import express from 'express'; import cors from 'cors'; import helmet from 'helmet'; import dotenv from 'dotenv'; import { fileURLToPath } from 'url'; import path from 'path'; import bodyParser from 'body-parser'; import bcrypt from 'bcrypt'; import jwt from 'jsonwebtoken'; // For token-based authentication import { initEncryption, encrypt, decrypt, verifyCanary, SENTINEL } from './shared/crypto/encryption.js'; import pool from './config/mysqlPool.js'; // adjust path if needed import sqlite3 from 'sqlite3'; const CANARY_SQL = ` CREATE TABLE IF NOT EXISTS encryption_canary ( id TINYINT NOT NULL PRIMARY KEY, value TEXT NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;`; const __filename = fileURLToPath(import.meta.url); const __dirname = path.dirname(__filename); const rootPath = path.resolve(__dirname, '..'); // Up one level const env = process.env.NODE_ENV?.trim() || 'development'; const envPath = path.resolve(rootPath, `.env.${env}`); dotenv.config({ path: envPath }); // Load .env file // Grab secrets and config from ENV const { JWT_SECRET, CORS_ALLOWED_ORIGINS, SERVER1_PORT = 5000 } = process.env; if (!JWT_SECRET) { console.error('FATAL: JWT_SECRET missing – aborting startup'); process.exit(1); // container exits, Docker marks it unhealthy } if (!CORS_ALLOWED_ORIGINS) { console.error('FATAL: CORS_ALLOWED_ORIGINS missing – aborting startup'); process.exit(1); } /* ─── unwrap / verify DEK before we serve requests ────────────── */ await initEncryption(); try { /* quick connectivity smoke‑test (optional) */ await pool.query('SELECT 1'); /* ① ensure table exists */ await pool.query(CANARY_SQL); /* ② insert sentinel on first run */ await pool.query( 'INSERT IGNORE INTO encryption_canary (id, value) VALUES (1, ?)', [encrypt(SENTINEL)] ); /* ③ read back & verify */ const [rows] = await pool.query( 'SELECT value FROM encryption_canary WHERE id = 1 LIMIT 1' ); const plaintext = decrypt(rows[0]?.value || ''); if (plaintext !== SENTINEL) { throw new Error('DEK mismatch with database sentinel'); } console.log('[ENCRYPT] DEK verified against canary – proceeding'); } catch (err) { console.error('FATAL:', err.message || err); process.exit(1); // container restarts → alert } /* ──────────────────────────────────────────────────────────────── Express app & middleware ---------------------------------------------------------------- */ const app = express(); const PORT = process.env.SERVER1_PORT || 5000; /* ─── Allowed origins for CORS (comma-separated in env) ──────── */ const allowedOrigins = process.env.CORS_ALLOWED_ORIGINS .split(',') .map(o => o.trim()) .filter(Boolean); app.disable('x-powered-by'); app.use(bodyParser.json()); app.use(express.json()); app.use( helmet({ contentSecurityPolicy: false, crossOriginEmbedderPolicy: false, }) ); function fprPathFromEnv() { const p = (process.env.DEK_PATH || '').trim(); return p ? path.join(path.dirname(p), 'dek.fpr') : null; } // 1) Liveness: process is up and event loop responsive app.get('/livez', (_req, res) => res.type('text').send('OK')); // 2) Readiness: crypto + canary are good app.get('/readyz', async (_req, res) => { try { await initEncryption(); // load/unlock DEK await verifyCanary(pool); // DB + decrypt sentinel return res.type('text').send('OK'); } catch (e) { console.error('[READYZ]', e.message); return res.status(500).type('text').send('FAIL'); } }); // 3) Health: detailed JSON (you can curl this to “see everything”) app.get('/healthz', async (_req, res) => { const out = { service: process.env.npm_package_name || 'server', version: process.env.IMG_TAG || null, uptime_s: Math.floor(process.uptime()), now: new Date().toISOString(), checks: { live: { ok: true }, // if we reached here, process is up crypto: { ok: false, fp: null }, db: { ok: false, ping_ms: null }, canary: { ok: false } } }; // crypto / DEK try { await initEncryption(); out.checks.crypto.ok = true; const p = fprPathFromEnv(); if (p) { try { out.checks.crypto.fp = (await readFile(p, 'utf8')).trim(); } catch { /* fp optional */ } } } catch (e) { out.checks.crypto.error = e.message; } // DB ping const t0 = Date.now(); try { await pool.query('SELECT 1'); out.checks.db.ok = true; out.checks.db.ping_ms = Date.now() - t0; } catch (e) { out.checks.db.error = e.message; } // canary try { await verifyCanary(pool); out.checks.canary.ok = true; } catch (e) { out.checks.canary.error = e.message; } const ready = out.checks.crypto.ok && out.checks.db.ok && out.checks.canary.ok; return res.status(ready ? 