Update server.js

server.js

@@ -2,402 +2,194 @@ const express = require('express');
 const fetch = require('node-fetch');
 const cors = require('cors');
 const rateLimit = require('express-rate-limit');
-const helmet = require('helmet');
 require('dotenv').config();
 
 const app = express();
 
-// --- 1. SECURITY HEADERS (Helmet) ---
-app.use(helmet({
-    contentSecurityPolicy: false, // Allow embed from any site
-    crossOriginEmbedderPolicy: false
-}));
-
-// --- 2. SECURITY: TRUST PROXY ---
 app.set('trust proxy', 1);
+app.use(express.json({ limit: '1mb' }));
 
-// --- 3. BODY SIZE LIMITS ---
-app.use(express.json({ limit: '1mb' })); // Prevent large payloads
-
-// --- 4. SECURITY: RATE LIMITING (Fixed IP extraction) ---
-const limiter = rateLimit({
-    windowMs: 15 * 60 * 1000,
-    max: 100,
-    standardHeaders: true,
-    legacyHeaders: false,
-    message: { error: "Too many requests, please try again later." },
-    keyGenerator: (req) => {
-        // Strip port from IP to prevent bypass
-        const ip = req.ip || req.connection.remoteAddress || 'unknown';
-        return ip.replace(/:\d+[^:]*$/, '');
-    }
-});
-app.use(limiter);
-
-// --- 5. SECURITY: STRICT CORS (Fixed) ---
 const allowedOrigins = process.env.ALLOWED_ORIGINS 
     ? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
     : [];
 
 app.use(cors({
     origin: function (origin, callback) {
-        // Allow requests with no origin (mobile apps, Postman, etc.)
-        if (!origin) {
-            return allowedOrigins.length === 0 ? callback(null, true) : callback(new Error('Not allowed by CORS'));
-        }
-        
-        // In open mode, allow all
-        if (allowedOrigins.length === 0) {
-            return callback(null, true);
-        }
-        
-        // EXACT match only (prevent bypass)
+        if (!origin || allowedOrigins.length === 0) return callback(null, true);
         if (allowedOrigins.includes(origin)) {
             callback(null, true);
         } else {
-            console.log(`[Security] Blocked origin: ${origin}`);
             callback(new Error('Not allowed by CORS'));
         }
-    },
-    credentials: true
+    }
 }));
 
-// JSON error handler for CORS failures
 app.use((err, req, res, next) => {
     if (err.message === 'Not allowed by CORS') {
-        return res.status(403).json({
-            error: 'Access denied',
-            message: 'This chatbot can only be used on authorized websites.'
-        });
+        return res.status(403).json({ error: 'Access denied' });
     }
     next(err);
 });
 
-// --- 6. REQUEST LOGGING (With sanitization) ---
-app.use((req, res, next) => {
-    const ip = (req.ip || req.connection.remoteAddress || 'unknown').replace(/:\d+[^:]*$/, '');
-    const origin = (req.headers.origin || 'unknown').substring(0, 100); // Prevent log injection
-    console.log(`[${new Date().toISOString()}] ${ip} -> ${req.method} ${req.path} from ${origin}`);
-    next();
-});
-
-// --- 7. DAILY USAGE CAPS (Fixed memory leak) ---
-const dailyUsage = new Map();
-let lastResetDate = new Date().toDateString();
-
-// Check and reset daily if date changed (handles timezone issues)
-function checkDailyReset() {
-    const today = new Date().toDateString();
-    if (today !== lastResetDate) {
-        dailyUsage.clear();
-        lastResetDate = today;
-        console.log('[System] Daily usage counters reset');
-    }
-}
-
-// Check every hour instead of 24-hour timer
-setInterval(checkDailyReset, 60 * 60 * 1000);
-
-app.use((req, res, next) => {
-    if (req.method === 'POST' && (req.path.includes('/prediction/') || req.path.includes('/vector/upsert/'))) {
-        checkDailyReset(); // Check on every request too
-        
-        const ip = (req.ip || 'unknown').replace(/:\d+[^:]*$/, '');
-        const count = dailyUsage.get(ip) || 0;
-        
-        if (count >= 200) {
-            return res.status(429).json({
-                error: 'Daily limit reached',
-                message: 'You have reached your daily usage limit. Try again tomorrow.'
-            });
-        }
-        
-        dailyUsage.set(ip, count + 1);
-    }
-    next();
+const limiter = rateLimit({
+    windowMs: 15 * 60 * 1000,
+    max: 100,
+    message: { error: "Too many requests" }
 });
+app.use(limiter);
 
