Update index.js

server/index.js

@@ -32,6 +32,7 @@ const CDN_BASE = `https://cdn.jsdelivr.net/gh/${GITHUB_REPO}`;
 let latestSHA = null;
 const ADMIN_TOKEN = process.env.ADMIN_TOKEN || 'supersecret';
 const TURNSTILE_SITE_KEY = process.env.TURNSTILE_SITE_KEY || '0x4AAAAAAC1ZXKIhZ9Kdz8j9';
+const MAX_TEXT_UPLOAD_BYTES = 100 * 1024;
 const LOCAL_UI_DIR = [
   process.env.UI_LOCAL_PATH,
   path.resolve(__dirname, '..', '..', 'InferencePort-Pages'),
@@ -45,7 +46,16 @@ const LOCAL_UI_DIR = [
 }) || null;
 
 // Rate limiter for admin endpoints (5 attempts per IP per minute)
-const verifyLimiter = rateLimit({ windowMs: 60*1000, max: 5, standardHeaders: true, legacyHeaders: false });
+const verifyLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 5,
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: (req, res) => {
+    logAdminEvent(req, 'rate_limited');
+    res.status(429).json({ error: 'rate_limited' });
+  },
+});
 
 const DATA_DIR = "/data";
 const VERSION_FILE = path.join(DATA_DIR, 'version.json');
@@ -58,6 +68,27 @@ function getRequestIp(req) {
     || 'unknown';
 }
 
+function truncateForLog(value, max = 180) {
+  const text = String(value ?? '').replace(/\s+/g, ' ').trim();
+  if (!text) return '';
+  return text.length > max ? `${text.slice(0, max - 1)}…` : text;
+}
+
+function extensionFromName(name = '') {
+  const ext = path.extname(String(name || '')).toLowerCase();
+  return ext.startsWith('.') ? ext.slice(1) : ext;
+}
+
+function isTextLikeUpload(name = '', mimeType = '', kind = '') {
+  const normalizedKind = String(kind || '').toLowerCase();
+  const mime = String(mimeType || '').toLowerCase();
+  const ext = extensionFromName(name);
+  if (normalizedKind === 'text' || normalizedKind === 'rich_text') return true;
+  if (mime.startsWith('text/')) return true;
+  if (['application/json', 'application/javascript', 'application/xml'].includes(mime)) return true;
+  return ['txt', 'md', 'json', 'js', 'ts', 'css', 'py', 'html', 'htm', 'xml', 'csv', 'rtf'].includes(ext);
+}
+
 function getCookieMap(req) {
   const cookies = (req.headers.cookie || '')
     .split(';')
@@ -78,12 +109,36 @@ function hasAdminTurnstile(req) {
 
 function requireAdminTurnstile(req, res, next) {
   if (hasAdminTurnstile(req)) return next();
+  logAdminEvent(req, 'blocked_missing_turnstile');
   return res.status(403).json({ error: 'turnstile:required' });
 }
 
-function logAdminEvent(req, action, detail = '') {
-  const suffix = detail ? ` ${detail}` : '';
-  console.log(`[ADMIN] ${action} from ${getRequestIp(req)}${suffix}`);
+function logAdminEvent(req, action, detail = null) {
+  const parts = [
+    `[ADMIN ${new Date().toISOString()}]`,
+    `action=${action}`,
+    `ip=${getRequestIp(req)}`,
+    `method=${req.method}`,
+    `path=${truncateForLog(req.originalUrl || req.url, 220)}`,
+  ];
+  const userAgent = truncateForLog(req.headers['user-agent'] || 'unknown', 140);
+  if (userAgent) parts.push(`ua="${userAgent}"`);
+  if (typeof detail === 'string' && detail.trim()) {
+    parts.push(detail.trim());
+  } else if (detail && typeof detail === 'object') {
+    Object.entries(detail).forEach(([key, value]) => {
+      if (value === undefined || value === null || value === '') return;
+      parts.push(`${key}=${JSON.stringify(String(value))}`);
+    });
+  }
+  console.log(parts.join(' | '));
+}
+
+function respondTextUploadTooLarge(res) {
+  return res.status(413).json({
+    error: 'media:text_too_large',
+    message: 'Text files must be 100 KB or smaller.',
+  });
 }
 
 async function verifyTurnstileToken(token, remoteIp) {
@@ -236,10 +291,14 @@ app.post('/api/media/upload', express.raw({ type: () => true, limit: '100mb' }),
     const parentId = req.headers['x-parent-id'] ? String(req.headers['x-parent-id']) : null;
     const sessionId = req.headers['x-session-id'] ? String(req.headers['x-session-id']) : null;
     const kindHeader = req.headers['x-file-kind'] ? String(req.headers['x-file-kind']) : null;
+    const buffer = Buffer.isBuffer(req.body) ? req.body : Buffer.from(req.body || []);
+    if (isTextLikeUpload(name, mimeType, kindHeader) && buffer.byteLength > MAX_TEXT_UPLOAD_BYTES) {
+      return respondTextUploadTooLarge(res);
+    }
     const item = await mediaStore.storeBuffer(resolved.owner, {
       name,
       mimeType,
-      buffer: Buffer.isBuffer(req.body) ? req.body : Buffer.from(req.body || []),
+      buffer,
       parentId,
       sessionId,
       source: 'user_upload',
@@ -277,11 +336,16 @@ app.post('/api/media/documents', async (req, res) => {
   const resolved = await requireRequestOwner(req, res);
   if (!resolved) return;
   try {
+    const richText = !!req.body?.richText;
+    const content = String(req.body?.content || '');
+    if (Buffer.byteLength(content, 'utf8') > MAX_TEXT_UPLOAD_BYTES) {
+      return respondTextUploadTooLarge(res);
+    }
     const item = await mediaStore.createDocument(resolved.owner, {
       name: req.body?.name,
       parentId: req.body?.parentId || null,
-      richText: !!req.body?.richText,
-      content: req.body?.content || '',
+      richText,
+      content,
       source: 'user_upload',
       sessionId: req.body?.sessionId || null,
     });
@@ -366,8 +430,12 @@ app.put('/api/media/:id/text', async (req, res) => {
   const resolved = await requireRequestOwner(req, res);
   if (!resolved) return;
   try {
+    const buffer = Buffer.from(String(req.body?.content || ''), 'utf8');
+    if (buffer.byteLength > MAX_TEXT_UPLOAD_BYTES) {
+      return respondTextUploadTooLarge(res);
+    }
     const item = await mediaStore.updateContent(resolved.owner, req.params.id, {
-      buffer: Buffer.from(String(req.body?.content || ''), 'utf8'),
+      buffer,
       mimeType: req.body?.mimeType || null,
       kind: req.body?.richText ? 'rich_text' : null,
       name: req.body?.name || null,
@@ -438,6 +506,7 @@ if (!latestSHA) {
 
