neocities/app.rb

require './environment.rb'
require './app_helpers.rb'

use Rack::Session::Cookie, key:          'neocities',
                           path:         '/',
                           expire_after: 31556926, # one year in seconds
                           secret:       Base64.strict_decode64($config['session_secret']),
                           httponly: true,
                           same_site: :lax,
                           secure: ENV['RACK_ENV'] == 'production'

use Rack::TempfileReaper

helpers do
  def site_change_file_display_class(filename)
    return 'html' if filename.match(Site::HTML_REGEX)
    return 'image' if filename.match(Site::IMAGE_REGEX)
    'misc'
  end

  def csrf_token_input_html
    %{<input name="csrf_token" type="hidden" value="#{csrf_token}">}
  end

  def hcaptcha_input
    %{
      <script src="https://hcaptcha.com/1/api.js" async defer></script>
      <div id="captcha_input" class="h-captcha" data-sitekey="#{$config['hcaptcha_site_key']}"></div>
    }
  end
end

set :protection, :frame_options => "DENY"

GEOCITIES_NEIGHBORHOODS = %w{
  area51
  athens
  augusta
  baja
  bourbonstreet
  capecanaveral
  capitolhill
  collegepark
  colosseum
  enchantedforest
  hollywood
  motorcity
  napavalley
  nashville
  petsburgh
  pipeline
  rainforest
  researchtriangle
  siliconvalley
  soho
  sunsetstrip
  timessquare
  televisioncity
  tokyo
  vienna
  westhollywood
  yosemite
}.freeze

def redirect_to_internet_archive_for_geocities_sites
  match = request.path.match /^\/(\w+)\/.+$/i
  if match && GEOCITIES_NEIGHBORHOODS.include?(match.captures.first.downcase)
    redirect "https://wayback.archive.org/http://geocities.com/#{request.path}"
  end
end

WHITELISTED_POST_PATHS = ['/create_validate_all', '/create_validate', '/create'].freeze

before do
  if request.path.match /^\/api\//i
    @api = true
    content_type :json
  elsif request.path.match /^\/webhooks\//
    # Skips the CSRF/validation check for stripe web hooks
  elsif current_site && current_site.email_not_validated? && !(request.path =~ /^\/site\/.+\/confirm_email|^\/settings\/change_email|^\/welcome|^\/supporter|^\/signout/)
    redirect "/site/#{current_site.username}/confirm_email"
  elsif current_site && current_site.phone_verification_needed? && !(request.path =~ /^\/site\/.+\/confirm_email|^\/settings\/change_email|^\/site\/.+\/confirm_phone|^\/welcome|^\/supporter|^\/signout/)
    redirect  "/site/#{current_site.username}/confirm_phone"
  elsif current_site && current_site.tutorial_required && !(request.path =~ /^\/site\/.+\/confirm_email|^\/settings\/change_email|^\/site\/.+\/confirm_phone|^\/welcome|^\/supporter|^\/tutorial\/.+/)
    redirect '/tutorial/html/1'
  else
    content_type :html, 'charset' => 'utf-8'
    redirect '/' if request.post? && !WHITELISTED_POST_PATHS.include?(request.path_info) && !csrf_safe?
  end

  if params[:page]
    params[:page] = params[:page].to_s
    unless params[:page] =~ /^\d+$/ && params[:page].to_i > 0
      params[:page] = '1'
    end
  end

  if params[:tag]
    begin
      params.delete 'tag' if params[:tag].nil? || !params[:tag].is_a?(String) || params[:tag].strip.empty? || params[:tag].match?(Tag::INVALID_TAG_REGEX)
    rescue Encoding::CompatibilityError, ArgumentError
      params.delete 'tag'
    end
  end
end

after do
  if @api || (!signed_in? && request.path == '/')
    request.session_options[:skip] = true
  else
    # Set issue timestamp on session cookie if it doesn't exist yet
    session['i'] = Time.now.to_i if session && !session['i'] && session['id']
  end

  unless self.class.development?
    response.headers['Content-Security-Policy'] = %{default-src 'self' data: blob: 'unsafe-inline'; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; connect-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://api.stripe.com; frame-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com}
  end
end

