Spaces:

avneesh123
/

autodev-mark2-engine

Sleeping

App Files Files Community

avneesh123 commited on Apr 6

Commit

773a2ba

verified ·

1 Parent(s): 483e048

Update server.js

Browse files

Files changed (1) hide show

server.js +45 -34

server.js CHANGED Viewed

@@ -25,7 +25,6 @@ const ALLOWED_ORIGINS = [
 // ================= SECURE IFRAME LOCK =================
 app.use((req, res, next) => {
   res.removeHeader("X-Frame-Options");
-  // Hugging Face compatibility ke liye ancestors ko allow kar rahe hain
   res.setHeader(
     "Content-Security-Policy",
     "frame-ancestors 'self' https://*.hf.space http://localhost:* http://127.0.0.1:*"
@@ -38,7 +37,7 @@ let viteProcess = null;
 let isBooting = false;
 let buildRetryCount = 0;
 const MAX_RETRIES = 3;
-const bgProcesses = new Map();
 // ================= PERSISTENT LOCK FILES =================
 const FOUNDATION_LOCK = path.join(process.cwd(), ".foundation_lock");
@@ -46,9 +45,9 @@ const DEPS_LOCK       = path.join(process.cwd(), ".deps_lock");
 /* ================= BINARY FILE EXTENSIONS ================= */
 const BINARY_EXTS = [
-  ".png", ".jpg", ".jpeg", ".gif", ".webp", ".ico", ".svg",
-  ".pdf", ".zip", ".tar", ".gz",
-  ".ttf", ".woff", ".woff2", ".otf", ".eot",
   ".mp3", ".mp4", ".wav"
 ];
@@ -73,7 +72,7 @@ setInterval(async () => {
   if (idleMs > IDLE_TIMEOUT && viteProcess) {
     pushLog(`[IDLE] No activity for ${Math.round(idleMs / 60000)} min — stopping Vite to save resources`, "warning");
     await killVite();
-    bgProcesses.forEach((proc, id) => killBgProcess(id));
   }
 }, 60 * 1000);
@@ -155,12 +154,23 @@ app.get("/api/logs", (req, res) => {
   res.setHeader("Content-Type", "text/event-stream");
   res.setHeader("Cache-Control", "no-cache");
   res.setHeader("Connection", "keep-alive");
   const last = parseInt(req.query.last) || 50;
-  logs.slice(-last).forEach(l => {
-    res.write(`data: ${JSON.stringify(l)}\n\n`);
-  });
   clients.add(res);
-  req.on("close", () => clients.delete(res));
 });
 /* ================= MULTI-SERVER MANAGER ================= */
@@ -177,7 +187,6 @@ function startBgProcess(id, command, port = null) {
   });
   proc.stdout.on("data", d => pushLog(`[${id.toUpperCase()}] ${d.toString().trim()}`, "info"));
   proc.stderr.on("data", d => pushLog(`[${id.toUpperCase()} ERROR] ${d.toString().trim()}`, "error"));
   proc.on("close", code => {
     pushLog(`[SERVER] Process ${id} stopped (code: ${code})`, "system");
     bgProcesses.delete(id);
@@ -199,7 +208,6 @@ app.post("/api/process/start", (req, res) => {
   if (!verifyToken(req, res)) return;
   const { id, command, port } = req.body;
   if (!id || !command) return res.status(400).json({ error: "ID and command required" });
   const success = startBgProcess(id, command, port);
   res.json({ success, message: success ? "Process started" : "Process already running" });
 });
@@ -319,17 +327,24 @@ app.post("/api/update", async (req, res) => {
       for (const [p, contentObj] of Object.entries(files)) {
         const safePath = path.normalize(p).replace(/^(\.\.[\/\\])+/, "");
         const fp = path.join(PROJECT_DIR, safePath);
-        if (!fp.startsWith(PROJECT_DIR)) continue;
         await fs.ensureDir(path.dirname(fp));
-        const fileContent = typeof contentObj === 'string' ? contentObj : contentObj.content;
-        const isBase64 = contentObj.isBase64 || isBinaryFile(safePath);
-        if (isBase64) {
           await fs.writeFile(fp, Buffer.from(fileContent, "base64"));
         } else {
           await fs.writeFile(fp, fileContent, "utf-8");
         }
