babolivier
/
smam


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243
							var pug         = require('pug');
var nodemailer  = require('nodemailer');
var crypto      = require('crypto');
var settings    = require('./settings');

// Web server
var bodyParser  = require('body-parser');
var cors        = require('cors');
var express     = require('express');
var app = express();

// Logging
var printit = require('printit');
var log = printit({
    prefix: 'SMAM',
    date: true
});


// nodemailer initial configuration
var transporter = nodemailer.createTransport(settings.mailserver);


// Verification tokens
var tokens = {};


// Serve static (JS + HTML) files
app.use(express.static('front'));
// Body parsing
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
// Allow cross-origin requests.
var corsOptions = {
  origin: settings.formOrigin,
  optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204
};
app.use(cors(corsOptions));
// Taking care of preflight requests
app.options('*', cors(corsOptions));


// A request on /register generates a token and store it, along the user's
// address, on the tokens object
app.get('/register', function(req, res, next) {
    // Get IP from express
    let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
    if(tokens[ip] === undefined) {
        tokens[ip] = [];
    }
    // Generate token
    crypto.randomBytes(10, (err, buf) => { 
        let token = buf.toString('hex');
        // Store and send the token
        tokens[ip].push({
            token: token,
            // A token expires after 12h
            expire: new Date().getTime() + 12 * 3600 * 1000
        });
        res.status(200).send(token);
    });
});


// A request on /send with user input = mail to be sent
app.post('/send', function(req, res, next) {
    // Response will be JSON
    res.header('Access-Control-Allow-Headers', 'Content-Type');
    
    if(!checkBody(req.body)) {
        return res.status(400).send();
    }
    
    let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
    
    if(!checkToken(ip, req.body.token)) {
        return res.status(403).send();
    }
    
    // Count the failures
    let status = {
        failed: 0,
        total: settings.recipients.length
    };
    
    // params will be used as:
    // - values for html generation from the pug template
    // - parameters for sending the mail(s)
    let params = {
        subject: req.body.subj,
        from: req.body.name + '<' + settings.mailserver.auth.user + '>',
        replyTo: req.body.name + ' <' + req.body.addr + '>',
        html: req.body.text
    };
    
    // Replacing the mail's content with HTML from the pug template
    // Commenting the line below will bypass the generation and only user the
    // text entered by the user
    params.html = pug.renderFile('template.pug', params);
    
    log.info('Sending message from ' + params.replyTo);
    
    // Send the email to all users
    sendMails(params, function(err, infos) {
        if(err) {
            log.error(err);
        }
        logStatus(infos);
    }, function() {
        if(status.failed === status.total) {
            res.status(500).send();
        } else {
            res.status(200).send();
        }
    })
});


// Use either the default port or the one chosen by the user (PORT env variable)
var port = process.env.PORT || 1970;
// Same for the host (using the HOST env variable)
var host = process.env.HOST || '0.0.0.0';
// Start the server
app.listen(port, host, function() {
    log.info('Server started on ' + host + ':' + port);
});


// Run the clean every hour
var tokensChecks = setTimeout(cleanTokens, 3600 * 1000);


// Send mails to the recipients specified in the JSON settings file
// content: object containing mail params
//  {
//      subject: String
//      from: String (following RFC 1036 (https://tools.ietf.org/html/rfc1036#section-2.1.1))
//      html: String
//  }
// update(next, infos): Called each time a mail is sent with the infos provided
//                      by nodemailer
// done(): Called once each mail has been sent
function sendMails(params, update, done) {
    let mails = settings.recipients.map((recipient) => {
        // Promise for each recipient to send each mail asynchronously
        return new Promise((sent) => {
            params.to = recipient;
            // Send the email
            transporter.sendMail(params, (err, infos) => {
                if(err) {
                    return update(err, recipient);
                }
                update(null, infos);
                // Promise callback
                sent();
            });
        });
    });
    // Run all the promises (= send all the mails)
    Promise.all(mails).then(done);
}


// Produces log from the infos provided by nodemailer
// infos: infos provided by nodemailer
// return: nothing
function logStatus(infos) {
    if(infos.accepted.length !== 0) {
        log.info('Message sent to ' + infos.accepted[0]);
    }
    if(infos.rejected.length !== 0) {
        status.failed++;
        log.info('Message failed to send to ' + infos.rejected[0]);
    }
}


// Checks if the request's sender has been registered (and unregister it if not)
// ip: sender's IP address
// token: token used by the sender
// return: true if the user was registered, false else
function checkToken(ip, token) {
    let verified = false;
    
    // Check if there's at least one token for this IP
    if(tokens[ip] !== undefined) {
        if(tokens[ip].length !== 0) {
            // There's at least one element for this IP, let's check the tokens
            for(var i = 0; i < tokens[ip].length; i++) {
                if(!tokens[ip][i].token.localeCompare(token)) {
                    // We found the right token
                    verified = true;
                    // Removing the token
                    tokens[ip].pop(tokens[ip][i]);
                    break;
                }
            }
        } 
    }
    
    if(!verified) {
        log.warn(ip + ' just tried to send a message with an invalid token');
    }
    
    return verified;
}


// Checks if all the required fields are in the request body
// body: body taken from express's request object
// return: true if the body is valid, false else
function checkBody(body) {
    let valid = false;
    
    if(body.token !== undefined && body.subj !== undefined 
        && body.name !== undefined && body.addr !== undefined 
        && body.text !== undefined) {
        valid = true;
    }
    
    return valid;
}


// Checks the tokens object to see if no token has expired
// return: nothing
function cleanTokens() {
    // Get current time for comparison
    let now = new Date().getTime();
    
    for(let ip in tokens) { // Check for each IP in the object
        for(let token of tokens[ip]) { // Check for each token of an IP
            if(token.expire < now) { // Token has expired
                tokens[ip].pop(token);
            }
        }
        if(tokens[ip].length === 0) { // No more element for this IP
            delete tokens[ip];
        }
    }
    
    log.info('Cleared expired tokens');
}