neocities/app.rb

require './environment.rb'
require './app_helpers.rb'

use Rack::Session::Cookie, key:          'neocities',
                           path:         '/',
                           expire_after: 31556926, # one year in seconds
                           secret:       $config['session_secret'],
                           httponly: true,
                           same_site: :lax,
                           secure: ENV['RACK_ENV'] == 'production'

use Rack::TempfileReaper

helpers do
  def site_change_file_display_class(filename)
    return 'html' if filename.match(Site::HTML_REGEX)
    return 'image' if filename.match(Site::IMAGE_REGEX)
    'misc'
  end

  def csrf_token_input_html
    %{<input name="csrf_token" type="hidden" value="#{csrf_token}">}
  end

  def hcaptcha_input
    %{
      <script src="https://hcaptcha.com/1/api.js" async defer></script>
      <div class="h-captcha" data-sitekey="#{$config['hcaptcha_site_key']}"></div>
    }
  end
end

set :protection, :frame_options => "DENY"

GEOCITIES_NEIGHBORHOODS = %w{
  area51
  athens
  augusta
  baja
  bourbonstreet
  capecanaveral
  capitolhill
  collegepark
  colosseum
  enchantedforest
  hollywood
  motorcity
  napavalley
  nashville
  petsburgh
  pipeline
  rainforest
  researchtriangle
  siliconvalley
  soho
  sunsetstrip
  timessquare
  televisioncity
  tokyo
  vienna
  yosemite
}.freeze

def redirect_to_internet_archive_for_geocities_sites
  match = request.path.match /^\/(\w+)\/.+$/i
  if match && GEOCITIES_NEIGHBORHOODS.include?(match.captures.first.downcase)
    redirect "https://wayback.archive.org/http://geocities.com/#{request.path}"
  end
end

before do
  if request.path.match /^\/api\//i
    @api = true
    content_type :json
  elsif request.path.match /^\/webhooks\//
    # Skips the CSRF/validation check for stripe web hooks
  elsif email_not_validated? && !(request.path =~ /^\/site\/.+\/confirm_email|^\/settings\/change_email|^\/signout|^\/welcome|^\/supporter/)
    redirect "/site/#{current_site.username}/confirm_email"
  else
    content_type :html, 'charset' => 'utf-8'
    redirect '/' if request.post? && !csrf_safe?
  end
end

after do
  if @api
    request.session_options[:skip] = true
  end
end

#after do
  #response.headers['Content-Security-Policy'] = %{block-all-mixed-content; default-src 'self'; connect-src 'self' https://api.stripe.com; frame-src https://www.google.com/recaptcha/ https://js.stripe.com; script-src 'self' 'unsafe-inline' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: }
#end

not_found do
  api_not_found if @api
  redirect_to_internet_archive_for_geocities_sites
  @title = 'Not Found'
  erb :'not_found'
end

error do
  EmailWorker.perform_async({
    from: 'web@neocities.org',
    to: 'errors@neocities.org',
    subject: "[Neocities Error] #{env['sinatra.error'].class}: #{env['sinatra.error'].message}",
    body: erb(:'templates/email/error', layout: false),
    no_footer: true
  })

  if @api
    api_error 500, 'server_error', 'there has been an unknown server error, please try again later'
  end

  erb :'error'
end

Dir['./app/**/*.rb'].each {|f| require f}
Initial checkin of project. Creates sites and goes to dashboard 2013-05-24 00:47:50 -07:00			`require './environment.rb'`
refactor app.rb blob to partition routes into files 2014-12-03 08:29:01 -08:00			`require './app_helpers.rb'`
Initial checkin of project. Creates sites and goes to dashboard 2013-05-24 00:47:50 -07:00
Finish creation and signin flow 2013-05-25 17:09:48 -07:00			`use Rack::Session::Cookie, key: 'neocities',`
			`path: '/',`
			`expire_after: 31556926, # one year in seconds`
fortify cookie security - samesite, secure, explicit httponly 2017-01-10 16:43:14 -06:00			`secret: $config['session_secret'],`
			`httponly: true,`
SameSite=Lax for cookies, DENY for X-Frame-Options 2017-01-25 04:52:20 +00:00			`same_site: :lax,`
fortify cookie security - samesite, secure, explicit httponly 2017-01-10 16:43:14 -06:00			`secure: ENV['RACK_ENV'] == 'production'`
Finish creation and signin flow 2013-05-25 17:09:48 -07:00
use TempfileReaper to hopefully clean up RackMultipart turds 2016-08-16 11:56:47 -07:00			`use Rack::TempfileReaper`
Add captcha for signup 2013-06-16 11:44:18 -07:00
site change and file recording, better share support 2014-06-04 18:05:29 -07:00			`helpers do`
			`def site_change_file_display_class(filename)`
			`return 'html' if filename.match(Site::HTML_REGEX)`
			`return 'image' if filename.match(Site::IMAGE_REGEX)`
			`'misc'`
			`end`
port settings to erb 2014-08-01 11:56:51 -07:00
			`def csrf_token_input_html`
			`%{<input name="csrf_token" type="hidden" value="#{csrf_token}">}`
			`end`
testing hcaptcha for contact form 2020-11-25 18:54:04 -06:00
fixes for hcaptcha, add to dmca form 2020-11-26 01:45:23 -06:00			`def hcaptcha_input`
			`%{`
			`<script src="https://hcaptcha.com/1/api.js" async defer></script>`
			`<div class="h-captcha" data-sitekey="#{$config['hcaptcha_site_key']}"></div>`
			`}`
			`end`
site change and file recording, better share support 2014-06-04 18:05:29 -07:00			`end`