         updatedFiles.push(safePath);
       }
       if (!foundationAlreadyWritten) {
@@ -354,13 +369,12 @@ app.post("/api/read", async (req, res) => {
   try {
     const safePath = path.normalize(filePath).replace(/^(\.\.[\/\\])+/, "");
     const fp = path.join(PROJECT_DIR, safePath);
     if (!fp.startsWith(PROJECT_DIR)) return res.status(403).json({ error: "Path traversal blocked" });
     if (!fs.existsSync(fp)) return res.status(404).json({ error: "File not found" });
     const isBinary = isBinaryFile(safePath);
-    const content = isBinary
-       ? await fs.readFile(fp, "base64")
-       : await fs.readFile(fp, "utf-8");
     res.json({ success: true, content, path: safePath, isBase64: isBinary });
   } catch (e) {
     res.status(500).json({ error: e.message });
@@ -416,7 +430,6 @@ app.post("/api/execute", (req, res) => {
   updateActivity(req);
   const { command, timeout = 30000 } = req.body;
   const isBlocked = BLOCKED_COMMANDS.some(cmd => command.includes(cmd));
   if (isBlocked) {
     pushLog(`[SECURITY] Blocked dangerous command: ${command}`, "error");
     return res.status(403).json({ error: "COMMAND_BLOCKED" });
@@ -462,9 +475,9 @@ app.post("/api/vite/stop", async (req, res) => {
 app.post("/api/reset", async (req, res) => {
   if (!verifyToken(req, res)) return;
   try {
-    pushLog("[SYSTEM] 🔄 Resetting project...", "warning");
     await killVite();
-    bgProcesses.forEach((proc, id) => killBgProcess(id));
     await fs.remove(PROJECT_DIR);
     fs.mkdirSync(PROJECT_DIR, { recursive: true });
     if (fs.existsSync(FOUNDATION_LOCK)) fs.removeSync(FOUNDATION_LOCK);
@@ -488,13 +501,10 @@ const PREVIEW_SECRET = "AUTODEV_PREVIEW_777";
 const ACCESS_DENIED_PAGE = `<!DOCTYPE html><html><head><title>Access Denied</title><style>body{background:#09090b;color:#fff;font-family:monospace;display:flex;align-items:center;justify-content:center;height:100vh;flex-direction:column;gap:16px;}.title{color:#ef4444;font-size:1.4rem;font-weight:bold;}</style></head><body><div class="title">ACCESS DENIED</div><div>This preview is protected</div></body></html>`;
 const BOOTING_PAGE = `<!DOCTYPE html><html><head><title>Booting...</title><style>body{background:#09090b;color:#facc15;font-family:monospace;display:flex;align-items:center;justify-content:center;height:100vh;}</style><script>setTimeout(()=>location.reload(), 2000)</script></head><body>⚡ AutoDev is booting up...</body></html>`;
-// Proxy Response Header Modification to break Iframe Locks
-proxy.on("proxyRes", (proxyRes, req, res) => {
-  delete proxyRes.headers["x-frame-options"];
-  delete proxyRes.headers["content-security-policy"];
-  res.setHeader("Content-Security-Policy", "frame-ancestors *");
-  res.setHeader("X-Frame-Options", "ALLOWALL");
-});
 proxy.on("error", (err, req, res) => {
   if (res && typeof res.writeHead === "function") {
@@ -514,6 +524,7 @@ app.use((req, res, next) => {
     const previewHeader = req.headers["x-autodev-preview"];
     const previewParam  = req.query["__autodev"];
     if (previewHeader !== PREVIEW_SECRET && previewParam !== PREVIEW_SECRET) {
       return res.status(403).send(ACCESS_DENIED_PAGE);
     }
   }
@@ -532,13 +543,13 @@ server.on("upgrade", (req, socket, head) => proxy.ws(req, socket, head));
 process.on("SIGTERM", async () => {
   pushLog("[SYSTEM] Shutting down...", "system");
   await killVite();
-  bgProcesses.forEach((proc, id) => killBgProcess(id));
   process.exit(0);
 });
 process.on("SIGINT", async () => {
   await killVite();
-  bgProcesses.forEach((proc, id) => killBgProcess(id));
   process.exit(0);
 });

