Update server.js

server.js

@@ -7,6 +7,39 @@ require('dotenv').config();
 
 const app = express();
 
+// --- PRODUCTION MODE ---
+const PRODUCTION_MODE = process.env.PRODUCTION_MODE === 'true';
+
+function log(message, level = 'info') {
+    if (PRODUCTION_MODE && level === 'debug') return;
+    console.log(message);
+}
+
+function logSensitive(message) {
+    if (!PRODUCTION_MODE) console.log(message);
+}
+
+// Mask sensitive data
+function maskIP(ip) {
+    if (PRODUCTION_MODE) {
+        const parts = ip.split('.');
+        return parts.length === 4 ? `${parts[0]}.${parts[1]}.***.**` : 'masked';
+    }
+    return ip;
+}
+
+function maskOrigin(origin) {
+    if (PRODUCTION_MODE && origin && origin !== 'no-origin') {
+        try {
+            const url = new URL(origin);
+            return `${url.protocol}//${url.hostname.substring(0, 3)}***`;
+        } catch {
+            return 'masked';
+        }
+    }
+    return origin;
+}
+
 app.use(helmet({
     contentSecurityPolicy: false,
     crossOriginEmbedderPolicy: false
@@ -24,16 +57,14 @@ function authenticateRequest(req) {
     const origin = req.headers.origin;
     const apiKey = req.headers['x-api-key'];
     
-    // CASE 1: Browser request (has Origin)
     if (origin) {
         if (allowedOrigins.length === 0) return { valid: true, source: 'open-mode' };
         return { 
             valid: allowedOrigins.includes(origin), 
-            source: origin 
+            source: PRODUCTION_MODE ? 'authorized-origin' : origin 
         };
     }
     
-    // CASE 2: Backend request (no Origin) - MUST have API key
     if (apiKey) {
         if (API_KEYS.length === 0) return { valid: true, source: 'no-keys-configured' };
         return { 
@@ -42,11 +73,10 @@ function authenticateRequest(req) {
         };
     }
     
-    // CASE 3: No Origin, No API Key - BLOCKED
     return { valid: false, source: 'unauthorized' };
 }
 
-// --- CORS (For browsers) ---
+// --- CORS ---
 const allowedOrigins = process.env.ALLOWED_ORIGINS 
     ? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
     : [];
@@ -60,7 +90,7 @@ app.use(cors({
         if (allowedOrigins.includes(origin)) {
             callback(null, true);
         } else {
-            console.log(`[Security] Blocked origin: ${origin}`);
+            log(`[Security] Blocked origin: ${maskOrigin(origin)}`);
             callback(new Error('Not allowed by CORS'));
         }
     },
@@ -83,14 +113,14 @@ app.use((req, res, next) => {
     const auth = authenticateRequest(req);
     
     if (!auth.valid) {
-        console.log(`[Security] Blocked unauthorized request from ${req.ip} (${auth.source})`);
+        log(`[Security] Blocked unauthorized request from ${maskIP(req.ip)}`);
         return res.status(401).json({ 
             error: 'Unauthorized',
             message: 'Valid origin or API key required' 
         });
     }
     
-    console.log(`[Auth] Request authorized from: ${auth.source}`);
+    log(`[Auth] Request authorized from: ${auth.source}`);
     next();
 });
 
@@ -106,12 +136,14 @@ const limiter = rateLimit({
 });
 app.use(limiter);
 
-// --- REQUEST LOGGING ---
+// --- REQUEST LOGGING (SAFE) ---
 app.use((req, res, next) => {
-    const ip = (req.ip || 'unknown').replace(/:\d+[^:]*$/, '');
-    const origin = req.headers.origin || 'no-origin';
+    const ip = maskIP((req.ip || 'unknown').replace(/:\d+[^:]*$/, ''));
+    const origin = maskOrigin(req.headers.origin || 'no-origin');
     const apiKey = req.headers['x-api-key'] ? '***' : 'none';
-    console.log(`[${new Date().toISOString()}] ${ip} -> ${req.method} ${req.path} | Origin: ${origin} | Key: ${apiKey}`);
+    const path = PRODUCTION_MODE ? req.path.split('/').slice(0, 4).join('/') + '/***' : req.path;
+    
+    log(`[${new Date().toISOString()}] ${ip} -> ${req.method} ${path} | Origin: ${origin} | Key: ${apiKey}`);
     next();
 });
 
@@ -124,7 +156,7 @@ function checkDailyReset() {
     if (today !== lastResetDate) {
         dailyUsage.clear();
         lastResetDate = today;
-        console.log('[System] Daily usage counters reset');
+        log('[System] Daily usage counters reset');
     }
 }
 