SameSite=Lax for cookies, DENY for X-Frame-Options 2017-01-25 04:52:20 +00:00			`set :protection, :frame_options => "DENY"`
new strategy for surf mode 2015-03-26 11:53:41 -07:00
redirect to the Internet Archive for Geocities site paths before 404ing 2016-12-16 13:42:45 -06:00			`GEOCITIES_NEIGHBORHOODS = %w{`
			`area51`
			`athens`
			`augusta`
			`baja`
			`bourbonstreet`
			`capecanaveral`
			`capitolhill`
			`collegepark`
			`colosseum`
			`enchantedforest`
			`hollywood`
			`motorcity`
			`napavalley`
			`nashville`
			`petsburgh`
			`pipeline`
			`rainforest`
			`researchtriangle`
			`siliconvalley`
			`soho`
			`sunsetstrip`
			`timessquare`
			`televisioncity`
			`tokyo`
			`vienna`
			`yosemite`
			`}.freeze`

			`def redirect_to_internet_archive_for_geocities_sites`
			`match = request.path.match /^\/(\w+)\/.+$/i`
			`if match && GEOCITIES_NEIGHBORHOODS.include?(match.captures.first.downcase)`
			`redirect "https://wayback.archive.org/http://geocities.com/#{request.path}"`
			`end`
			`end`

a little re-arranging 2013-06-22 19:52:03 -07:00			`before do`
initial test for figuring out the stripe webhook 2014-04-27 17:27:53 -07:00			`if request.path.match /^\/api\//i`
tests for api upload, fixes 2014-04-10 22:36:02 -07:00			`@api = true`
beginnings of new API 2014-04-06 23:57:35 -04:00			`content_type :json`
an unfinished start on proper paypal recurring integration 2015-04-10 18:15:11 -07:00			`elsif request.path.match /^\/webhooks\//`
Set email validation grandfathering for May 16th. All new sites will need to validate email. 2016-05-14 23:15:13 -04:00			`# Skips the CSRF/validation check for stripe web hooks`
major refactor of supporter structure 2016-10-18 12:47:58 -05:00			`elsif email_not_validated? && !(request.path =~ /^\/site\/.+\/confirm_email\|^\/settings\/change_email\|^\/signout\|^\/welcome\|^\/supporter/)`
Mandate email validation for free accounts. Be sure to set EMAIL_VALIDATION_CUTOFF_DATE before deploy 2016-05-13 16:48:29 -04:00			`redirect "/site/#{current_site.username}/confirm_email"`
hack HTTP AUTH into file upload so @substack can upload stuff 2014-03-27 23:32:29 -07:00			`else`
			`content_type :html, 'charset' => 'utf-8'`
			`redirect '/' if request.post? && !csrf_safe?`
			`end`
			`end`

dont set cookie for api calls 2017-05-21 20:12:47 -07:00			`after do`
			`if @api`
			`request.session_options[:skip] = true`
			`end`
			`end`

Initial CSP header idea - enable tipping site-wide 2017-02-11 15:38:03 -08:00			`#after do`
			`#response.headers['Content-Security-Policy'] = %{block-all-mixed-content; default-src 'self'; connect-src 'self' https://api.stripe.com; frame-src https://www.google.com/recaptcha/ https://js.stripe.com; script-src 'self' 'unsafe-inline' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://js.stripe.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: }`
			`#end`

not found page, contacts 2013-07-13 10:45:15 -04:00			`not_found do`
fix for api 404 2016-10-26 21:34:53 -05:00			`api_not_found if @api`
redirect to the Internet Archive for Geocities site paths before 404ing 2016-12-16 13:42:45 -06:00			`redirect_to_internet_archive_for_geocities_sites`
Not Found for title 2015-06-03 14:51:34 -07:00			`@title = 'Not Found'`
copy changes, fix links 2014-04-22 15:03:29 -07:00			`erb :'not_found'`
not found page, contacts 2013-07-13 10:45:15 -04:00			`end`

error reporting 2013-07-13 11:01:13 -04:00			`error do`
			`EmailWorker.perform_async({`
			`from: 'web@neocities.org',`
			`to: 'errors@neocities.org',`
start of feed and profile integration 2014-04-29 00:03:48 -07:00			`subject: "[Neocities Error] #{env['sinatra.error'].class}: #{env['sinatra.error'].message}",`
fix error email 2015-05-10 09:17:32 +00:00			`body: erb(:'templates/email/error', layout: false),`
no unsubscribe footer for internal emails 2015-04-01 11:35:47 -07:00			`no_footer: true`
error reporting 2013-07-13 11:01:13 -04:00			`})`

tests for api upload, fixes 2014-04-10 22:36:02 -07:00			`if @api`
fix pagination 2014-09-15 03:15:25 -07:00			`api_error 500, 'server_error', 'there has been an unknown server error, please try again later'`
tests for api upload, fixes 2014-04-10 22:36:02 -07:00			`end`

copy changes, fix links 2014-04-22 15:03:29 -07:00			`erb :'error'`
error reporting 2013-07-13 11:01:13 -04:00			`end`

better error reporting to help fix bugs 2015-02-21 14:08:27 -08:00			`Dir['./app/*/.rb'].each {\|f\| require f}`