not_found do
  api_not_found if @api
  redirect_to_internet_archive_for_geocities_sites
  @title = 'Not Found'
  erb :'not_found'
end

error do
=begin
  EmailWorker.perform_async({
    from: 'web@neocities.org',
    to: 'errors@neocities.org',
    subject: "[Neocities Error] #{env['sinatra.error'].class}: #{env['sinatra.error'].message}",
    body: erb(:'templates/email/error', layout: false),
    no_footer: true
  })
=end

  if @api
    api_error 500, 'server_error', 'there has been an unknown server error, please try again later'
  end

  erb :'error'
end

Dir['./app/**/*.rb'].each {|f| require f}
Initial checkin of project. Creates sites and goes to dashboard 2013-05-24 00:47:50 -07:00			`require './environment.rb'`
refactor app.rb blob to partition routes into files 2014-12-03 08:29:01 -08:00			`require './app_helpers.rb'`
Initial checkin of project. Creates sites and goes to dashboard 2013-05-24 00:47:50 -07:00
Finish creation and signin flow 2013-05-25 17:09:48 -07:00			`use Rack::Session::Cookie, key: 'neocities',`
			`path: '/',`
			`expire_after: 31556926, # one year in seconds`
sessions: new secret, set issued time of session cookie for revoking 2025-01-31 20:03:41 -06:00			`secret: Base64.strict_decode64($config['session_secret']),`
fortify cookie security - samesite, secure, explicit httponly 2017-01-10 16:43:14 -06:00			`httponly: true,`
SameSite=Lax for cookies, DENY for X-Frame-Options 2017-01-25 04:52:20 +00:00			`same_site: :lax,`
fortify cookie security - samesite, secure, explicit httponly 2017-01-10 16:43:14 -06:00			`secure: ENV['RACK_ENV'] == 'production'`
Finish creation and signin flow 2013-05-25 17:09:48 -07:00
use TempfileReaper to hopefully clean up RackMultipart turds 2016-08-16 11:56:47 -07:00			`use Rack::TempfileReaper`
Add captcha for signup 2013-06-16 11:44:18 -07:00
site change and file recording, better share support 2014-06-04 18:05:29 -07:00			`helpers do`
			`def site_change_file_display_class(filename)`
			`return 'html' if filename.match(Site::HTML_REGEX)`
			`return 'image' if filename.match(Site::IMAGE_REGEX)`
			`'misc'`
			`end`
port settings to erb 2014-08-01 11:56:51 -07:00
			`def csrf_token_input_html`
			`%{<input name="csrf_token" type="hidden" value="#{csrf_token}">}`
			`end`
testing hcaptcha for contact form 2020-11-25 18:54:04 -06:00
fixes for hcaptcha, add to dmca form 2020-11-26 01:45:23 -06:00			`def hcaptcha_input`
			`%{`
			`<script src="https://hcaptcha.com/1/api.js" async defer></script>`
replace recaptch with hcaptcha 2021-12-03 12:04:00 -06:00			`<div id="captcha_input" class="h-captcha" data-sitekey="#{$config['hcaptcha_site_key']}"></div>`
fixes for hcaptcha, add to dmca form 2020-11-26 01:45:23 -06:00			`}`
			`end`
site change and file recording, better share support 2014-06-04 18:05:29 -07:00			`end`

SameSite=Lax for cookies, DENY for X-Frame-Options 2017-01-25 04:52:20 +00:00			`set :protection, :frame_options => "DENY"`
new strategy for surf mode 2015-03-26 11:53:41 -07:00
redirect to the Internet Archive for Geocities site paths before 404ing 2016-12-16 13:42:45 -06:00			`GEOCITIES_NEIGHBORHOODS = %w{`
			`area51`
			`athens`
			`augusta`
			`baja`
			`bourbonstreet`
			`capecanaveral`
			`capitolhill`
			`collegepark`
			`colosseum`
			`enchantedforest`
			`hollywood`
			`motorcity`
			`napavalley`
			`nashville`
			`petsburgh`
			`pipeline`
			`rainforest`
			`researchtriangle`
			`siliconvalley`
			`soho`
			`sunsetstrip`
			`timessquare`
			`televisioncity`
			`tokyo`
			`vienna`
you forgot west hollywood kyle 2022-07-18 18:51:31 +03:00			`westhollywood`
redirect to the Internet Archive for Geocities site paths before 404ing 2016-12-16 13:42:45 -06:00			`yosemite`
			`}.freeze`