-// --- 8. BOT DETECTION (Improved) ---
 app.use((req, res, next) => {
-    if (!(req.path.includes('/prediction/') || req.path.includes('/vector/upsert/'))) {
-        return next();
-    }
-    
-    const userAgent = (req.headers['user-agent'] || '').toLowerCase();
-    const suspiciousBots = ['python-requests', 'curl/', 'wget/', 'scrapy', 'crawler'];
-    
-    // Check for bot patterns
-    const isBot = suspiciousBots.some(bot => userAgent.includes(bot));
-    
-    // Additional check: require Accept header (most bots forget this)
-    const hasAccept = req.headers['accept'];
-    
-    if (isBot || !hasAccept) {
-        console.log(`[Security] Blocked suspicious request: ${userAgent.substring(0, 50)} from ${req.ip}`);
-        return res.status(403).json({
-            error: 'Automated access detected',
-            message: 'This service is for web browsers only.'
-        });
-    }
+    const ip = (req.ip || 'unknown').replace(/:\d+[^:]*$/, '');
+    console.log(`[${new Date().toISOString()}] ${ip} -> ${req.method} ${req.path} from ${req.headers.origin || 'unknown'}`);
     next();
 });
 
-// --- 9. INSTANCES CONFIGURATION ---
 let INSTANCES = [];
 try {
     INSTANCES = JSON.parse(process.env.FLOWISE_INSTANCES || '[]');
-    if (!Array.isArray(INSTANCES) || INSTANCES.length === 0) {
-        console.error('ERROR: FLOWISE_INSTANCES must be a non-empty array');
-    }
+    console.log(`[System] Loaded ${INSTANCES.length} instances`);
 } catch (e) {
-    console.error("CRITICAL ERROR: Could not parse FLOWISE_INSTANCES JSON", e);
+    console.error("ERROR parsing FLOWISE_INSTANCES:", e);
 }
 
-console.log(`[System] Loaded ${INSTANCES.length} instances`);
-
-// Cache for chatflow lookups (with auto-cleanup)
 const flowCache = new Map();
 
-// Clean up old cache entries every 10 minutes
-setInterval(() => {
-    const now = Date.now();
-    for (const [key, value] of flowCache.entries()) {
-        if (now - value.timestamp > 10 * 60 * 1000) { // 10 minutes
-            flowCache.delete(key);
-        }
-    }
-}, 10 * 60 * 1000);
-
-// --- 10. HELPER: FETCH WITH TIMEOUT ---
-async function fetchWithTimeout(url, options, timeout = 10000) {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), timeout);
-    
-    try {
-        const response = await fetch(url, {
-            ...options,
-            signal: controller.signal
-        });
-        clearTimeout(timeoutId);
-        return response;
-    } catch (error) {
-        clearTimeout(timeoutId);
-        if (error.name === 'AbortError') {
-            throw new Error('Request timeout');
-        }
-        throw error;
-    }
-}
-
-// --- 11. HELPER: RESOLVE BOT TO CHATFLOW ID ---
 async function resolveChatflowId(instanceNum, botName) {
     const cacheKey = `${instanceNum}-${botName}`;
-    
-    // Check cache
     const cached = flowCache.get(cacheKey);
-    if (cached && Date.now() - cached.timestamp < 5 * 60 * 1000) {
-        return { id: cached.id, instance: cached.instance };
-    }
+    if (cached) return cached;
     
-    // Validate instance
-    if (isNaN(instanceNum) || instanceNum < 1 || instanceNum > INSTANCES.length) {
-        throw new Error(`Instance ${instanceNum} does not exist. Valid: 1-${INSTANCES.length}`);
+    if (instanceNum < 1 || instanceNum > INSTANCES.length) {
+        throw new Error(`Invalid instance: ${instanceNum}`);
     }
     
     const instance = INSTANCES[instanceNum - 1];
-    
     console.log(`[System] Looking up '${botName}' in instance ${instanceNum}...`);
     
     const headers = {};
-    if (instance.key && instance.key.length > 0) {
-        headers['Authorization'] = `Bearer ${instance.key}`;
-    }
-    
-    const listResponse = await fetchWithTimeout(`${instance.url}/api/v1/chatflows`, { headers }, 10000);
+    if (instance.key) headers['Authorization'] = `Bearer ${instance.key}`;
     
-    if (!listResponse.ok) {
-        throw new Error(`Instance ${instanceNum} returned status ${listResponse.status}`);
+    const response = await fetch(`${instance.url}/api/v1/chatflows`, { headers });
+    if (!response.ok) {
+        throw new Error(`Instance ${instanceNum} returned status ${response.status}. Instance may be paused.`);
     }
     
-    const flows = await listResponse.json();
+    const flows = await response.json();
+    const match = flows.find(f => f.name.toLowerCase().replace(/\s+/g, '-') === botName);
     
-    if (!Array.isArray(flows)) {
-        throw new Error(`Instance ${instanceNum} returned invalid response`);
-    }
-    
-    const matchedFlow = flows.find(f => f.name && f.name.toLowerCase().replace(/\s+/g, '-') === botName);
-    
-    if (!matchedFlow || !matchedFlow.id) {
-        throw new Error(`Bot '${botName}' not found in instance ${instanceNum}`);
-    }
+    if (!match) throw new Error(`Bot '${botName}' not found in instance ${instanceNum}`);
     
-    const chatflowId = matchedFlow.id;
+    const result = { id: match.id, instance };
+    flowCache.set(cacheKey, result);
     
-    // Cache with timestamp
-    flowCache.set(cacheKey, {
-        id: chatflowId,
-        instance: instance,
-        timestamp: Date.now()
-    });
-    
-    console.log(`[System] Found '${botName}' -> ${chatflowId}`);
+    console.log(`[System] Found '${botName}' -> ${match.id}`);
+    return result;
+}
+
+// IMPROVED: Safe JSON parsing
+async function safeJsonParse(response, url) {
+    const text = await response.text();
     
-    return { id: chatflowId, instance };
+    try {
+        return JSON.parse(text);
+    } catch (e) {
+        console.error(`[Error] Non-JSON response from ${url}`);
+        console.error(`[Error] Response starts with: ${text.substring(0, 200)}`);
+        
+        // Return a user-friendly error
+        throw new Error('The Flowise instance returned an invalid response. It may be paused or experiencing errors.');
+    }
 }
 
-// --- 12. ROUTE 1: CHATBOT CONFIG ---
-app.get('/api/v1/public-chatbotConfig/:instanceNum/:botName', async (req, res) => {
+app.post('/api/v1/prediction/:instanceNum/:botName', async (req, res) => {
     try {
         const instanceNum = parseInt(req.params.instanceNum);
-        const botName = req.params.botName.toLowerCase().substring(0, 100); // Limit length
+        const botName = req.params.botName.toLowerCase();
+        
+        if (req.body.question && req.body.question.length > 2000) {
+            return res.status(400).json({ error: 'Message too long (max 2000 characters)' });
+        }
         
         const { id, instance } = await resolveChatflowId(instanceNum, botName);
         
-        const headers = {};
-        if (instance.key && instance.key.length > 0) {
-            headers['Authorization'] = `Bearer ${instance.key}`;
-        }
+        const headers = { 'Content-Type': 'application/json' };
+        if (instance.key) headers['Authorization'] = `Bearer ${instance.key}`;
+        
+        const response = await fetch(`${instance.url}/api/v1/prediction/${id}`, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify(req.body)
+        });
         
-        const configResponse = await fetchWithTimeout(
-            `${instance.url}/api/v1/public-chatbotConfig/${id}`,
-            { headers },
-            10000
-        );
+        // Check if response is OK before parsing
+        if (!response.ok) {
+            const errorText = await response.text();
+            console.error(`[Error] Instance returned ${response.status}: ${errorText.substring(0, 200)}`);
+            return res.status(response.status).json({ 
+                error: 'Flowise instance error',
+                message: 'The chatbot instance may be paused or misconfigured. Please check the Flowise instance logs.'
+            });
+        }
         
-        const data = await configResponse.json();
-        res.status(configResponse.status).json(data);
+        const data = await safeJsonParse(response, instance.url);
+        res.status(200).json(data);
         
     } catch (error) {
-        console.error('[Error] Config fetch failed:', error.message);
-        res.status(404).json({ error: error.message });
+        console.error('[Error]', error.message);
+        res.status(500).json({ 
+            error: 'Request failed',
+            message: error.message 
+        });
     }
 });
 
-// --- 13. ROUTE 2: STREAMING CHECK ---
-app.get('/api/v1/chatflows-streaming/:instanceNum/:botName', async (req, res) => {
+app.get('/api/v1/public-chatbotConfig/:instanceNum/:botName', async (req, res) => {
     try {
         const instanceNum = parseInt(req.params.instanceNum);
-        const botName = req.params.botName.toLowerCase().substring(0, 100);
-        
+        const botName = req.params.botName.toLowerCase();
         const { id, instance } = await resolveChatflowId(instanceNum, botName);
         
         const headers = {};
-        if (instance.key && instance.key.length > 0) {
-            headers['Authorization'] = `Bearer ${instance.key}`;
-        }
+        if (instance.key) headers['Authorization'] = `Bearer ${instance.key}`;
         
-        const streamResponse = await fetchWithTimeout(
-            `${instance.url}/api/v1/chatflows-streaming/${id}`,
-            { headers },
-            10000
-        );
+        const response = await fetch(`${instance.url}/api/v1/public-chatbotConfig/${id}`, { headers });
         