200 : 503).json(out); }); // Enable CORS with dynamic origin checking app.use( cors({ origin: (origin, callback) => { if (!origin || allowedOrigins.includes(origin)) { callback(null, true); } else { console.error('Blocked by CORS:', origin); callback(new Error('Not allowed by CORS')); } }, methods: ['GET', 'POST', 'OPTIONS'], allowedHeaders: [ 'Authorization', 'Content-Type', 'Accept', 'Origin', 'X-Requested-With', ], credentials: true, }) ); // Handle preflight requests explicitly app.options('*', (req, res) => { res.setHeader('Access-Control-Allow-Origin', req.headers.origin || ''); res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS'); res.setHeader( 'Access-Control-Allow-Headers', 'Authorization, Content-Type, Accept, Origin, X-Requested-With' ); res.status(200).end(); }); // Add HTTP headers for security app.use((req, res, next) => { res.setHeader('X-Content-Type-Options', 'nosniff'); res.setHeader('X-Frame-Options', 'DENY'); res.setHeader( 'Strict-Transport-Security', 'max-age=31536000; includeSubDomains' ); res.setHeader('Content-Security-Policy', "default-src 'self';"); res.removeHeader('X-Powered-By'); next(); }); // Force Content-Type to application/json on all responses app.use((req, res, next) => { res.setHeader('Content-Type', 'application/json'); next(); }); /* ------------------------------------------------------------------ USER REGISTRATION (MySQL) ------------------------------------------------------------------ */ /** * POST /api/register * Body: * username, password, firstname, lastname, email, zipcode, state, area, career_situation */ app.post('/api/register', async (req, res) => { const { username, password, firstname, lastname, email, zipcode, state, area, career_situation, phone_e164, sms_opt_in } = req.body; if (!username || !password || !firstname || !lastname || !email || !zipcode || !state || !area) { return res.status(400).json({ error: 'Missing required fields.' }); } if (sms_opt_in && !/^\+\d{8,15}$/.test(phone_e164 || '')) { return res.status(400).json({ error: 'Phone must be +E.164 format.' }); } try { const hashedPassword = await bcrypt.hash(password, 10); const profileQuery = ` INSERT INTO user_profile (username, firstname, lastname, email, zipcode, state, area, career_situation, phone_e164, sms_opt_in) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?) `; const [resultProfile] = await pool.query(profileQuery, [ username, firstname, lastname, email, zipcode, state, area, career_situation, phone_e164 || null, sms_opt_in ? 1 : 0 ]); const newProfileId = resultProfile.insertId; const authQuery = ` INSERT INTO user_auth (user_id, username, hashed_password) VALUES (?, ?, ?) `; await pool.query(authQuery, [newProfileId, username, hashedPassword]); const token = jwt.sign({ id: newProfileId }, JWT_SECRET, { expiresIn: '2h' }); const userPayload = { username, firstname, lastname, email, zipcode, state, area, career_situation, phone_e164, sms_opt_in: !!sms_opt_in }; return res.status(201).json({ message: 'User registered successfully', profileId: newProfileId, token, user: userPayload }); } catch (err) { console.error('Error during registration:', err.message); return res.status(500).json({ error: 'Internal server error' }); } }); /* ------------------------------------------------------------------ SIGN-IN (MySQL) ------------------------------------------------------------------ */ /** * POST /api/signin * Body: { username, password } * Returns JWT signed with user_profile.id */ app.post('/api/signin', async (req, res) => { const { username, password } = req.body; if (!username || !password) { return res .status(400) .json({ error: 'Both username and password are required' }); } // SELECT only the columns you actually have: // 'ua.id' is user_auth's primary key, // 'ua.user_id' references user_profile.id, // and we alias user_profile.id as profileId for clarity. const query = ` SELECT ua.id AS authId, ua.user_id