 // --- Admin endpoints ---
 app.get('/admin.html', async (req, res) => {
+  logAdminEvent(req, 'page_view');
   if (serveLocalUiFile('/admin.html', res)) return;
   if (!latestSHA) return res.status(500).send('Server not ready');
 
@@ -457,6 +526,7 @@ app.get('/admin.html', async (req, res) => {
 });
 
 app.get('/admin/config', (req, res) => {
+  logAdminEvent(req, 'config_view', { verified: hasAdminTurnstile(req) });
   res.json({
     siteKey: TURNSTILE_SITE_KEY || null,
     verified: hasAdminTurnstile(req),
@@ -467,11 +537,18 @@ app.post('/admin/turnstile', async (req, res) => {
   try {
     const token = req.body?.token;
     const result = await verifyTurnstileToken(token, getRequestIp(req));
-    if (!result?.success) return res.status(403).json({ error: 'Verification failed' });
+    if (!result?.success) {
+      logAdminEvent(req, 'turnstile_failed', {
+        errorCodes: Array.isArray(result?.['error-codes']) ? result['error-codes'].join(',') : '',
+      });
+      return res.status(403).json({ error: 'Verification failed' });
+    }
     res.cookie('admin_turnstile', '1', { maxAge: 2 * 3600 * 1000, path: '/', sameSite: 'lax' });
+    logAdminEvent(req, 'turnstile_verified');
     return res.json({ success: true });
   } catch (err) {
     console.error('admin turnstile verify', err);
+    logAdminEvent(req, 'turnstile_error', { message: err.message || 'unknown' });
     return res.status(500).json({ error: err.message || 'Server error' });
   }
 });
@@ -479,32 +556,48 @@ app.post('/admin/turnstile', async (req, res) => {
 app.get('/admin/verify', requireAdminTurnstile, verifyLimiter, (req,res)=>{
   const token = req.query.token;
   const success = token===ADMIN_TOKEN;
-  if (success) logAdminEvent(req, 'login');
+  logAdminEvent(req, success ? 'login_success' : 'login_failed', {
+    turnstile: hasAdminTurnstile(req),
+    tokenProvided: !!token,
+  });
   res.json({success});
 });
 
 app.get('/admin/refresh', requireAdminTurnstile, verifyLimiter, async (req, res) => {
   const token = req.query.token;
-  if (token !== ADMIN_TOKEN) return res.status(403).send('Forbidden');
+  if (token !== ADMIN_TOKEN) {
+    logAdminEvent(req, 'refresh_denied', { reason: 'bad_token' });
+    return res.status(403).send('Forbidden');
+  }
 
   const sha = req.query.sha?.trim();
   if (sha) {
-    if (!/^[0-9a-f]{7,40}$/.test(sha)) return res.status(400).send('Invalid SHA');
+    if (!/^[0-9a-f]{7,40}$/.test(sha)) {
+      logAdminEvent(req, 'set_sha_invalid', { requestedSha: sha });
+      return res.status(400).send('Invalid SHA');
+    }
     latestSHA = sha;
     saveStoredSHA(latestSHA);
-    logAdminEvent(req, 'set_sha', `to ${latestSHA}`);
+    logAdminEvent(req, 'set_sha', { requestedSha: latestSHA });
     console.log(`[${PUBLIC_URL}] Manual SHA set by admin: ${latestSHA}`);
     return res.send(`Version set to commit ${latestSHA}`);
   }
 
   await fetchLatestSHA();
-  logAdminEvent(req, 'refresh_latest', `to ${latestSHA}`);
+  logAdminEvent(req, 'refresh_latest', { resolvedSha: latestSHA });
   res.send(`Latest version refreshed: ${latestSHA}`);
 });
 
 app.get('/admin/status', requireAdminTurnstile, verifyLimiter, async (req, res) => {
   const token = req.query.token;
-  if (token !== ADMIN_TOKEN) return res.status(403).json({ error: 'Forbidden' });
+  if (token !== ADMIN_TOKEN) {
+    logAdminEvent(req, 'status_denied', { reason: 'bad_token' });
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+  logAdminEvent(req, 'status_view', {
+    currentSha: latestSHA,
+    servingMode: LOCAL_UI_DIR ? 'local-ui' : 'cdn',
+  });
   res.json({
     publicUrl: PUBLIC_URL,
     currentSha: latestSHA,