Spaces:
Sleeping
Sleeping
| const express = require('express'); | |
| const multer = require('multer'); | |
| const cors = require('cors'); | |
| const { decodeFromImageBuffer } = require('./decoder'); // Import our logic | |
| const app = express(); | |
| const PORT = process.env.PORT || 7860; | |
| // --- 1. SECURE CORS CONFIGURATION --- | |
| // Define the list of allowed client origins from an environment variable. | |
| // This allows you to change the allowed origins without changing the code. | |
| // The variable should be a comma-separated list of URLs. | |
| const allowedOrigins = process.env.ALLOWED_ORIGINS ? process.env.ALLOWED_ORIGINS.split(',') : []; | |
| const corsOptions = { | |
| origin: (origin, callback) => { | |
| // 'origin' will be undefined for server-to-server requests or curl. | |
| // Allow requests with no origin OR if the origin is in our whitelist. | |
| if (!origin || allowedOrigins.indexOf(origin) !== -1) { | |
| callback(null, true); | |
| } else { | |
| // If the origin is not in the whitelist, reject the request. | |
| callback(new Error(`Not allowed by CORS. Origin: ${origin}`)); | |
| } | |
| }, | |
| methods: ['GET', 'POST'], // Allow only specific methods | |
| }; | |
| // Use the configured CORS middleware | |
| app.use(cors(corsOptions)); | |
| // --- 2. HEALTH CHECK ENDPOINT --- | |
| app.get('/', (req, res) => { | |
| res.status(200).json({ | |
| status: 'ok', | |
| message: 'Secure Decoder API is running.', | |
| // Also report which origins are allowed, for easy debugging. | |
| allowed_origins: allowedOrigins.length > 0 ? allowedOrigins : "None configured (check ALLOWED_ORIGINS secret)." | |
| }); | |
| }); | |
| const upload = multer({ | |
| storage: multer.memoryStorage(), | |
| limits: { fileSize: 5 * 1024 * 1024 }, // 5MB limit | |
| }); | |
| // --- 3. DECODE API ENDPOINT --- | |
| app.post('/api/decode', upload.single('authImage'), async (req, res) => { | |
| console.log(`Received a request to /api/decode from origin: ${req.get('origin') || 'unknown'}`); | |
| const privateKey = process.env.PLUGIN_PRIVATE_KEY; | |
| if (!privateKey) { | |
| console.error("FATAL: PLUGIN_PRIVATE_KEY secret is not set in the Space settings."); | |
| return res.status(500).json({ error: 'Server is not configured with a private key.' }); | |
| } | |
| if (!req.file) { | |
| console.log("Request failed: No image file provided."); | |
| return res.status(400).json({ error: 'No image file provided. Please upload a file with the key "authImage".' }); | |
| } | |
| try { | |
| const credentials = await decodeFromImageBuffer(req.file.buffer, privateKey); | |
| console.log("Successfully decoded data."); | |
| res.json({ success: true, data: credentials }); | |
| } catch (error) { | |
| console.error("Decryption failed:", error.message); | |
| res.status(400).json({ success: false, error: `Decryption failed: ${error.message}` }); | |
| } | |
| }); | |
| app.listen(PORT, () => { | |
| console.log(`Secure decoder API listening on port ${PORT}`); | |
| if (allowedOrigins.length > 0) { | |
| console.log(`CORS whitelist enabled for the following origins: ${allowedOrigins.join(', ')}`); | |
| } else { | |
| console.warn("WARNING: No CORS origins are whitelisted. Set the ALLOWED_ORIGINS secret. All cross-origin requests will be blocked."); | |
| } | |
| if (!process.env.PLUGIN_PRIVATE_KEY) { | |
| console.warn("WARNING: PLUGIN_PRIVATE_KEY environment variable is not set. The /api/decode endpoint will fail."); | |
| } else { | |
| console.log("PLUGIN_PRIVATE_KEY secret has been loaded successfully."); | |
| } | |
| }); |