@studious-lms/server 1.4.0 → 1.4.2

package/src/index.ts

@@ -13,6 +13,7 @@ import { bucket } from './lib/googleCloudStorage.js';
 import { prisma } from './lib/prisma.js';
 import { pusher } from './lib/pusher.js';
 import { connectRedis, disconnectRedis } from './lib/redis.js';
+import { createCorsOriginMatcher } from './lib/config/cors.js';
 
 import { authLimiter, generalLimiter, helmetConfig, uploadLimiter } from './middleware/security.js';
 
@@ -27,6 +28,8 @@ import { openAIClient } from './utils/inference.js';
 
 const app = express();
 
+app.set('trust proxy', 1);
+
 app.use(helmetConfig);
 app.use(compression());
 app.use(express.json());
@@ -38,34 +41,24 @@ app.use((req, res, next) => {
   next();
 });
 
-const allowedOrigins = env.NODE_ENV === 'production'
-? [
-    'https://www.studious.sh',
-    'https://studious.sh',
-    'https://dev.studious.sh',
-    'https://www.dev.studious.sh',
-    env.NEXT_PUBLIC_APP_URL,
-    'http://localhost:3000',
-
-  ].filter(Boolean)
-: [
-    'http://localhost:3000',
-    'http://localhost:3001',
-    'http://127.0.0.1:3000',
-    'http://127.0.0.1:3001',
-
-    env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
-  ];
+const { allowedOrigins, allowedOriginPatterns, isAllowedOrigin } = createCorsOriginMatcher(env);
 
 // CORS middleware
 app.use(cors({
-  origin: allowedOrigins,
+  origin: (origin, callback) => {
+    if (!origin || isAllowedOrigin(origin)) {
+      callback(null, true);
+      return;
+    }
+
+    logger.warn('CORS origin rejected', { origin, allowedOrigins });
+    callback(null, false);
+  },
   credentials: true,
   methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
   allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With', 'x-user'],
-  preflightContinue: false, // Important: stop further handling of OPTIONS
-  optionsSuccessStatus: 204, // Recommended for modern browsers
-
+  preflightContinue: false,
+  optionsSuccessStatus: 204,
 }));
 
 app.use(generalLimiter);
@@ -243,15 +236,9 @@ app.post('/api/pusher/auth', async (req, res) => {
 // Setup Socket.IO
 const io = new Server(httpServer, {
   cors: {
-    origin: [
-      'http://localhost:3000',  // Frontend development server
-      'http://localhost:3001',  // Server port
-      'http://127.0.0.1:3000',  // Alternative localhost
-      'http://127.0.0.1:3001',  // Alternative localhost
-      'https://www.studious.sh',  // Production frontend
-      'https://studious.sh',     // Production frontend (without www)
-      env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
-    ],
+    origin: (origin, callback) => {
+      callback(null, !origin || isAllowedOrigin(origin));
+    },
     methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
     credentials: true,
     allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With', 'Access-Control-Allow-Origin', 'x-user']
@@ -491,20 +478,13 @@ function handleFileUpload(req: any, res: any) {
     
     // Set CORS headers for upload endpoint
     const origin = req.headers.origin;
-    const allowedOrigins = [
-      'http://localhost:3000',
-      'http://localhost:3001', 
-      'http://127.0.0.1:3000',
-      'http://127.0.0.1:3001',
-      'https://www.studious.sh',  // Production frontend
-      'https://studious.sh',     // Production frontend (without www)
-      env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
-    ];
     
-    if (origin && allowedOrigins.includes(origin)) {
+    if (origin && !isAllowedOrigin(origin)) {
+      return res.status(403).json({ error: 'Origin not allowed' });
+    }
+
+    if (origin) {
       res.header('Access-Control-Allow-Origin', origin);
-    } else {
-      res.header('Access-Control-Allow-Origin', 'http://localhost:3000');
     }
     
     res.header('Access-Control-Allow-Credentials', 'true');
@@ -550,6 +530,19 @@ function handleFileUpload(req: any, res: any) {
 // Create caller
 const createCaller = createCallerFactory(appRouter);
 
+// Fallback OPTIONS handler — prevents tRPC from rejecting preflight requests
+// when the cors middleware passes through without ending the response.
+app.options('/trpc/*', (req, res) => {
+  const origin = req.headers.origin;
+  if (origin && isAllowedOrigin(origin)) {
+    res.setHeader('Access-Control-Allow-Origin', origin);
+    res.setHeader('Access-Control-Allow-Credentials', 'true');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With, x-user');
+  }
+  res.sendStatus(204);
+});
+
 // Setup tRPC middleware
 app.use(
   '/trpc',
@@ -594,13 +587,8 @@ logger.info('Configurations', {
 