 // ================= SECURE IFRAME LOCK =================
 app.use((req, res, next) => {
   res.removeHeader("X-Frame-Options");
   res.setHeader(
     "Content-Security-Policy",
     "frame-ancestors 'self' https://*.hf.space http://localhost:* http://127.0.0.1:*"
 let isBooting = false;
 let buildRetryCount = 0;
 const MAX_RETRIES = 3;
+const bgProcesses = new Map();
 // ================= PERSISTENT LOCK FILES =================
 const FOUNDATION_LOCK = path.join(process.cwd(), ".foundation_lock");
 /* ================= BINARY FILE EXTENSIONS ================= */
 const BINARY_EXTS = [
+  ".png", ".jpg", ".jpeg", ".gif", ".webp", ".ico", ".svg",
+  ".pdf", ".zip", ".tar", ".gz",
+  ".ttf", ".woff", ".woff2", ".otf", ".eot",
   ".mp3", ".mp4", ".wav"
 ];
   if (idleMs > IDLE_TIMEOUT && viteProcess) {
     pushLog(`[IDLE] No activity for ${Math.round(idleMs / 60000)} min — stopping Vite to save resources`, "warning");
     await killVite();
+    bgProcesses.forEach((_, id) => killBgProcess(id));
   }
 }, 60 * 1000);
   res.setHeader("Content-Type", "text/event-stream");
   res.setHeader("Cache-Control", "no-cache");
   res.setHeader("Connection", "keep-alive");
+  // BUG FIX #1: X-Accel-Buffering missing tha — HF/nginx ke peeche SSE buffer
+  // ho jaata tha, logs real-time nahi aate the client tak
+  res.setHeader("X-Accel-Buffering", "no");
   const last = parseInt(req.query.last) || 50;
+  logs.slice(-last).forEach(l => res.write(`data: ${JSON.stringify(l)}\n\n`));
+  // Heartbeat — 30s mein connection alive rakhne ke liye
+  const heartbeat = setInterval(() => {
+    try { res.write(`: heartbeat\n\n`); } catch { clearInterval(heartbeat); }
+  }, 30000);
   clients.add(res);
+  req.on("close", () => {
+    clients.delete(res);
+    clearInterval(heartbeat);
+  });
 });
 /* ================= MULTI-SERVER MANAGER ================= */
   });
   proc.stdout.on("data", d => pushLog(`[${id.toUpperCase()}] ${d.toString().trim()}`, "info"));
   proc.stderr.on("data", d => pushLog(`[${id.toUpperCase()} ERROR] ${d.toString().trim()}`, "error"));
   proc.on("close", code => {
     pushLog(`[SERVER] Process ${id} stopped (code: ${code})`, "system");
     bgProcesses.delete(id);
   if (!verifyToken(req, res)) return;
   const { id, command, port } = req.body;
   if (!id || !command) return res.status(400).json({ error: "ID and command required" });
   const success = startBgProcess(id, command, port);
   res.json({ success, message: success ? "Process started" : "Process already running" });
 });
       for (const [p, contentObj] of Object.entries(files)) {
         const safePath = path.normalize(p).replace(/^(\.\.[\/\\])+/, "");
         const fp = path.join(PROJECT_DIR, safePath);
+        if (!fp.startsWith(PROJECT_DIR)) {
+          pushLog(`[SECURITY] Blocked path traversal: ${p}`, "error");
+          continue;
+        }
         await fs.ensureDir(path.dirname(fp));
+        // BUG FIX #2: contentObj null/undefined hone par crash hota tha
+        // typeof check se pehle null guard lagao
+        const fileContent = contentObj == null
+          ? ""
+          : typeof contentObj === "string"
+            ? contentObj
+            : contentObj.content ?? "";
+        const isBase64 = contentObj?.isBase64 || isBinaryFile(safePath);
+        if (isBase64 && fileContent) {
