@vex-chat/spire 0.7.4 → 1.0.0

package/dist/server/index.js

@@ -1,117 +1,642 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.initApp = exports.protect = exports.EXPIRY_TIME = void 0;
-const fs_1 = __importDefault(require("fs"));
-const cookie_parser_1 = __importDefault(require("cookie-parser"));
-const cors_1 = __importDefault(require("cors"));
-const express_1 = __importDefault(require("express"));
-const helmet_1 = __importDefault(require("helmet"));
-const morgan_1 = __importDefault(require("morgan"));
-const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
-const avatar_1 = require("./avatar");
-const file_1 = require("./file");
-const invite_1 = require("./invite");
-const user_1 = require("./user");
+import * as fs from "node:fs";
+import * as fsp from "node:fs/promises";
+import express from "express";
+import { XUtils } from "@vex-chat/crypto";
+import { xSignOpen } from "@vex-chat/crypto";
+import { PreKeysWSSchema, TokenScopes, UserSchema } from "@vex-chat/types";
+import cors from "cors";
+import { fileTypeFromBuffer, fileTypeFromFile } from "file-type";
+import helmet from "helmet";
+import jwt from "jsonwebtoken";
+import morgan from "morgan";
+import multer from "multer";
+import parseDuration from "parse-duration";
+import { stringify as uuidStringify } from "uuid";
+import { z } from "zod/v4";
+import { POWER_LEVELS } from "../ClientManager.js";
+import { JWT_EXPIRY } from "../Spire.js";
+import { getJwtSecret } from "../utils/jwtSecret.js";
+import { msgpack } from "../utils/msgpack.js";
+import { getAvatarRouter } from "./avatar.js";
+import { errorHandler } from "./errors.js";
+import { getFileRouter } from "./file.js";
+import { getInviteRouter } from "./invite.js";
+import { setupDocs } from "./openapi.js";
+import { hasAnyPermission, hasPermission, userHasPermission, } from "./permissions.js";
+import { globalLimiter } from "./rateLimit.js";
+import { getUserRouter } from "./user.js";
+import { censorUser, getParam, getUser } from "./utils.js";
 // expiry of regkeys
-exports.EXPIRY_TIME = 1000 * 60 * 5;
-const checkJwt = (req, res, next) => {
-    if (req.cookies.auth) {
+export const EXPIRY_TIME = 1000 * 60 * 5;
+export const ALLOWED_IMAGE_TYPES = [
+    "image/jpeg",
+    "image/png",
+    "image/gif",
+    "image/apng",
+    "image/avif",
+];
+// ── Zod schemas for trust-boundary validation ──────────────────────────
+const invitePayload = z.object({
+    duration: z.string().min(1),
+    serverID: z.string().min(1),
+});
+const channelPayload = z.object({
+    name: z.string().min(1).max(255),
+});
+const deviceListPayload = z.array(z.string());
+const connectPayload = z.object({
+    signed: z.custom((val) => val instanceof Uint8Array),
+});
+const safePathParam = z.string().regex(/^[a-zA-Z0-9._-]+$/);
+const emojiPayload = z.object({
+    file: z.string().optional(),
+    name: z.string().min(1),
+    signed: z.string().optional(),
+});
+const jwtUserPayload = z.object({
+    exp: z.number().optional(),
+    user: UserSchema,
+});
+const jwtDevicePayload = z.object({
+    device: z.object({
+        deleted: z.boolean(),
+        deviceID: z.string(),
+        lastLogin: z.string(),
+        name: z.string(),
+        owner: z.string(),
+        signKey: z.string(),
+    }),
+});
+/** Extract Bearer token from Authorization header. */
+function extractBearer(req) {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith("Bearer "))
+        return null;
+    return header.slice(7);
+}
+const checkAuth = (req, _res, next) => {
+    const token = extractBearer(req);
+    if (token) {
         try {
-            const result = jsonwebtoken_1.default.verify(req.cookies.auth, process.env.SPK);
-            // lol glad this is a try/catch block
-            req.user = result.user;
+            const result = jwt.verify(token, getJwtSecret());
+            const parsed = jwtUserPayload.safeParse(result);
+            if (parsed.success) {
+                req.user = parsed.data.user;
+                if (parsed.data.exp !== undefined) {
+                    req.exp = parsed.data.exp;
+                }
+                req.bearerToken = token;
+            }
         }
-        catch (err) {
-            console.warn(err.toString());
+        catch {
+            // Token verification failed — continue without auth
         }
     }
     next();
 };
-const protect = (req, res, next) => {
+const checkDevice = (req, _res, next) => {
+    const token = req.headers["x-device-token"];
+    if (typeof token === "string" && token) {
+        try {
+            const result = jwt.verify(token, getJwtSecret());
+            const parsed = jwtDevicePayload.safeParse(result);
+            if (parsed.success) {
+                req.device = parsed.data.device;
+            }
+        }
+        catch {
+            // Device token verification failed — continue without device
+        }
+    }
+    next();
+};
+export const protect = (req, res, next) => {
     if (!req.user) {
         res.sendStatus(401);
         return;
     }
     next();
 };
-exports.protect = protect;
-// 3-19 chars long
+export const msgpackParser = (req, res, next) => {
+    if (req.is("application/msgpack")) {
+        try {
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-argument -- Express req.body is any; decoded body is validated by route-level Zod schemas