 // Log CORS configuration
 logger.info('CORS Configuration', {
-  allowedOrigins: [
-    'http://localhost:3000',
-    'http://localhost:3001', 
-    'http://127.0.0.1:3000',
-    'http://127.0.0.1:3001',
-    env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
-  ]
+  allowedOrigins,
+  allowedOriginPatterns: allowedOriginPatterns.map((pattern) => pattern.source),
 });
 
 const gracefulShutdown = (signal: string) => {
@@ -632,4 +620,4 @@ const gracefulShutdown = (signal: string) => {
 };
 
 process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
-process.on('SIGINT', () => gracefulShutdown('SIGINT'));
+process.on('SIGINT', () => gracefulShutdown('SIGINT'));

package/src/lib/config/cors.ts

@@ -0,0 +1,96 @@
+type CorsEnv = {
+  NODE_ENV?: 'development' | 'production' | 'test';
+  NEXT_PUBLIC_APP_URL?: string;
+  CORS_ALLOWED_ORIGINS?: string;
+  CORS_ALLOWED_ORIGIN_PATTERNS?: string;
+};
+
+const productionOrigins = [
+  'https://www.studious.sh',
+  'https://studious.sh',
+  'https://dev.studious.sh',
+  'https://www.dev.studious.sh',
+];
+
+const nonProductionOrigins = [
+  'http://localhost:3000',
+  'http://localhost:3001',
+  'http://127.0.0.1:3000',
+  'http://127.0.0.1:3001',
+];
+const MAX_PATTERN_LENGTH = 200;
+// This heuristic only targets common nested-quantifier cases like `(a+)+`.
+// It does not catch every risky construct (for example `.*.*` or deep alternation nesting),
+// so `parseCorsOriginPatterns` should still be limited to operator-controlled, anchored patterns.
+const SUSPICIOUS_QUANTIFIER_PATTERN = /(\([^)]*[+*{][^)]*\)|\[[^\]]+[+*{][^\]]*\])[+*{]/;
+
+const parseList = (value?: string) =>
+  value
+    ?.split(',')
+    .map((item) => item.trim())
+    .filter(Boolean) ?? [];
+
+const isDefined = <T>(value: T | undefined | null): value is T => Boolean(value);
+
+const toCorsOrigin = (value: string) => {
+  try {
+    return new URL(value).origin;
+  } catch {
+    return value.replace(/\/+$/, '');
+  }
+};
+
+export const parseCorsOrigins = (origins?: string) =>
+  parseList(origins).map(toCorsOrigin);
+
+const validateCorsOriginPattern = (pattern: string) => {
+  if (pattern.length > MAX_PATTERN_LENGTH) {
+    throw new Error(`CORS pattern exceeds maximum length of ${MAX_PATTERN_LENGTH}`);
+  }
+
+  // Prefer short, anchored patterns and avoid other complex regex features even if they pass this check.
+  if (SUSPICIOUS_QUANTIFIER_PATTERN.test(pattern)) {
+    throw new Error("CORS pattern contains nested or ambiguous quantifiers");
+  }
+
+  return pattern;
+};
+
+// Patterns are operator-controlled and matched against bounded URL origins, so ReDoS risk is low.
+// Syntax validation does not guarantee safety; prefer anchored patterns and avoid nested quantifiers.
+export const parseCorsOriginPatterns = (patterns?: string) =>
+  parseList(patterns).map((pattern) => new RegExp(validateCorsOriginPattern(pattern)));
+
+export const isValidCorsOriginPatternList = (patterns?: string) => {
+  try {
+    parseCorsOriginPatterns(patterns);
+    return true;
+  } catch {
+    return false;
+  }
+};
+
+export const createCorsOriginMatcher = (env: CorsEnv) => {
+  const allowedOrigins = Array.from(new Set([
+    ...(env.NODE_ENV === 'production' ? productionOrigins : nonProductionOrigins),
+    env.NEXT_PUBLIC_APP_URL ? toCorsOrigin(env.NEXT_PUBLIC_APP_URL) : undefined,
+    ...parseCorsOrigins(env.CORS_ALLOWED_ORIGINS),
+  ].filter(isDefined)));
+
+  const allowedOriginPatterns = parseCorsOriginPatterns(env.CORS_ALLOWED_ORIGIN_PATTERNS);
+
+  const isAllowedOrigin = (origin?: string) => {
+    const corsOrigin = origin ? toCorsOrigin(origin) : undefined;
+
+    return Boolean(corsOrigin && (
+      allowedOrigins.includes(corsOrigin) ||
+      allowedOriginPatterns.some((pattern) => pattern.test(corsOrigin))
+    ));
+  };
+
+  return {
+    allowedOrigins,
+    allowedOriginPatterns,
+    isAllowedOrigin,
+  };
+};

package/src/lib/config/env.ts

@@ -2,6 +2,7 @@ import { z } from 'zod';
 import dotenv from 'dotenv';
 import { resolve } from 'path';
 import { logger } from '../../utils/logger.js';
+import { isValidCorsOriginPatternList } from './cors.js';
 