           await fs.writeFile(fp, Buffer.from(fileContent, "base64"));
         } else {
           await fs.writeFile(fp, fileContent, "utf-8");
         }
         updatedFiles.push(safePath);
       }
       if (!foundationAlreadyWritten) {
   try {
     const safePath = path.normalize(filePath).replace(/^(\.\.[\/\\])+/, "");
     const fp = path.join(PROJECT_DIR, safePath);
     if (!fp.startsWith(PROJECT_DIR)) return res.status(403).json({ error: "Path traversal blocked" });
     if (!fs.existsSync(fp)) return res.status(404).json({ error: "File not found" });
     const isBinary = isBinaryFile(safePath);
+    const content = isBinary
+      ? await fs.readFile(fp, "base64")
+      : await fs.readFile(fp, "utf-8");
     res.json({ success: true, content, path: safePath, isBase64: isBinary });
   } catch (e) {
     res.status(500).json({ error: e.message });
   updateActivity(req);
   const { command, timeout = 30000 } = req.body;
   const isBlocked = BLOCKED_COMMANDS.some(cmd => command.includes(cmd));
   if (isBlocked) {
     pushLog(`[SECURITY] Blocked dangerous command: ${command}`, "error");
     return res.status(403).json({ error: "COMMAND_BLOCKED" });
 app.post("/api/reset", async (req, res) => {
   if (!verifyToken(req, res)) return;
   try {
+    pushLog("[SYSTEM] Resetting project...", "warning");
     await killVite();
+    bgProcesses.forEach((_, id) => killBgProcess(id));
     await fs.remove(PROJECT_DIR);
     fs.mkdirSync(PROJECT_DIR, { recursive: true });
     if (fs.existsSync(FOUNDATION_LOCK)) fs.removeSync(FOUNDATION_LOCK);
 const ACCESS_DENIED_PAGE = `<!DOCTYPE html><html><head><title>Access Denied</title><style>body{background:#09090b;color:#fff;font-family:monospace;display:flex;align-items:center;justify-content:center;height:100vh;flex-direction:column;gap:16px;}.title{color:#ef4444;font-size:1.4rem;font-weight:bold;}</style></head><body><div class="title">ACCESS DENIED</div><div>This preview is protected</div></body></html>`;
 const BOOTING_PAGE = `<!DOCTYPE html><html><head><title>Booting...</title><style>body{background:#09090b;color:#facc15;font-family:monospace;display:flex;align-items:center;justify-content:center;height:100vh;}</style><script>setTimeout(()=>location.reload(), 2000)</script></head><body>⚡ AutoDev is booting up...</body></html>`;
+// BUG FIX #3: proxyRes handler WRONG tha — http-proxy already headers forward
+// kar chuka hota hai jab proxyRes fire hota hai, toh wahan set karna useless tha.
+// Sahi fix: upar wala app.use iframe middleware engine responses cover karta hai.
+// proxyRes handler hata diya.
 proxy.on("error", (err, req, res) => {
   if (res && typeof res.writeHead === "function") {
     const previewHeader = req.headers["x-autodev-preview"];
     const previewParam  = req.query["__autodev"];
     if (previewHeader !== PREVIEW_SECRET && previewParam !== PREVIEW_SECRET) {
+      pushLog(`[SECURITY] Preview blocked — direct access attempt`, "warning");
       return res.status(403).send(ACCESS_DENIED_PAGE);
     }
   }
 process.on("SIGTERM", async () => {
   pushLog("[SYSTEM] Shutting down...", "system");
   await killVite();
+  bgProcesses.forEach((_, id) => killBgProcess(id));
   process.exit(0);
 });
 process.on("SIGINT", async () => {
   await killVite();
+  bgProcesses.forEach((_, id) => killBgProcess(id));
   process.exit(0);
 });