			`def redirect_to_internet_archive_for_geocities_sites`
			`match = request.path.match /^\/(\w+)\/.+$/i`
			`if match && GEOCITIES_NEIGHBORHOODS.include?(match.captures.first.downcase)`
			`redirect "https://wayback.archive.org/http://geocities.com/#{request.path}"`
			`end`
			`end`

no csrf_token for create 2025-04-15 15:34:47 -05:00			`WHITELISTED_POST_PATHS = ['/create_validate_all', '/create_validate', '/create'].freeze`

a little re-arranging 2013-06-22 19:52:03 -07:00			`before do`
initial test for figuring out the stripe webhook 2014-04-27 17:27:53 -07:00			`if request.path.match /^\/api\//i`
tests for api upload, fixes 2014-04-10 22:36:02 -07:00			`@api = true`
beginnings of new API 2014-04-06 23:57:35 -04:00			`content_type :json`
an unfinished start on proper paypal recurring integration 2015-04-10 18:15:11 -07:00			`elsif request.path.match /^\/webhooks\//`
Set email validation grandfathering for May 16th. All new sites will need to validate email. 2016-05-14 23:15:13 -04:00			`# Skips the CSRF/validation check for stripe web hooks`
verification route path fixes 2024-04-08 15:39:04 -05:00			`elsif current_site && current_site.email_not_validated? && !(request.path =~ /^\/site\/.+\/confirm_email\|^\/settings\/change_email\|^\/welcome\|^\/supporter\|^\/signout/)`
Mandate email validation for free accounts. Be sure to set EMAIL_VALIDATION_CUTOFF_DATE before deploy 2016-05-13 16:48:29 -04:00			`redirect "/site/#{current_site.username}/confirm_email"`
verification route path fixes 2024-04-08 15:39:04 -05:00			`elsif current_site && current_site.phone_verification_needed? && !(request.path =~ /^\/site\/.+\/confirm_email\|^\/settings\/change_email\|^\/site\/.+\/confirm_phone\|^\/welcome\|^\/supporter\|^\/signout/)`
first pass at phone validation 2023-11-09 14:55:48 -06:00			`redirect "/site/#{current_site.username}/confirm_phone"`
tutorial subpages for tutorial match 2024-04-08 17:45:20 -05:00			`elsif current_site && current_site.tutorial_required && !(request.path =~ /^\/site\/.+\/confirm_email\|^\/settings\/change_email\|^\/site\/.+\/confirm_phone\|^\/welcome\|^\/supporter\|^\/tutorial\/.+/)`
cleanups for account validation 2024-04-08 15:12:56 -05:00			`redirect '/tutorial/html/1'`
hack HTTP AUTH into file upload so @substack can upload stuff 2014-03-27 23:32:29 -07:00			`else`
			`content_type :html, 'charset' => 'utf-8'`
no csrf_token for create 2025-04-15 15:34:47 -05:00			`redirect '/' if request.post? && !WHITELISTED_POST_PATHS.include?(request.path_info) && !csrf_safe?`
hack HTTP AUTH into file upload so @substack can upload stuff 2014-03-27 23:32:29 -07:00			`end`
scrub all attempts to do stupid things with page 2024-08-20 11:29:38 -05:00
			`if params[:page]`
			`params[:page] = params[:page].to_s`
			`unless params[:page] =~ /^\d+$/ && params[:page].to_i > 0`
			`params[:page] = '1'`
			`end`
			`end`
tag search for activities, more tags in browse cloud, link between activity and browse tags 2024-09-04 12:19:48 -05:00
			`if params[:tag]`
			`begin`
			`params.delete 'tag' if params[:tag].nil? \|\| !params[:tag].is_a?(String) \|\| params[:tag].strip.empty? \|\| params[:tag].match?(Tag::INVALID_TAG_REGEX)`
catch utf-8 encoding errors 2025-04-23 04:49:48 +00:00			`rescue Encoding::CompatibilityError, ArgumentError`
tag search for activities, more tags in browse cloud, link between activity and browse tags 2024-09-04 12:19:48 -05:00			`params.delete 'tag'`
			`end`
			`end`
hack HTTP AUTH into file upload so @substack can upload stuff 2014-03-27 23:32:29 -07:00			`end`