AS userProfileId, ua.hashed_password, up.firstname, up.lastname, up.email, up.zipcode, up.state, up.area, up.career_situation FROM user_auth ua LEFT JOIN user_profile up ON ua.user_id = up.id WHERE ua.username = ? `; try { const [results] = await pool.query(query, [username]); if (!results || results.length === 0) { return res.status(401).json({ error: 'Invalid username or password' }); } const row = results[0]; // Compare password with bcrypt const isMatch = await bcrypt.compare(password, row.hashed_password); if (!isMatch) { return res.status(401).json({ error: 'Invalid username or password' }); } // Return user info + token // 'authId' is user_auth's PK, but typically you won't need it on the client // 'row.userProfileId' is the actual user_profile.id const [profileRows] = await pool.query( 'SELECT firstname, lastname, email, zipcode, state, area, career_situation \ FROM user_profile WHERE id = ?', [row.userProfileId] ); const profile = profileRows[0]; // ← already decrypted const token = jwt.sign({ id: row.userProfileId }, JWT_SECRET, { expiresIn: '2h' }); res.status(200).json({ message: 'Login successful', token, id: row.userProfileId, user: profile }); } catch (err) { console.error('Error querying user_auth:', err.message); return res .status(500) .json({ error: 'Failed to query user authentication data' }); } }); /* ------------------------------------------------------------------ CHECK USERNAME (MySQL) ------------------------------------------------------------------ */ app.get('/api/check-username/:username', async (req, res) => { const { username } = req.params; try { const [results] = await pool.query(`SELECT username FROM user_auth WHERE username = ?`, [username]); res.status(200).json({ exists: results.length > 0 }); } catch (err) { console.error('Error checking username:', err.message); res.status(500).json({ error: 'Database error' }); } }); /* ------------------------------------------------------------------ UPSERT USER PROFILE (MySQL) ------------------------------------------------------------------ */ /** * POST /api/user-profile * Headers: { Authorization: Bearer } * Body: { userName, firstName, lastName, email, zipCode, state, area, ... } * * If user_profile row exists (id = token.id), update * else insert */ app.post('/api/user-profile', async (req, res) => { const token = req.headers.authorization?.split(' ')[1]; if (!token) { return res.status(401).json({ error: 'Authorization token is required' }); } let profileId; try { const decoded = jwt.verify(token, JWT_SECRET); profileId = decoded.id; } catch (error) { console.error('JWT verification failed:', error); return res.status(401).json({ error: 'Invalid or expired token' }); } const { userName, firstName, lastName, email, zipCode, state, area, careerSituation, interest_inventory_answers, riasec: riasec_scores, career_priorities, career_list, } = req.body; try { const [results] = await pool.query( `SELECT * FROM user_profile WHERE id = ?`, [profileId] ); const existingRow = results.length > 0 ? results[0] : null; if ( !existingRow && (!firstName || !lastName || !email || !zipCode || !state || !area) ) { return res.status(400).json({ error: 'All fields are required for initial profile creation.', }); } const finalAnswers = interest_inventory_answers !== undefined ? interest_inventory_answers : existingRow?.interest_inventory_answers || null; const finalCareerPriorities = career_priorities !== undefined ? career_priorities : existingRow?.career_priorities || null; const finalCareerList = career_list !== undefined ? career_list : existingRow?.career_list || null; const finalUserName = userName !