This repository has been archived on 2024-08-21. You can view files and clone it, but cannot push or open issues or pull requests.
Marsell Kukuljevic 8672439358 Changed how paths are handled by server.js, to more closely match the Angular
dev environment. New paths:

/api/login: redirects to SSO
/api: all calls (other than above) are sent to cloudapi
/: static content served from static/

All API calls to cloudapi now pass through server.js's HTTP /api, not /.

The static/static path is now gone, since it was causing too much trouble.
static/ is now a symlink directly to app/dist, which is where a fresh Angular
build appears when app/ is built.
2021-04-10 21:50:50 +02:00

189 lines
5.6 KiB
Executable File

'use strict';
// Copyright 2021 Spearhead Systems S.R.L.
const mod_restify = require('restify');
const mod_cueball = require('cueball');
const mod_crypto = require('crypto');
const mod_fs = require('fs');
const mod_sdcauth = require('smartdc-auth');
// Globals that are assigned to by main(). They are used by proxy() and login().
let CONFIG = {};
let PRIVATE_KEY = '';
let CLOUDAPI = {};
let SIGNER = {};
const LOGIN_PATH = '/api/login';
const API_PATH = '/api'; // all calls here go to cloudapi
const API_RE = new RegExp('^' + API_PATH + '/');
const STATIC_RE = new RegExp('^/');
// Take any HTTP request that has a token, sign that request with an
// HTTP-Signature header, and pass it along to cloudapi. Return any response
// from cloudapi to our client caller. Effectively this function is a proxy
// that solely signs the request as it passes through.
function proxy(req, res, cb) {
console.log('### proxy', req.url)
// return data from cloudapi to the client caller
function proxyReturn(err, _, res2, data) {
if (err && !res2) {
return cb();
// bypass the convenient send() method to avoid a serialization step
res.writeHead(res2.statusCode, res2.headers);
return cb();
// check the X-Auth-Token is present
if (req.header('X-Auth-Token') == undefined) {
res.send({'Error': 'X-Auth-Token header missing'});
return cb();
// strip off /api from path before forwarding to cloudapi
let url = req.url.substr(API_PATH.length);
// sign the request before forwarding to cloudapi
let headers = req.headers;
var rs = mod_sdcauth.requestSigner({ sign: SIGNER }); = rs.writeDateHeader();
rs.writeTarget(req.method, url);
rs.sign(function signedCb(err, authz) {
if (err) {
return (cb(err));
headers.authorization = authz;
const opts = {
path: url,
headers: headers
// make the call to cloudapi
switch (req.method) {
case 'GET': CLOUDAPI.get(opts, proxyReturn); break;
case 'DELETE': CLOUDAPI.del(opts, proxyReturn); break;
case 'HEAD': CLOUDAPI.head(opts, proxyReturn); break;
case 'POST':, req.body, proxyReturn); break;
case 'PUT': CLOUDAPI.put(opts, req.body, proxyReturn); break;
// Redirect to SSO with (signed) details that the SSO will need to generate a
// secure token. Once the user successfully logs in, the token is returned
// through an SSO redirect to token() below.
function login(req, res, cb) {
console.log('### login');
const query = {
permissions: '{"cloudapi":["/my/*"]}',
returnto: CONFIG.urls.local,
now: new Date().toUTCString(),
keyid: '/' + CONFIG.key.user + '/keys/' +,
nonce: mod_crypto.randomBytes(15).toString('base64')
// the query args MUST be sorted for SSO to validate
const querystr = Object.keys(query).sort().map(function encode(key) {
return key + '=' + encodeURIComponent(query[key]);
let url = CONFIG.urls.sso + '/login?' + querystr;
const signer = mod_crypto.createSign('sha256');
const signature = signer.sign(PRIVATE_KEY, 'base64');
url += '&sig=' + encodeURIComponent(signature);
res.json({ url });
// Start up HTTP server and pool of cloudapi clients.
// Read from config file, establish crypto singer needed for requests to
// cloudapi, prepare pool of HTTP clients for communication to cloudapi, and
// start up HTTP server.
function main() {
// load config and private key
const configStr = mod_fs.readFileSync(process.argv[2]);
CONFIG = JSON.parse(configStr);
PRIVATE_KEY = mod_fs.readFileSync(CONFIG.key.path);
// signer is used for signing requests made to cloudapi with HTTP-Signature
SIGNER = mod_sdcauth.privateKeySigner({
user: CONFIG.key.user
// enable pool of clients to cloudapi
CLOUDAPI = mod_restify.createStringClient({
url: CONFIG.urls.cloudapi,
agent: new mod_cueball.HttpsAgent({
spares: 0,
maximum: 4,
recovery: {
default: {
timeout: 2000,
retries: 2,
delay: 250,
maxDelay: 1000
CLOUDAPI_HOST = CONFIG.urls.cloudapi.split('/')[2];
// prepare HTTP server
const options = {
key: mod_fs.readFileSync(CONFIG.server.key),
cert: mod_fs.readFileSync(CONFIG.server.cert)
const server = mod_restify.createServer(options);
// login path is /api/login
server.get(LOGIN_PATH, login);
// all cloudapi calls are proxied through /api
server.get(API_RE, proxy);
server.put(API_RE, proxy);
server.del(API_RE, proxy);, proxy);
server.head(API_RE, proxy);
// where to serve static content from
server.get(STATIC_RE, mod_restify.plugins.serveStatic({
directory: 'static',
default: 'index.html'
// enable HTTP server
server.listen(CONFIG.server.port, function listening() {
console.log('%s listening at %s',, server.url);