: index.html static/ emoji/ packs/ sounds/ images/ instance/ favicon.png. If the files are not present in the directory, the bundled ones in priv/static will be used. 2018-12-17 21:50:59 +00:00			`# InstanceStatic needs to be before Plug.Static to be able to override shipped-static files`
			# If you're adding new paths to `only:` you'll need to configure them in InstanceStatic as well
Move the Cache Control header test to its own file We can consolidate our cache control header tests here 2019-05-24 20:33:55 +00:00			`# Cache-control headers are duplicated in case we turn off etags in the future`
like this 2021-01-29 12:24:22 +00:00			`plug(`
			`Pleroma.Web.Plugs.InstanceStatic,`
			`at: "/",`
			`from: :pleroma,`
			`only: ["emoji", "images"],`
			`gzip: true,`
			`cache_control_for_etags: "public, max-age=1209600",`
			`headers: %{`
			`"cache-control" => "public, max-age=1209600"`
			`}`
			`)`

InstanceStatic module name 2020-06-24 07:03:10 +00:00			`plug(Pleroma.Web.Plugs.InstanceStatic,`
Move the Cache Control header test to its own file We can consolidate our cache control header tests here 2019-05-24 20:33:55 +00:00			`at: "/",`
			`gzip: true,`
			`cache_control_for_etags: @static_cache_control,`
			`headers: %{`
			`"cache-control" => @static_cache_control`
			`}`
			`)`
Instance/Static runtime plug This allows to set-up an arbitrary directory which overrides most of the static files: index.html static/ emoji/ packs/ sounds/ images/ instance/ favicon.png. If the files are not present in the directory, the bundled ones in priv/static will be used. 2018-12-17 21:50:59 +00:00
FrontendStatic: Add plug to serve frontends based on configuration. 2020-07-28 15:35:16 +00:00			# Careful! No `only` restriction here, as we don't know what frontends contain.
fixes after rebase 2020-09-02 07:29:36 +00:00			`plug(Pleroma.Web.Plugs.FrontendStatic,`
FrontendStatic: Add plug to serve frontends based on configuration. 2020-07-28 15:35:16 +00:00			`at: "/",`
			`frontend_type: :primary,`
			`gzip: true,`
			`cache_control_for_etags: @static_cache_control,`
			`headers: %{`
			`"cache-control" => @static_cache_control`
			`}`
			`)`

Endpoint: Serve a dynamically configured admin interface 2020-07-29 11:03:04 +00:00			`plug(Plug.Static.IndexHtml, at: "/pleroma/admin/")`

fixes after rebase 2020-09-02 07:29:36 +00:00			`plug(Pleroma.Web.Plugs.FrontendStatic,`
Endpoint: Serve a dynamically configured admin interface 2020-07-29 11:03:04 +00:00			`at: "/pleroma/admin",`
			`frontend_type: :admin,`
			`gzip: true,`
			`cache_control_for_etags: @static_cache_control,`
			`headers: %{`
			`"cache-control" => @static_cache_control`
			`}`
			`)`

Merge branch 'develop' of https://git.pleroma.social/pleroma/pleroma into develop 2020-12-29 13:16:14 +00:00			`plug(Plug.Static.IndexHtml, at: "/pleroma/fedife/")`

			`plug(Pleroma.Web.Plugs.FrontendStatic,`
			`at: "/pleroma/fedife",`
			`frontend_type: :fedife,`
			`gzip: true,`
			`cache_control_for_etags: @static_cache_control,`
			`headers: %{`
			`"cache-control" => @static_cache_control`
			`}`
			`)`

Add SetLocalePlug 2019-07-09 11:30:15 +00:00			`# Serve at "/" the static files from "priv/static" directory.`
			`#`
			`# You should set gzip to true if you are running phoenix.digest`
			`# when deploying your static files in production.`
Format the code. 2018-03-30 13:01:53 +00:00			`plug(`
			`Plug.Static,`
			`at: "/",`
			`from: :pleroma,`
static-fe.css: Restore and move to /priv/static/static-fe 2020-05-01 19:15:43 +00:00			`only: Pleroma.Constants.static_only_files(),`
[Credo] fix Credo.Check.Readability.MaxLineLength 2019-03-05 04:37:33 +00:00			`# credo:disable-for-previous-line Credo.Check.Readability.MaxLineLength`
Move the Cache Control header test to its own file We can consolidate our cache control header tests here 2019-05-24 20:33:55 +00:00			`gzip: true,`
			`cache_control_for_etags: @static_cache_control,`
			`headers: %{`
			`"cache-control" => @static_cache_control`
			`}`
Format the code. 2018-03-30 13:01:53 +00:00			`)`
Phoenix skeleton 2017-03-17 16:09:58 +00:00
Initial bundle of basic AdminFE Due to CSP headers we only allow connecting to self. If you want to host AdminFE on a separate domain without CSP headers you will be able to connect to any public Pleroma host. 2019-05-11 01:34:17 +00:00			`plug(Plug.Static,`
			`at: "/pleroma/admin/",`
			`from: {:pleroma, "priv/static/adminfe/"}`
			`)`

Phoenix skeleton 2017-03-17 16:09:58 +00:00			`# Code reloading can be explicitly enabled under the`
			`# :code_reloader configuration of your endpoint.`
			`if code_reloading? do`
Format the code. 2018-03-30 13:01:53 +00:00			`plug(Phoenix.CodeReloader)`
Phoenix skeleton 2017-03-17 16:09:58 +00:00			`end`

TrailingFormatPlug module name 2020-06-24 06:05:23 +00:00			`plug(Pleroma.Web.Plugs.TrailingFormatPlug)`
Format the code. 2018-03-30 13:01:53 +00:00			`plug(Plug.RequestId)`
Set Plug.Logger to log at `:debug` level 2019-12-09 12:12:24 +00:00			`plug(Plug.Logger, log: :debug)`
Phoenix skeleton 2017-03-17 16:09:58 +00:00
Actually fix upload limit on OTP releases Closes #1109 2020-02-07 16:21:55 +00:00			`plug(Plug.Parsers,`
			`parsers: [`
			`:urlencoded,`
[#1668] Restricted access to app metrics endpoint by default. Added ability to configure IP whitelist for this endpoint. Added tests and documentation. 2020-10-18 18:22:21 +00:00			`{:multipart, length: {Config, :get, [[:instance, :upload_limit]]}},`
Actually fix upload limit on OTP releases Closes #1109 2020-02-07 16:21:55 +00:00			`:json`
			`],`
			`pass: ["/"],`
			`json_decoder: Jason,`
[#1668] Restricted access to app metrics endpoint by default. Added ability to configure IP whitelist for this endpoint. Added tests and documentation. 2020-10-18 18:22:21 +00:00			`length: Config.get([:instance, :upload_limit]),`
Actually fix upload limit on OTP releases Closes #1109 2020-02-07 16:21:55 +00:00			`body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}`
			`)`
Phoenix skeleton 2017-03-17 16:09:58 +00:00
Format the code. 2018-03-30 13:01:53 +00:00			`plug(Plug.MethodOverride)`
			`plug(Plug.Head)`
Phoenix skeleton 2017-03-17 16:09:58 +00:00
[#1668] Restricted access to app metrics endpoint by default. Added ability to configure IP whitelist for this endpoint. Added tests and documentation. 2020-10-18 18:22:21 +00:00			`secure_cookies = Config.get([__MODULE__, :secure_cookie_flag])`
Sign in via Twitter (WIP). 2019-03-11 17:37:26 +00:00
Add __Host- prefix when secure flag is enabled 2018-11-12 23:32:38 +00:00			`cookie_name =`
Sign in via Twitter (WIP). 2019-03-11 17:37:26 +00:00			`if secure_cookies,`
Add __Host- prefix when secure flag is enabled 2018-11-12 23:32:38 +00:00			`do: "__Host-pleroma_key",`
			`else: "pleroma_key"`

make Pleroma.Endpoint use extra_cookie_attrs in config 2019-04-15 04:33:46 +00:00			`extra =`
[#1668] Restricted access to app metrics endpoint by default. Added ability to configure IP whitelist for this endpoint. Added tests and documentation. 2020-10-18 18:22:21 +00:00			`Config.get([__MODULE__, :extra_cookie_attrs])`
make Pleroma.Endpoint use extra_cookie_attrs in config 2019-04-15 04:33:46 +00:00			`\|> Enum.join(";")`
[#923] OAuth: prototype of sign in / sign up with Twitter. 2019-03-15 14:08:03 +00:00
Phoenix skeleton 2017-03-17 16:09:58 +00:00			`# The session will be stored in the cookie and signed,`
			`# this means its contents can be read but not tampered with.`
			`# Set :encryption_salt if you would also like to encrypt it.`
Format the code. 2018-03-30 13:01:53 +00:00			`plug(`
			`Plug.Session,`
Phoenix skeleton 2017-03-17 16:09:58 +00:00			`store: :cookie,`
Add __Host- prefix when secure flag is enabled 2018-11-12 23:32:38 +00:00			`key: cookie_name,`
[#1668] Restricted access to app metrics endpoint by default. Added ability to configure IP whitelist for this endpoint. Added tests and documentation. 2020-10-18 18:22:21 +00:00			`signing_salt: Config.get([__MODULE__, :signing_salt], "CqaoopA2"),`
Explicitly set 'http_only' to true 2018-08-28 20:34:31 +00:00			`http_only: true,`
Sign in via Twitter (WIP). 2019-03-11 17:37:26 +00:00			`secure: secure_cookies,`
make Pleroma.Endpoint use extra_cookie_attrs in config 2019-04-15 04:33:46 +00:00			`extra: extra`
Format the code. 2018-03-30 13:01:53 +00:00			`)`
Phoenix skeleton 2017-03-17 16:09:58 +00:00
RemoteIp module name 2020-06-24 06:30:32 +00:00			`plug(Pleroma.Web.Plugs.RemoteIp)`
Set up telemetry and prometheus 2019-01-30 15:32:30 +00:00
			`defmodule Instrumenter do`
			`use Prometheus.PhoenixInstrumenter`
			`end`

			`defmodule PipelineInstrumenter do`
			`use Prometheus.PlugPipelineInstrumenter`
			`end`

			`defmodule MetricsExporter do`
			`use Prometheus.PlugExporter`
			`end`

[#1668] Restricted access to app metrics endpoint by default. Added ability to configure IP whitelist for this endpoint. Added tests and documentation. 2020-10-18 18:22:21 +00:00			`defmodule MetricsExporterCaller do`
			`@behaviour Plug`

			`def init(opts), do: opts`

			`def call(conn, opts) do`
			`prometheus_config = Application.get_env(:prometheus, MetricsExporter, [])`
			`ip_whitelist = List.wrap(prometheus_config[:ip_whitelist])`

			`cond do`
			`!prometheus_config[:enabled] ->`
			`conn`

			`ip_whitelist != [] and`
			`!Enum.find(ip_whitelist, fn ip ->`
			`Pleroma.Helpers.InetHelper.parse_address(ip) == {:ok, conn.remote_ip}`
			`end) ->`
			`conn`

			`true ->`
			`MetricsExporter.call(conn, opts)`
			`end`
			`end`
			`end`

Set up telemetry and prometheus 2019-01-30 15:32:30 +00:00			`plug(PipelineInstrumenter)`
[#1668] Restricted access to app metrics endpoint by default. Added ability to configure IP whitelist for this endpoint. Added tests and documentation. 2020-10-18 18:22:21 +00:00
			`plug(MetricsExporterCaller)`
Set up telemetry and prometheus 2019-01-30 15:32:30 +00:00
Format the code. 2018-03-30 13:01:53 +00:00			`plug(Pleroma.Web.Router)`
Phoenix skeleton 2017-03-17 16:09:58 +00:00
			`@doc """`
			`Dynamically loads configuration from the system environment`
			`on startup.`

			`It receives the endpoint configuration from the config files`
			`and must return the updated configuration.`
			`"""`
			`def load_from_system_env(config) do`
			`port = System.get_env("PORT") \|\| raise "expected the PORT environment variable to be set"`
			`{:ok, Keyword.put(config, :http, [:inet6, port: port])}`
			`end`
Use String.replace_leading instead of String.replace for getting websocket streaming api url. Extract the login responsible for obtaining websocket URL into the corresponding Endpoint function. 2019-02-01 18:56:18 +00:00
			`def websocket_url do`
Use url() instead of static_url in Endpoint.websocket_url() 2019-02-01 19:35:19 +00:00			`String.replace_leading(url(), "http", "ws")`
Use String.replace_leading instead of String.replace for getting websocket streaming api url. Extract the login responsible for obtaining websocket URL into the corresponding Endpoint function. 2019-02-01 18:56:18 +00:00			`end`
Phoenix skeleton 2017-03-17 16:09:58 +00:00			`end`