@@ -147,7 +179,7 @@ app.use((req, res, next) => {
         dailyUsage.set(ip, count + 1);
         
         if (dailyUsage.size > 10000) {
-            console.warn('[System] Daily usage map too large, clearing oldest entries');
+            log('[System] Daily usage map too large, clearing oldest entries', 'debug');
             const entries = Array.from(dailyUsage.entries()).slice(0, 1000);
             entries.forEach(([key]) => dailyUsage.delete(key));
         }
@@ -172,7 +204,7 @@ app.use((req, res, next) => {
     const isBot = suspiciousBots.some(bot => userAgent.includes(bot));
     
     if (isBot) {
-        console.log(`[Security] Blocked bot: ${userAgent.substring(0, 50)} from ${req.ip}`);
+        log(`[Security] Blocked bot from ${maskIP(req.ip)}`);
         return res.status(403).json({
             error: 'Automated access detected',
             message: 'This service is for web browsers only.'
@@ -185,12 +217,12 @@ app.use((req, res, next) => {
 let INSTANCES = [];
 try {
     INSTANCES = JSON.parse(process.env.FLOWISE_INSTANCES || '[]');
-    console.log(`[System] Loaded ${INSTANCES.length} instances`);
+    log(`[System] Loaded ${INSTANCES.length} instances`);
     if (!Array.isArray(INSTANCES) || INSTANCES.length === 0) {
-        console.error('ERROR: FLOWISE_INSTANCES must be a non-empty array');
+        log('ERROR: FLOWISE_INSTANCES must be a non-empty array');
     }
 } catch (e) {
-    console.error("CRITICAL ERROR: Could not parse FLOWISE_INSTANCES JSON", e);
+    log("CRITICAL ERROR: Could not parse FLOWISE_INSTANCES JSON");
 }
 
 // --- CACHE WITH AUTO-CLEANUP ---
@@ -229,7 +261,7 @@ async function resolveChatflowId(instanceNum, botName) {
     }
     
     const instance = INSTANCES[instanceNum - 1];
-    console.log(`[System] Looking up '${botName}' in instance ${instanceNum}...`);
+    logSensitive(`[System] Looking up '${botName}' in instance ${instanceNum}...`);
     
     const headers = {};
     if (instance.key && instance.key.length > 0) {
@@ -260,35 +292,34 @@ async function resolveChatflowId(instanceNum, botName) {
         timestamp: Date.now()
     });
     
-    console.log(`[System] Found '${botName}' -> ${match.id}`);
+    logSensitive(`[System] Found '${botName}' -> ${match.id}`);
     
     return { id: match.id, instance };
 }
 
-// --- IMPROVED STREAMING HANDLER WITH TIMEOUT ---
+// --- STREAMING HANDLER ---
 async function handleStreamingResponse(flowiseResponse, clientRes) {
     clientRes.setHeader('Content-Type', 'text/event-stream');
     clientRes.setHeader('Cache-Control', 'no-cache');
     clientRes.setHeader('Connection', 'keep-alive');
     clientRes.setHeader('X-Accel-Buffering', 'no');
     
-    console.log('[Streaming] Forwarding SSE stream...');
+    log('[Streaming] Forwarding SSE stream...');
     
     let streamStarted = false;
     let dataReceived = false;
     let lastDataTime = Date.now();
     let totalBytes = 0;
     
-    // Check for stream timeout every 5 seconds
     const timeoutCheck = setInterval(() => {
         const timeSinceData = Date.now() - lastDataTime;
         
-        if (timeSinceData > 45000) {  // 45 seconds without data
-            console.error(`[Streaming] Timeout - no data for ${(timeSinceData/1000).toFixed(1)}s`);
+        if (timeSinceData > 45000) {
+            log(`[Streaming] Timeout - no data for ${(timeSinceData/1000).toFixed(1)}s`);
             clearInterval(timeoutCheck);
             
             if (!dataReceived) {
-                console.error('[Streaming] Stream completed with NO data received!');
+                log('[Streaming] Stream completed with NO data received!');
                 if (!streamStarted) {
                     clientRes.status(504).json({ 
                         error: 'Gateway timeout',
@@ -309,7 +340,7 @@ async function handleStreamingResponse(flowiseResponse, clientRes) {
         lastDataTime = Date.now();
         totalBytes += chunk.length;
         
-        console.log(`[Streaming] Received chunk: ${chunk.length} bytes (total: ${totalBytes})`);
+        logSensitive(`[Streaming] Received chunk: ${chunk.length} bytes (total: ${totalBytes})`);
         clientRes.write(chunk);
     });
     