dont set cookie for api calls 2017-05-21 20:12:47 -07:00			`after do`
dont set cookie for index if not logged in 2025-04-23 09:59:08 -05:00			`if @api \|\| (!signed_in? && request.path == '/')`
dont set cookie for api calls 2017-05-21 20:12:47 -07:00			`request.session_options[:skip] = true`
sessions: new secret, set issued time of session cookie for revoking 2025-01-31 20:03:41 -06:00			`else`
			`# Set issue timestamp on session cookie if it doesn't exist yet`
			`session['i'] = Time.now.to_i if session && !session['i'] && session['id']`
dont set cookie for api calls 2017-05-21 20:12:47 -07:00			`end`

sessions: new secret, set issued time of session cookie for revoking 2025-01-31 20:03:41 -06:00			`unless self.class.development?`
			`response.headers['Content-Security-Policy'] = %{default-src 'self' data: blob: 'unsafe-inline'; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' https://hcaptcha.com https://.hcaptcha.com https://js.stripe.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com https://.hcaptcha.com; connect-src 'self' https://hcaptcha.com https://.hcaptcha.com https://api.stripe.com; frame-src 'self' https://hcaptcha.com https://.hcaptcha.com https://js.stripe.com}`
			`end`
add CSP, remove gravicons that are now blocked by it 2024-01-05 14:46:29 -06:00			`end`

not found page, contacts 2013-07-13 10:45:15 -04:00			`not_found do`
fix for api 404 2016-10-26 21:34:53 -05:00			`api_not_found if @api`
redirect to the Internet Archive for Geocities site paths before 404ing 2016-12-16 13:42:45 -06:00			`redirect_to_internet_archive_for_geocities_sites`
Not Found for title 2015-06-03 14:51:34 -07:00			`@title = 'Not Found'`
copy changes, fix links 2014-04-22 15:03:29 -07:00			`erb :'not_found'`
not found page, contacts 2013-07-13 10:45:15 -04:00			`end`

error reporting 2013-07-13 11:01:13 -04:00			`error do`
no error emails, using airbrake 2024-04-09 18:06:25 -05:00			`=begin`
error reporting 2013-07-13 11:01:13 -04:00			`EmailWorker.perform_async({`
			`from: 'web@neocities.org',`
			`to: 'errors@neocities.org',`
start of feed and profile integration 2014-04-29 00:03:48 -07:00			`subject: "[Neocities Error] #{env['sinatra.error'].class}: #{env['sinatra.error'].message}",`
fix error email 2015-05-10 09:17:32 +00:00			`body: erb(:'templates/email/error', layout: false),`
no unsubscribe footer for internal emails 2015-04-01 11:35:47 -07:00			`no_footer: true`
error reporting 2013-07-13 11:01:13 -04:00			`})`
no error emails, using airbrake 2024-04-09 18:06:25 -05:00			`=end`
error reporting 2013-07-13 11:01:13 -04:00
tests for api upload, fixes 2014-04-10 22:36:02 -07:00			`if @api`
fix pagination 2014-09-15 03:15:25 -07:00			`api_error 500, 'server_error', 'there has been an unknown server error, please try again later'`
tests for api upload, fixes 2014-04-10 22:36:02 -07:00			`end`

copy changes, fix links 2014-04-22 15:03:29 -07:00			`erb :'error'`
error reporting 2013-07-13 11:01:13 -04:00			`end`

better error reporting to help fix bugs 2015-02-21 14:08:27 -08:00			`Dir['./app/*/.rb'].each {\|f\| require f}`