 // Determine which env file to load based on NODE_ENV
 const nodeEnv = process.env.NODE_ENV || 'development';
@@ -23,6 +24,12 @@ dotenv.config({ path: envPath, override: true }); // Override with env-specific
 const isTest = nodeEnv === 'test';
 const isProduction = nodeEnv === 'production';
 
+const corsAllowedOriginsSchema = z.string().optional();
+const corsAllowedOriginPatternsSchema = z.string().optional().refine(
+  isValidCorsOriginPatternList,
+  { message: 'CORS_ALLOWED_ORIGIN_PATTERNS must contain valid regex patterns' }
+);
+
 // Base schema with required vars for all environments
 const baseSchema = z.object({
   NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
@@ -33,6 +40,8 @@ const baseSchema = z.object({
 // Production/development schema with all required vars
 const fullSchema = baseSchema.extend({
   NEXT_PUBLIC_APP_URL: z.string().url().default('http://localhost:3000'),
+  CORS_ALLOWED_ORIGINS: corsAllowedOriginsSchema,
+  CORS_ALLOWED_ORIGIN_PATTERNS: corsAllowedOriginPatternsSchema,
   BACKEND_URL: z.string().url().default('http://localhost:3001'),
   SENTRY_DSN: z.string().url().optional(),
   EMAIL_HOST: z.string().min(1, 'EMAIL_HOST is required'),
@@ -59,6 +68,8 @@ const fullSchema = baseSchema.extend({
 // Test schema - only require what's needed for tests
 const testSchema = baseSchema.extend({
   NEXT_PUBLIC_APP_URL: z.string().url().optional().default('http://localhost:3000'),
+  CORS_ALLOWED_ORIGINS: corsAllowedOriginsSchema,
+  CORS_ALLOWED_ORIGIN_PATTERNS: corsAllowedOriginPatternsSchema,
   BACKEND_URL: z.string().url().optional().default('http://localhost:3001'),
   SENTRY_DSN: z.string().url().optional(),
   EMAIL_HOST: z.string().optional().default('smtp.test.com'),
@@ -129,4 +140,4 @@ function validateEnv() {
 export const env = validateEnv();
 
 // Type-safe environment access
-export type Env = z.infer<typeof envSchema>;
+export type Env = z.infer<typeof envSchema>;

package/src/lib/prisma.ts

@@ -12,13 +12,32 @@ const getLogLevel = () => {
   }
 }
 
+const getDatabaseUrl = () => {
+  try {
+    const url = new URL(env.DATABASE_URL);
+    // Reduce per-instance DB pressure in hosted/serverless environments.
+    if (env.NODE_ENV === 'production') {
+      if (!url.searchParams.has('connection_limit')) {
+        url.searchParams.set('connection_limit', '1');
+      }
+      if (!url.searchParams.has('pool_timeout')) {
+        url.searchParams.set('pool_timeout', '20');
+      }
+    }
+    return url.toString();
+  } catch {
+    return env.DATABASE_URL;
+  }
+};
+
 const prismaClientSingleton = () => {
-  // return new PrismaClient({
-  //   log: env.NODE_ENV === 'development' 
-  //     ? ['query', 'error', 'warn'] 
-  //     : ['error'],
-  // });
-  return new PrismaClient();
+  return new PrismaClient({
+    datasources: {
+      db: {
+        url: getDatabaseUrl(),
+      },
+    },
+  });
 };
 
 // Prevent multiple instances of Prisma Client in development

package/src/middleware/security.ts

@@ -19,7 +19,7 @@ const rateLimitHandler = (req: Request, res: Response) => {
 
 // General API rate limiter - applies to all routes
 export const generalLimiter = rateLimit({
-  windowMs: 10 * 60, // 10 minutes
+  windowMs: 10 * 60 * 1000, // 10 minutes
   max: 100, // Limit each IP to 100 requests per windowMs
   message: 'Too many requests from this IP, please try again later.',
   standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers