'use strict'; require('dotenv').config({ path: '/etc/AGWOL/stomping/.env' }); const path = require('path'); const express = require('express'); const helmet = require('helmet'); const cors = require('cors'); const cookieParser = require('cookie-parser'); const { env } = require('./config/env'); const { connectMongo } = require('./config/mongo'); const { createRedis } = require('./config/redis'); const { router: authRoutes } = require('./routes/auth'); const indexRoutes = require('./routes/index'); const adminPagesRoutes = require('./routes/adminPages'); const adminFoldersRoutes = require('./routes/adminFolders'); const adminTagsRoutes = require('./routes/adminTags'); const adminStoriesRoutes = require('./routes/adminStories'); const adminChaptersRoutes = require('./routes/adminChapters'); const publicPagesRoutes = require('./routes/publicPages'); async function start() { await connectMongo(); createRedis(); const app = express(); // nginx is the only proxy hop — trust loopback only. app.set('trust proxy', 'loopback'); app.use(helmet({ // Stories/covers are image-by-URL (design-018 §4 — no upload pipeline in // v1), so images can come from any https host, not just our own. contentSecurityPolicy: { directives: { ...helmet.contentSecurityPolicy.getDefaultDirectives(), 'img-src': ["'self'", 'data:', 'https:'], }, }, })); app.use(cors({ origin: env.ALLOWED_ORIGINS, credentials: true })); app.use(cookieParser(env.COOKIE_SECRET)); app.use(express.json()); app.use(express.urlencoded({ extended: false })); app.set('view engine', 'ejs'); app.set('views', path.join(__dirname, 'views')); app.use(express.static(path.join(__dirname, 'public'))); app.use('/', authRoutes); app.use('/', adminPagesRoutes); app.use('/', adminFoldersRoutes); app.use('/', adminTagsRoutes); app.use('/', adminStoriesRoutes); app.use('/', adminChaptersRoutes); app.use('/', indexRoutes); app.use('/', publicPagesRoutes); app.listen(env.PORT, '127.0.0.1', () => { console.log(`stomping.me running on port ${env.PORT}`); }); } start().catch(err => { console.error('[startup] fatal:', err.message); process.exit(1); });