== undefined ? userName : existingRow?.username || null; const finalRiasec = riasec_scores ? JSON.stringify(riasec_scores) : existingRow?.riasec_scores || null; if (existingRow) { const updateQuery = ` UPDATE user_profile SET username = ?, firstname = ?, lastname = ?, email = ?, zipcode = ?, state = ?, area = ?, career_situation = ?, interest_inventory_answers = ?, riasec_scores = ?, career_priorities = ?, career_list = ? WHERE id = ? `; const params = [ finalUserName, firstName || existingRow.firstname, lastName || existingRow.lastname, email || existingRow.email, zipCode || existingRow.zipcode, state || existingRow.state, area || existingRow.area, careerSituation || existingRow.career_situation, finalAnswers, finalRiasec, finalCareerPriorities, finalCareerList, profileId, ]; await pool.query(updateQuery, params); return res .status(200) .json({ message: 'User profile updated successfully' }); } else { const insertQuery = ` INSERT INTO user_profile (id, username, firstname, lastname, email, zipcode, state, area, career_situation, interest_inventory_answers, riasec_scores, career_priorities, career_list) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) `; const params = [ profileId, finalUserName, firstName, lastName, email, zipCode, state, area, careerSituation || null, finalAnswers, finalRiasec, finalCareerPriorities, finalCareerList, ]; await pool.query(insertQuery, params); return res .status(201) .json({ message: 'User profile created successfully', id: profileId }); } } catch (err) { console.error('Error upserting user profile:', err.message); return res.status(500).json({ error: 'Internal server error' }); } }); /* ------------------------------------------------------------------ FETCH USER PROFILE (MySQL) ------------------------------------------------------------------ */ app.get('/api/user-profile', async (req, res) => { const token = req.headers.authorization?.split(' ')[1]; if (!token) return res.status(401).json({ error: 'Authorization token is required' }); let profileId; try { const decoded = jwt.verify(token, JWT_SECRET); profileId = decoded.id; } catch (error) { return res.status(401).json({ error: 'Invalid or expired token' }); } try { const [results] = await pool.query('SELECT * FROM user_profile WHERE id = ?', [profileId]); if (!results || results.length === 0) { return res.status(404).json({ error: 'User profile not found' }); } res.status(200).json(results[0]); } catch (err) { console.error('Error fetching user profile:', err.message); res.status(500).json({ error: 'Internal server error' }); } }); /* ------------------------------------------------------------------ SALARY_INFO REMAINS IN SQLITE ------------------------------------------------------------------ */ app.get('/api/areas', (req, res) => { const { state } = req.query; if (!state) { return res.status(400).json({ error: 'State parameter is required' }); } // Use env when present (Docker), fall back for local dev const salaryDbPath = process.env.SALARY_DB_PATH // ← preferred || process.env.SALARY_DB // ← legacy || '/app/salary_info.db'; // final fallback const salaryDb = new sqlite3.Database( salaryDbPath, sqlite3.OPEN_READONLY, (err) => { if (err) { console.error('DB connect error:', err.message); return res .status(500) .json({ error: 'Failed to connect to database' }); } } ); const query = `SELECT DISTINCT AREA_TITLE FROM salary_data WHERE PRIM_STATE = ?`; salaryDb.all(query, [state], (err, rows) => { if (err) { console.error('Query error:', err.message); return res .status(500) .json({ error: 'Failed to fetch areas' }); } res.json({ areas: rows.map(r => r.AREA_TITLE) }); }); salaryDb.close(); }); /* ------------------------------------------------------------------ PREMIUM UPGRADE ENDPOINT ------------------------------------------------------------------ */ app.post('/api/activate-premium', async (req, res) => { const token = req.headers.authorization?.split(' ')[1]; if (!token) return res.status(401).json({ error: 'Authorization token is required' }); let profileId; try { const decoded = jwt.verify(token, JWT_SECRET); profileId = decoded.id; } catch (error) { return res.status(401).json({ error: 'Invalid or expired token' }); } try { await pool.query(` UPDATE user_profile SET is_premium = 1, is_pro_premium = 1 WHERE id = ? `, [profileId]); res.status(200).json({ message: 'Premium activated successfully' }); } catch (err) { console.error('Error updating premium status:', err.message); res.status(500).json({ error: 'Failed to activate premium' }); } }); /* ------------------------------------------------------------------ START SERVER ------------------------------------------------------------------ */ app.listen(PORT, () => { console.log(`Server running on http://localhost:${PORT}`); });