-        const data = await streamResponse.json();
-        res.status(streamResponse.status).json(data);
+        if (!response.ok) {
+            return res.status(response.status).json({ error: 'Config not available' });
+        }
         
+        const data = await safeJsonParse(response, instance.url);
+        res.status(200).json(data);
     } catch (error) {
-        console.error('[Error] Streaming check failed:', error.message);
+        console.error('[Error Config]', error.message);
         res.status(404).json({ error: error.message });
     }
 });
 
-// --- 14. ROUTE 3: PREDICTION (SEND MESSAGE) ---
-app.post('/api/v1/prediction/:instanceNum/:botName', async (req, res) => {
+app.get('/api/v1/chatflows-streaming/:instanceNum/:botName', async (req, res) => {
     try {
         const instanceNum = parseInt(req.params.instanceNum);
-        const botName = req.params.botName.toLowerCase().substring(0, 100);
-        
-        // Validate question exists and is a string
-        if (!req.body.question || typeof req.body.question !== 'string') {
-            return res.status(400).json({
-                error: 'Invalid request',
-                message: 'Question must be a non-empty string.'
-            });
-        }
-        
-        // MESSAGE LENGTH LIMIT
-        if (req.body.question.length > 2000) {
-            return res.status(400).json({
-                error: 'Message too long',
-                message: 'Please keep messages under 2000 characters.'
-            });
-        }
-        
+        const botName = req.params.botName.toLowerCase();
         const { id, instance } = await resolveChatflowId(instanceNum, botName);
         
-        const forwardHeaders = {
-            'Content-Type': 'application/json',
-            'HTTP-Referer': req.headers.origin || 'https://huggingface.co',
-            'X-Title': 'FederatedProxy'
-        };
-        
-        if (instance.key && instance.key.length > 0) {
-            forwardHeaders['Authorization'] = `Bearer ${instance.key}`;
-        }
+        const headers = {};
+        if (instance.key) headers['Authorization'] = `Bearer ${instance.key}`;
         
-        const flowiseResponse = await fetchWithTimeout(
-            `${instance.url}/api/v1/prediction/${id}`,
-            {
-                method: 'POST',
-                headers: forwardHeaders,
-                body: JSON.stringify(req.body)
-            },
-            30000 // 30 second timeout for AI responses
-        );
+        const response = await fetch(`${instance.url}/api/v1/chatflows-streaming/${id}`, { headers });
         
-        const data = await flowiseResponse.json();
-        res.status(flowiseResponse.status).json(data);
+        if (!response.ok) {
+            return res.status(response.status).json({ isStreaming: false });
+        }
         
+        const data = await safeJsonParse(response, instance.url);
+        res.status(200).json(data);
     } catch (error) {
-        console.error('[Error] Prediction failed:', error.message);
-        res.status(500).json({
-            error: 'Proxy forwarding failed',
-            message: error.message
-        });
+        console.error('[Error Streaming]', error.message);
+        res.status(200).json({ isStreaming: false }); // Default to non-streaming
     }
 });
 
-// --- 15. HEALTH CHECK ---
 app.get('/', (req, res) => res.send('Federated Proxy Active'));
+app.get('/health', (req, res) => res.json({ status: 'ok', instances: INSTANCES.length }));
 
-app.get('/health', (req, res) => {
-    res.json({
-        status: 'healthy',
-        instances: INSTANCES.length,
-        cached_bots: flowCache.size,
-        daily_active_ips: dailyUsage.size,
-        uptime: process.uptime()
-    });
-});
-
-// --- 16. 404 HANDLER ---
-app.use((req, res) => {
-    res.status(404).json({ error: 'Route not found' });
-});
-
-// --- 17. GLOBAL ERROR HANDLER ---
-app.use((err, req, res, next) => {
-    console.error('[Error] Unhandled error:', err);
-    res.status(500).json({ error: 'Internal server error' });
-});
-
-// --- 18. GRACEFUL SHUTDOWN ---
-const server = app.listen(7860, '0.0.0.0', () => {
-    console.log('Federated Proxy running on port 7860');
-});
-
-process.on('SIGTERM', () => {
-    console.log('[System] SIGTERM received, shutting down gracefully...');
-    server.close(() => {
-        console.log('[System] Server closed');
-        process.exit(0);
-    });
-});
-
-process.on('SIGINT', () => {
-    console.log('[System] SIGINT received, shutting down gracefully...');
-    server.close(() => {
-        console.log('[System] Server closed');
-        process.exit(0);
-    });
-});
+app.listen(7860, '0.0.0.0', () => console.log('Federated Proxy running on port 7860'));