CDN-APP-INSIDER/CLAUDE.md
Dinawo 2df1b28962
Update v1.2.0-beta - Dynamic context menu & permissions
 New Features:
- Dynamic permission-based context menus for files and folders
- Support for collaborative folder access control
- Upload to specific folders including shared folders
- Changelog modal for version updates
- Improved dark mode synchronization

🐛 Bug Fixes:
- Fixed context menu displaying incorrect options
- Fixed CSS !important override preventing dynamic menu behavior
- Fixed folder collaboration permission checks
- Fixed breadcrumb navigation with empty segments
- Fixed "Premature close" error loop in attachments
- Fixed missing user variable in admin routes
- Fixed avatar loading COEP policy issues

🔒 Security:
- Added security middleware (CSRF, rate limiting, input validation)
- Fixed collaboration folder access validation
- Improved shared folder permission handling

🎨 UI/UX Improvements:
- Removed Actions column from folder view
- Context menu now properly hides/shows based on permissions
- Better visual feedback for collaborative folders
- Improved upload flow with inline modals

🧹 Code Quality:
- Added collaboration data to folder routes
- Refactored context menu logic for better maintainability
- Added debug logging for troubleshooting
- Improved file upload handling with chunking support
2025-10-25 23:55:51 +02:00


# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Project Overview
CDN-APP-INSIDER is a self-hosted Content Delivery Network (CDN) application for secure file transfer and management. The application supports multiple authentication methods (Discord, LDAP/ActiveDirectory), file collaboration, and real-time WebSocket updates.
**Version**: 1.2.0-beta
**Author**: Dinawo - Group Myaxrin Labs
**Main Contributor**: WaYy
## Development Commands
### Running the Application
```bash
npm start # Production mode
npm run nodemon # Development mode with auto-reload
```
### Installation
The application is typically installed via:
```bash
curl -s https://apollon.dinawo.fr/getcdn/install/latest | bash
```
After installation, access the dashboard at: `https://your-ip:3000/dpanel/dashboard`
**Prerequisites**: A CDN-Access group must exist in your LDAP directory.
## Architecture Overview
### Core Components
**server.js** - Application entry point that:
- Initializes Express app with session management and Passport authentication
- Configures authentication strategies based on `data/setup.json` (Discord, LDAP)
- Sets up WebSocket server for real-time updates
- Starts cron jobs for file cleanup and system reporting
- Protects sensitive JSON files in `/data/` directory
- Listens on port 3000 (configurable via `PORT` env variable)
**routes/routes.js** - Central routing hub that imports and mounts all route modules with middleware chains
### Authentication System
The application uses Passport.js with multiple strategies:
- **Discord OAuth** (`models/Passport-Discord.js`)
- **LDAP/ActiveDirectory** (`models/Passport-ActiveDirectory.js`)
- **Google OAuth** (`models/Passport-Google.js`)
Authentication strategies are conditionally loaded based on `data/setup.json` configuration.
**authMiddleware.js** - Core authentication middleware that:
- Validates session authentication via `req.isAuthenticated()`
- Loads user data from `data/user.json`
- Attaches user object to `req.session.user`, `res.locals.user`, and `req.userData`
- Redirects unauthenticated users to `/auth/login`
### Logging System (`config/logs.js`)
Winston-based logging with:
- Daily rotating file logs (14-day retention, 20MB max size)
- Multiple specialized loggers: server, client, error, auth, suspicious, API, filesystem, database
- Configurable via `data/setup.json` with:
  - `logs.enabled`: 'on' or 'off'
  - `logs.level`: 'info', 'warn', 'error', etc.
  - `logs.includeOnly`: Array of paths to exclusively log
  - `logs.excludePaths`: Array of paths to exclude from logging
  - `logs.levels`: Array of enabled log levels
Logs are stored in `/logs/` directory with format: `log-YYYY-MM-DD.log`
### Security & Ban System (`models/banModel.js`)
Progressive ban system that:
- Tracks suspicious requests per IP in `data/banUser.json`
- Implements escalating ban levels: 10min, 30min, 60min, permanent
- Triggers after 5 suspicious requests within 60 seconds
- Excludes localhost and specific endpoints (ActiveDirectory, favicon)
- All suspicious activity is logged via `suspiciousLogger`
**discordWebhookSuspisiousAlertMiddleware.js** - Sends Discord webhook alerts for suspicious API requests
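The ban rules above, as an added example that is not the project's `models/banModel.js`: five suspicious requests inside a 60-second sliding window trigger a ban, bans escalate 10 min, 30 min, 60 min and then permanent, and localhost plus the ActiveDirectory callback and favicon are exempt. The store is a plain object shaped like something one would persist to `data/banUser.json`; timestamps are passed in explicitly so the escalation can be exercised without waiting. Function names and the exact exempt list are assumptions.

```javascript
// Added example (not the project's models/banModel.js) implementing the rules
// the section states. Timestamps are injected so the sliding window and the
// escalation ladder can be tested deterministically.
const THRESHOLD = 5;                 // suspicious requests ...
const WINDOW_MS = 60 * 1000;         // ... within this window trigger a ban
const BAN_LEVELS_MS = [10, 30, 60].map(min => min * 60 * 1000); // past the last level: permanent
const EXEMPT_IPS = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']); // assumption: how "localhost" is matched
const EXEMPT_PATHS = ['/auth/activedirectory', '/favicon.ico'];

function createBanStore() {
  // ip -> { hits: number[], level: number, bannedUntil: number|null, permanent: boolean }
  return {};
}

function isExempt(ip, reqPath) {
  return EXEMPT_IPS.has(ip) || EXEMPT_PATHS.some(p => reqPath.startsWith(p));
}

function isBanned(store, ip, now = Date.now()) {
  const entry = store[ip];
  if (!entry) return false;
  if (entry.permanent) return true;
  return entry.bannedUntil !== null && entry.bannedUntil > now;
}

// Record one suspicious request and return the resulting state for that IP.
function recordSuspicious(store, ip, reqPath, now = Date.now()) {
  if (isExempt(ip, reqPath)) return { banned: false, exempt: true };
  const entry = store[ip] || (store[ip] = { hits: [], level: 0, bannedUntil: null, permanent: false });
  if (isBanned(store, ip, now)) {
    return { banned: true, level: entry.level, bannedUntil: entry.bannedUntil, permanent: entry.permanent };
  }
  // Sliding window: keep only hits from the last WINDOW_MS, then add this one.
  entry.hits = entry.hits.filter(t => now - t < WINDOW_MS);
  entry.hits.push(now);
  if (entry.hits.length < THRESHOLD) {
    return { banned: false, level: entry.level, remaining: THRESHOLD - entry.hits.length };
  }
  // Threshold reached: escalate one level (the level survives ban expiry, which
  // is what makes the system progressive) and reset the window.
  entry.level += 1;
  entry.hits = [];
  if (entry.level > BAN_LEVELS_MS.length) {
    entry.permanent = true;
    entry.bannedUntil = null;
  } else {
    entry.bannedUntil = now + BAN_LEVELS_MS[entry.level - 1];
  }
  return { banned: true, level: entry.level, bannedUntil: entry.bannedUntil, permanent: entry.permanent };
}

// Express-style gate to mount ahead of the protected routes.
function banMiddleware(store) {
  return (req, res, next) => {
    if (isBanned(store, req.ip)) {
      return res.status(403).json({ error: 'forbidden', message: 'IP temporarily banned' });
    }
    return next();
  };
}
```

If this runs behind a reverse proxy, `req.ip` is only meaningful with Express's `trust proxy` set for that proxy; otherwise every client shares the proxy's address and one abusive user bans everyone.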
### WebSocket System (`models/websocketManager.js`)
Real-time communication for:
- File collaboration status (who's viewing/editing)
- Broadcasting file updates to all connected clients
- Connection management keyed by userId and fileId
- Sends `fileStatus` messages with active users array
Access via: `req.app.get('wsManager')` in routes
### File Management
**File Storage**: All uploaded files are stored in `/cdn-files/` directory
**File Metadata**: Tracked in `data/file_info.json` with:
- File path, name, size, upload date
- Expiry date for automatic cleanup
- Owner information and permissions
**File Cleanup Service** (`services/fileCleanupService.js`):
- Extends BaseService class
- Runs on cron schedule (default: hourly at `0 * * * *`)
- Removes expired files based on `expiryDate`
- Removes orphaned entries for missing files
- Updates `data/file_info.json` after cleanup
**Report Service** (`services/reportService.js`):
- Generates system reports in `/report/` directory
- Runs on configurable cron schedule
### Data Files
Located in `/data/` directory (protected from direct HTTP access):
- **user.json** - User accounts and roles
- **setup.json** - Application configuration (auth providers, logging, etc.)
- **file_info.json** - File metadata registry
- **banUser.json** - IP ban tracking
- **collaboration.json** - File collaboration settings
## Route Structure
### Public Routes
- `/` - Landing page
- `/auth/login` - Login page
- `/auth/logout` - Logout handler
- `/auth/activedirectory` - AD/LDAP authentication callback
- `/auth/discord` - Discord OAuth callback
- `/attachments` - File serving endpoint
- `/build-metadata` - Build information
### Dashboard Routes (`/dpanel/dashboard`)
- `/dpanel/dashboard` - Main dashboard (requires auth)
- `/dpanel/dashboard/folder` - Folder view
- `/dpanel/dashboard/profil` - User profile
- `/dpanel/upload` - File upload interface
### Admin Routes (`/dpanel/dashboard/admin`)
Require admin role:
- `/dpanel/dashboard/admin` - Admin panel
- `/dpanel/dashboard/admin/users` - User management
- `/dpanel/dashboard/admin/settingsetup` - System settings
- `/dpanel/dashboard/admin/stats-logs` - Statistics and logs
- `/dpanel/dashboard/admin/Privacy-Security` - Security settings
### API Routes (`/api/dpanel`)
All API routes use:
1. `discordWebhookSuspisiousAlertMiddleware` - Alerts on suspicious activity
2. `logApiRequest` - Logs API calls with timing
Key endpoints:
- POST `/api/dpanel/upload` - File upload
- POST `/api/dpanel/dashboard/newfolder` - Create folder
- PUT `/api/dpanel/dashboard/rename` - Rename file
- PUT `/api/dpanel/folders/rename` - Rename folder
- DELETE `/api/dpanel/dashboard/delete` - Delete file
- DELETE `/api/dpanel/dashboard/deletefolder` - Delete folder
- POST `/api/dpanel/dashboard/movefile` - Move file
- POST `/api/dpanel/collaboration` - Manage file collaboration
- GET `/api/dpanel/users/search` - Search users
- GET/POST `/api/dpanel/sharedfolders` - Shared folder operations
- POST `/api/dpanel/generate-token` - Generate API token
- POST `/api/dpanel/revoke-token` - Revoke API token
### API Documentation
Swagger UI available at: `/api/docs`
## Middleware Chain
Standard middleware chain for protected routes:
```
authMiddleware → discordWebhookSuspisiousAlertMiddleware → logApiRequest → route handler
```
## Frontend
- **View Engine**: EJS templates in `/views/`
- **Static Assets**: `/public/` directory
- **CSS**: Custom dashboard styles in `/public/css/dashboard.styles.css`
- **JavaScript**: Client-side logic in `/public/js/dashboard.js`
- **Styling**: TailwindCSS + DaisyUI components
## Key Dependencies
- **express** - Web framework
- **passport** - Authentication
- **socket.io** & **ws** - WebSocket support
- **winston** - Logging
- **node-cron** - Scheduled tasks
- **multer** & **express-fileupload** - File uploads
- **pg** & **mysql2** - Database support
- **bcrypt** - Password hashing
- **jsonwebtoken** - JWT tokens
## Important Notes
### Security Considerations
- All `/data/*.json` files are protected from direct HTTP access
- Session secrets are generated using `crypto.randomBytes(64)`
- Cookies are secure in production (`NODE_ENV=production`)
- Rate limiting via `express-rate-limit`
- Progressive ban system for suspicious activity
### File Paths
- Always use `path.join(__dirname, ...)` for file paths
- Normalize paths with `path.normalize()` and replace backslashes
- File paths in metadata use forward slashes
### Session Management
- User data is stored in both session and attached to `req.userData`
- Session maxAge: 24 hours
- Sessions persist across server restarts via session storage
### Error Handling
- Global error handlers catch uncaught exceptions and unhandled rejections
- Errors are logged via `ErrorLogger` from config/logs
- API errors return JSON with `{ error, message }` structure
- HTML requests receive rendered error pages
### WebSocket Events
- `join` - User joins file view (params: userId, fileId)
- `leave` - User leaves file view (params: fileId)
- `fileStatus` - Broadcast of active users on a file
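The `join` / `leave` / `fileStatus` exchange from the WebSocket System section and the event list above, as an added in-memory connection manager that is not the project's `models/websocketManager.js`. Sockets only need a `send(string)` method, so it works with `ws` or any transport. One check is added here as an assumption: the `userId` in a `join` message must match the identity bound to the socket when it was accepted (from the session), so a client cannot present itself as another user in the active-users list.

```javascript
// Added example (not the project's websocketManager.js). Connections are
// keyed by fileId then userId, as the page describes; the userId-match check
// in handleMessage is an assumption made here.
class WsManager {
  constructor() {
    this.byFile = new Map(); // fileId -> Map<userId, socket>
  }

  // Bind the authenticated identity to the socket at upgrade time and wire
  // the message/close handlers if the transport exposes an EventEmitter API.
  attach(socket, userId) {
    socket.userId = userId;
    socket.fileIds = new Set();
    if (typeof socket.on === 'function') {
      socket.on('message', raw => this.handleMessage(socket, String(raw)));
      socket.on('close', () => this.disconnect(socket));
    }
  }

  handleMessage(socket, raw) {
    let msg;
    try { msg = JSON.parse(raw); } catch (_) {
      return this.sendTo(socket, { type: 'error', message: 'invalid JSON' });
    }
    if (msg.type === 'join') {
      // Trust the identity bound to the socket, not the client-supplied field.
      if (msg.userId !== socket.userId) return this.sendTo(socket, { type: 'error', message: 'userId mismatch' });
      return this.join(socket, msg.fileId);
    }
    if (msg.type === 'leave') return this.leave(socket, msg.fileId);
    return this.sendTo(socket, { type: 'error', message: 'unknown message type' });
  }

  join(socket, fileId) {
    if (typeof fileId !== 'string' || !fileId) return;
    if (!this.byFile.has(fileId)) this.byFile.set(fileId, new Map());
    this.byFile.get(fileId).set(socket.userId, socket);
    socket.fileIds.add(fileId);
    this.broadcastStatus(fileId);
  }

  leave(socket, fileId) {
    const viewers = this.byFile.get(fileId);
    if (!viewers) return;
    viewers.delete(socket.userId);
    socket.fileIds.delete(fileId);
    if (viewers.size === 0) this.byFile.delete(fileId);
    this.broadcastStatus(fileId);
  }

  // Drop the socket from every file it joined, so a dropped connection never
  // leaves a phantom viewer in the status list.
  disconnect(socket) {
    for (const fileId of [...(socket.fileIds || [])]) this.leave(socket, fileId);
  }

  activeUsers(fileId) {
    const viewers = this.byFile.get(fileId);
    return viewers ? [...viewers.keys()] : [];
  }

  // fileStatus message with the active users array, sent to everyone on the file.
  broadcastStatus(fileId) {
    const payload = { type: 'fileStatus', fileId, users: this.activeUsers(fileId) };
    const viewers = this.byFile.get(fileId);
    if (!viewers) return;
    for (const socket of viewers.values()) this.sendTo(socket, payload);
  }

  sendTo(socket, obj) {
    socket.send(JSON.stringify(obj));
  }
}
```

Keying by `userId` means a second tab from the same user replaces the first socket rather than listing the user twice; if per-connection tracking is wanted, key the inner map by a connection id and derive the unique user list in `activeUsers`.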
## Testing & Debugging
- Winston logs are colorized in console for easier debugging
- Request logging includes IP, User-Agent, method, URL, and timing
- API requests log response status and duration
- Suspicious activity is highlighted with orange prefix
- Error logs include full stack traces