balikci/backend/src/app.js

require('dotenv').config({ path: require('path').join(__dirname, '../.env') });
const express = require('express');
const session = require('express-session');
const helmet = require('helmet');
const cors = require('cors');
const logger = require('./config/logger');
const sessionConfig = require('./config/session');
const { testConnection } = require('./config/database');
const errorHandler = require('./middlewares/errorHandler');
const { apiLimiter } = require('./middlewares/rateLimiter');

const app = express();
const PORT = process.env.PORT || 3000;

// Trust proxy (for Nginx Proxy Manager / reverse proxy)
// This allows Express to correctly handle X-Forwarded-* headers
app.set('trust proxy', true);

// Security middleware with relaxed CSP for SPA
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: [
          "'self'",
          "'unsafe-inline'", // Required for Vite HMR and some inline scripts
          "'unsafe-eval'", // Required for Vite dev mode
        ],
        styleSrc: [
          "'self'",
          "'unsafe-inline'", // Required for inline styles
        ],
        imgSrc: ["'self'", "data:", "https:"],
        fontSrc: ["'self'", "data:", "https:"],
        connectSrc: ["'self'", "https:", "http:", "ws:", "wss:"], // Allow API calls
        frameSrc: ["'none'"],
        objectSrc: ["'none'"],
        // upgradeInsecureRequests removed - causes issues with reverse proxy
      },
    },
    crossOriginEmbedderPolicy: false, // Disable for better compatibility
  })
);

// Dynamic CORS configuration
// Development: Allow ALL origins (no restrictions)
// Production: Whitelist specific domains
const isDevelopment = process.env.NODE_ENV !== 'production';

const getAllowedOrigins = () => {
  const origins = [
    process.env.FRONTEND_URL || 'http://localhost:4173', // Production default
    'http://localhost:5173', // Vite dev server
    'http://localhost:4173', // Vite preview / serve
    'http://127.0.0.1:5173',
    'http://127.0.0.1:4173',
  ];
  
  // Add public IP if available
  if (process.env.DOMAIN_URL) {
    const publicDomain = process.env.DOMAIN_URL.replace(':3000', ':4173');
    origins.push(publicDomain);
  }
  
  return origins;
};

let corsOptions = {
  origin: (origin, callback) => {
    // Development mode: Allow ALL origins
    if (isDevelopment) {
      callback(null, true);
      return;
    }

    // Production mode: Check whitelist
    const allowedOrigins = getAllowedOrigins();
    // Allow requests with no origin (like mobile apps or curl requests)
    if (!origin || allowedOrigins.includes(origin)) {
      callback(null, true);
    } else {
      logger.warn(`CORS blocked origin: ${origin} (not in whitelist)`);
      // For now, allow anyway (you can change to callback(new Error('Not allowed by CORS')) for strict mode)
      callback(null, true);
    }
  },
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization'],
};

app.use((req, res, next) => {
  cors(corsOptions)(req, res, next);
});

// Function to update CORS from database
const updateCorsFromSettings = async () => {
  try {
    const { Settings } = require('./models');
    const corsEnabledSetting = await Settings.findOne({ where: { key: 'cors_enabled' } });
    const frontendUrlSetting = await Settings.findOne({ where: { key: 'frontend_url' } });
    
    if (corsEnabledSetting && corsEnabledSetting.value === 'true' && frontendUrlSetting) {
      logger.info(`CORS settings loaded from database: ${frontendUrlSetting.value}`);
    }
    
    if (isDevelopment) {
      logger.info('🔓 CORS: Development mode - ALL origins allowed');
    } else {
      logger.info(`🔒 CORS: Production mode - Whitelist: ${getAllowedOrigins().join(', ')}`);
    }
  } catch (error) {
    logger.warn('Could not load CORS settings from database, using defaults');
  }
};

// Update CORS on startup (with delay to ensure DB is ready)
setTimeout(updateCorsFromSettings, 2000);

// Export for use in settings controller
app.updateCorsSettings = updateCorsFromSettings;