@@ -317,9 +348,9 @@ async function handleStreamingResponse(flowiseResponse, clientRes) {
         clearInterval(timeoutCheck);
         
         if (dataReceived) {
-            console.log(`[Streaming] Stream completed successfully - ${totalBytes} bytes total`);
+            log(`[Streaming] Stream completed - ${totalBytes} bytes`);
         } else {
-            console.warn('[Streaming] Stream completed but NO data was received!');
+            log('[Streaming] Stream completed but NO data received!');
         }
         
         clientRes.end();
@@ -327,7 +358,7 @@ async function handleStreamingResponse(flowiseResponse, clientRes) {
     
     flowiseResponse.body.on('error', (err) => {
         clearInterval(timeoutCheck);
-        console.error('[Streaming Error]', err.message);
+        log('[Streaming Error]');
         
         if (streamStarted && dataReceived) {
             clientRes.write(`\n\nevent: error\ndata: {"error": "Stream interrupted"}\n\n`);
@@ -338,7 +369,7 @@ async function handleStreamingResponse(flowiseResponse, clientRes) {
     });
 }
 
-// --- ROUTE 1: PREDICTION (WITH IMPROVED TIMEOUT) ---
+// --- PREDICTION ROUTE ---
 app.post('/api/v1/prediction/:instanceNum/:botName', async (req, res) => {
     try {
         const instanceNum = parseInt(req.params.instanceNum);
@@ -365,9 +396,8 @@ app.post('/api/v1/prediction/:instanceNum/:botName', async (req, res) => {
             headers['Authorization'] = `Bearer ${instance.key}`;
         }
         
-        // TIMING: Track how long Flowise takes
         const startTime = Date.now();
-        console.log(`[Timing] Calling Flowise at ${new Date().toISOString()}`);
+        logSensitive(`[Timing] Calling Flowise at ${new Date().toISOString()}`);
         
         const response = await fetchWithTimeout(
             `${instance.url}/api/v1/prediction/${id}`,
@@ -376,15 +406,15 @@ app.post('/api/v1/prediction/:instanceNum/:botName', async (req, res) => {
                 headers,
                 body: JSON.stringify(req.body)
             },
-            60000  // ← INCREASED TO 60 SECONDS
+            60000
         );
         
         const duration = Date.now() - startTime;
-        console.log(`[Timing] Flowise responded in ${duration}ms (${(duration/1000).toFixed(1)}s)`);
+        log(`[Timing] Response received in ${(duration/1000).toFixed(1)}s`);
         
         if (!response.ok) {
             const errorText = await response.text();
-            console.error(`[Error] Instance returned ${response.status}: ${errorText.substring(0, 200)}`);
+            logSensitive(`[Error] Instance returned ${response.status}: ${errorText.substring(0, 100)}`);
             return res.status(response.status).json({
                 error: 'Flowise instance error',
                 message: 'The chatbot instance returned an error.'
@@ -394,23 +424,23 @@ app.post('/api/v1/prediction/:instanceNum/:botName', async (req, res) => {
         const contentType = response.headers.get('content-type') || '';
         
         if (contentType.includes('text/event-stream')) {
-            console.log('[Streaming] Detected SSE response');
+            log('[Streaming] Detected SSE response');
             return handleStreamingResponse(response, res);
         }
         
-        console.log('[Non-streaming] Parsing JSON response');
+        log('[Non-streaming] Parsing JSON response');
         const text = await response.text();
         
         try {
             const data = JSON.parse(text);
             res.status(200).json(data);
         } catch (e) {
-            console.error('[Error] Invalid JSON:', text.substring(0, 200));
+            log('[Error] Invalid JSON response');
             res.status(500).json({ error: 'Invalid response from Flowise' });
         }
         
     } catch (error) {
-        console.error('[Error]', error.message);
+        log(`[Error] ${error.message}`);
         res.status(500).json({
             error: 'Request failed',
             message: error.message
@@ -418,7 +448,7 @@ app.post('/api/v1/prediction/:instanceNum/:botName', async (req, res) => {
     }
 });
 
-// --- ROUTE 2: CHATBOT CONFIG ---
+// --- CONFIG ROUTE ---
 app.get('/api/v1/public-chatbotConfig/:instanceNum/:botName', async (req, res) => {
     try {
         const instanceNum = parseInt(req.params.instanceNum);
@@ -445,12 +475,12 @@ app.get('/api/v1/public-chatbotConfig/:instanceNum/:botName', async (req, res) =
         res.status(200).json(data);
         
     } catch (error) {
-        console.error('[Error Config]', error.message);
+        log('[Error] Config request failed');
         res.status(404).json({ error: error.message });
     }
 });
 
-// --- ROUTE 3: STREAMING CHECK ---
+// --- STREAMING CHECK ROUTE ---
 app.get('/api/v1/chatflows-streaming/:instanceNum/:botName', async (req, res) => {
     try {
         const instanceNum = parseInt(req.params.instanceNum);
@@ -477,46 +507,30 @@ app.get('/api/v1/chatflows-streaming/:instanceNum/:botName', async (req, res) =>
         res.status(200).json(data);
         
     } catch (error) {
-        console.error('[Error Streaming]', error.message);
+        log('[Error] Streaming check failed', 'debug');
         res.status(200).json({ isStreaming: false });
     }
 });
 
-// --- TEST ENDPOINT: Stream Test ---
-app.get('/test-stream', (req, res) => {
-    res.setHeader('Content-Type', 'text/event-stream');
-    res.setHeader('Cache-Control', 'no-cache');
-    res.setHeader('Connection', 'keep-alive');
-    
-    let count = 0;
-    const interval = setInterval(() => {
-        count++;
-        res.write(`data: {"message": "Test chunk ${count}", "timestamp": "${new Date().toISOString()}"}\n\n`);
-        
-        if (count >= 5) {
-            clearInterval(interval);
-            res.write('data: {"message": "Test complete"}\n\n');
-            res.end();
-        }
-    }, 500);
-});
-
-// --- TEST ENDPOINT: Delay Test ---
-app.post('/test-delay', async (req, res) => {
-    const start = Date.now();
-    const delaySeconds = req.body.delay || 35;
-    
-    console.log(`[Test] Starting ${delaySeconds}s delay test...`);
-    await new Promise(resolve => setTimeout(resolve, delaySeconds * 1000));
-    
-    const duration = Date.now() - start;
-    res.json({
-        message: 'Test completed',
-        duration_ms: duration,
-        duration_sec: (duration/1000).toFixed(1),
-        requested_delay: delaySeconds
+// --- TEST ENDPOINTS (DISABLED IN PRODUCTION) ---
+if (!PRODUCTION_MODE) {
+    app.get('/test-stream', (req, res) => {
+        res.setHeader('Content-Type', 'text/event-stream');
+        res.setHeader('Cache-Control', 'no-cache');
+        res.setHeader('Connection', 'keep-alive');
+        
+        let count = 0;
+        const interval = setInterval(() => {
+            count++;
+            res.write(`data: {"message": "Test ${count}"}\n\n`);
+            
+            if (count >= 5) {
+                clearInterval(interval);
+                res.end();
+            }
+        }, 500);
     });
-});
+}
 
 // --- HEALTH CHECK ---
 app.get('/', (req, res) => res.send('Federated Proxy Active'));
@@ -528,7 +542,7 @@ app.get('/health', (req, res) => {
         cached_bots: flowCache.size,
         daily_active_ips: dailyUsage.size,
         uptime: process.uptime(),
-        memory: process.memoryUsage()
+        production_mode: PRODUCTION_MODE
     });
 });
 
@@ -539,32 +553,33 @@ app.use((req, res) => {
 
 // --- GLOBAL ERROR HANDLER ---
 app.use((err, req, res, next) => {
-    console.error('[Error] Unhandled error:', err);
+    log('[Error] Unhandled error');
     res.status(500).json({ error: 'Internal server error' });
 });
 
-// --- GRACEFUL SHUTDOWN ---
+// --- SERVER START ---
 const server = app.listen(7860, '0.0.0.0', () => {
-    console.log('===== Federated Proxy Started =====');
-    console.log('Port: 7860');
-    console.log(`Instances: ${INSTANCES.length}`);
-    console.log(`Allowed Origins: ${allowedOrigins.length || 'Open mode'}`);
-    console.log(`API Keys: ${API_KEYS.length || 'None'}`);
-    console.log('====================================');
+    log('===== Federated Proxy Started =====');
+    log(`Port: 7860`);
+    log(`Mode: ${PRODUCTION_MODE ? 'PRODUCTION' : 'DEVELOPMENT'}`);
+    log(`Instances: ${INSTANCES.length}`);
+    log(`Allowed Origins: ${allowedOrigins.length || 'Open'}`);
+    log(`API Keys: ${API_KEYS.length || 'None'}`);
+    log('====================================');
 });
 
 process.on('SIGTERM', () => {
-    console.log('[System] SIGTERM received, shutting down gracefully...');
+    log('[System] Shutting down gracefully...');
     server.close(() => {
-        console.log('[System] Server closed');
+        log('[System] Server closed');
         process.exit(0);
     });
 });
 
 process.on('SIGINT', () => {
-    console.log('[System] SIGINT received, shutting down gracefully...');
+    log('[System] Shutting down gracefully...');
     server.close(() => {
-        console.log('[System] Server closed');
+        log('[System] Server closed');
         process.exit(0);
     });
 });