// Body parsing middleware
app.use(express.json());
app.use(express.urlencoded({ extended: true }));

// Serve static files (landing page)
app.use(express.static('src/public'));

// Serve frontend build files (if exists, for production)
const path = require('path');
const frontendDistPath = path.join(__dirname, '../../frontend/dist');
const fs = require('fs');
if (fs.existsSync(frontendDistPath)) {
  // Serve static files with proper headers for SPA
  // Use middleware to set headers with access to request object
  app.use((req, res, next) => {
    // Set CORS headers for assets if needed
    const origin = req.headers.origin;
    if (origin) {
      res.setHeader('Access-Control-Allow-Origin', origin);
      res.setHeader('Access-Control-Allow-Credentials', 'true');
    }
    next();
  });
  
  app.use(express.static(frontendDistPath, {
    maxAge: '1y', // Cache static assets
    etag: true,
    lastModified: true,
    setHeaders: (res, filePath) => {
      // Set proper content type for JS/CSS files
      if (filePath.endsWith('.js')) {
        res.setHeader('Content-Type', 'application/javascript; charset=utf-8');
      } else if (filePath.endsWith('.css')) {
        res.setHeader('Content-Type', 'text/css; charset=utf-8');
      }
      // Security headers for assets
      res.setHeader('X-Content-Type-Options', 'nosniff');
    },
  }));
}

// Session middleware
app.use(session(sessionConfig));

// Rate limiting
app.use('/api', apiLimiter);

// Request logging
app.use((req, res, next) => {
  logger.info(`${req.method} ${req.path}`, {
    ip: req.ip,
    userAgent: req.get('user-agent'),
  });
  next();
});

// Health check
app.get('/health', (req, res) => {
  res.json({
    success: true,
    message: 'Server is running',
    timestamp: new Date().toISOString(),
  });
});

// API Routes
app.use('/api/auth', require('./routes/auth.routes'));
app.use('/api/companies', require('./routes/company.routes'));
app.use('/api/tokens', require('./routes/token.routes'));
app.use('/api/templates', require('./routes/template.routes'));
app.use('/api/settings', require('./routes/settings.routes'));
app.use('/api/ollama', require('./routes/ollama.routes'));
app.use('/api/stats', require('./routes/stats.routes'));

// Public tracking route (no rate limit on this specific route)
app.use('/t', require('./routes/tracking.routes'));

// SPA fallback: serve index.html for all non-API routes (must be after all routes)
if (fs.existsSync(frontendDistPath)) {
  app.get('*', (req, res, next) => {
    // Skip API routes and tracking routes
    if (req.path.startsWith('/api') || req.path.startsWith('/t/') || req.path.startsWith('/health')) {
      return res.status(404).json({
        success: false,
        error: 'Endpoint not found',
      });
    }
    // Serve frontend SPA
    res.sendFile(path.join(frontendDistPath, 'index.html'));
  });
} else {
  // 404 handler (if frontend not built)
  app.use((req, res) => {
    res.status(404).json({
      success: false,
      error: 'Endpoint not found',
    });
  });
}

// Error handler (must be last)
app.use(errorHandler);

// Start server
const startServer = async () => {
  try {
    // Test database connection
    await testConnection();
    
    // Start listening on all interfaces (0.0.0.0)
    app.listen(PORT, '0.0.0.0', () => {
      logger.info(`🚀 Server is running on port ${PORT}`);
      logger.info(`📊 Environment: ${process.env.NODE_ENV || 'development'}`);
      logger.info(`🔗 Health check: http://0.0.0.0:${PORT}/health`);
      console.log(`\n✨ Oltalama Backend Server Started!`);
      console.log(`🌐 API: http://0.0.0.0:${PORT}/api`);
      console.log(`🎯 Tracking: http://0.0.0.0:${PORT}/t/:token\n`);
    });
  } catch (error) {
    logger.error('Failed to start server:', error);
    process.exit(1);
  }
};

startServer();

module.exports = app;