+            req.body = msgpack.decode(req.body);
+        }
+        catch {
+            res.sendStatus(400);
+            return;
+        }
+    }
+    next();
+};
+const isProduction = process.env["NODE_ENV"] === "production";
 const directories = ["files", "avatars"];
 for (const dir of directories) {
-    if (!fs_1.default.existsSync(dir)) {
-        fs_1.default.mkdirSync(dir);
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir);
     }
 }
-const initApp = (api, db, log, tokenValidator, signKeys, notify) => {
+export const initApp = (api, db, log, tokenValidator, signKeys, notify) => {
     // INIT ROUTERS
-    const userRouter = user_1.getUserRouter(db, log, tokenValidator);
-    const fileRouter = file_1.getFileRouter(db, log);
-    const avatarRouter = avatar_1.getAvatarRouter(db, log);
-    const inviteRouter = invite_1.getInviteRouter(db, log, tokenValidator, notify);
+    const userRouter = getUserRouter(db, log, tokenValidator);
+    const fileRouter = getFileRouter(db, log);
+    const avatarRouter = getAvatarRouter(db, log);
+    const inviteRouter = getInviteRouter(db, log, tokenValidator, notify);
     // MIDDLEWARE
-    api.use(express_1.default.json({ limit: "20mb" }));
-    api.use(helmet_1.default());
-    api.use(cookie_parser_1.default());
-    api.use(checkJwt);
+    // Global per-IP rate limit is the FIRST middleware so a flooded
+    // source hits the limiter before Express spends any cycles on
+    // body parsing, helmet, or auth. See src/server/rateLimit.ts.
+    api.use(globalLimiter);
+    api.use(express.json({ limit: "20mb" }));
+    api.use(express.raw({
+        limit: "20mb",
+        type: "application/msgpack",
+    }));
+    if (isProduction) {
+        api.use(helmet());
+    }
+    api.use(msgpackParser);
+    api.use(checkAuth);
+    api.use(checkDevice);
     if (!jestRun()) {
-        api.use(morgan_1.default("dev", { stream: process.stdout }));
+        api.use(morgan("dev", { stream: process.stdout }));
     }
-    api.use(cors_1.default({ credentials: true }));
-    // SIMPLE RESOURCES
-    api.get("/server/:id", (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const server = yield db.retrieveServer(req.params.id);
+    api.use(cors({ credentials: true }));
+    api.get("/server/:id", protect, async (req, res) => {
+        const server = await db.retrieveServer(getParam(req, "id"));
         if (server) {
-            return res.send(server);
+            return res.send(msgpack.encode(server));
         }
         else {
+            return res.sendStatus(404);
+        }
+    });
+    api.post("/server/:name", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const serverName = atob(getParam(req, "name"));
+        const server = await db.createServer(serverName, userDetails.userID);
+        res.send(msgpack.encode(server));
+    });
+    api.post("/server/:serverID/invites", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const parsedPayload = invitePayload.safeParse(req.body);
+        if (!parsedPayload.success) {
+            res.status(400).json({
+                error: "Invalid invite payload",
+                issues: parsedPayload.error.issues,
+            });
+            return;
+        }
+        const payload = parsedPayload.data;
+        const serverEntry = await db.retrieveServer(getParam(req, "serverID"));
+        if (!serverEntry) {
             res.sendStatus(404);
+            return;
         }
-    }));
-    api.get("/channel/:id", (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const channel = yield db.retrieveChannel(req.params.id);
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (!hasPermission(permissions, getParam(req, "serverID"), POWER_LEVELS.INVITE)) {
+            log.warn("No permission!");
+            res.sendStatus(401);
+            return;
+        }
+        const duration = parseDuration(payload.duration, "ms");
+        if (!duration) {
+            res.sendStatus(400);
+            return;
+        }
+        const expires = new Date(Date.now() + duration);
+        const invite = await db.createInvite(crypto.randomUUID(), serverEntry.serverID, userDetails.userID, expires.toString());
+        res.send(msgpack.encode(invite));
+    });
+    api.get("/server/:serverID/invites", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (!hasPermission(permissions, getParam(req, "serverID"), POWER_LEVELS.INVITE)) {
+            res.sendStatus(401);
+            return;
+        }
+        const inviteList = await db.retrieveServerInvites(getParam(req, "serverID"));
+        res.send(msgpack.encode(inviteList));
+    });
+    api.delete("/server/:id", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const serverID = getParam(req, "id");
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (hasPermission(permissions, serverID, POWER_LEVELS.DELETE)) {
+            await db.deleteServer(serverID);
+            res.sendStatus(200);
+            return;
+        }
+        res.sendStatus(401);
+    });
+    api.post("/server/:id/channels", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const serverID = getParam(req, "id");
+        // resourceID is serverID
+        const parsedBody = channelPayload.safeParse(req.body);
+        if (!parsedBody.success) {
+            res.status(400).json({
+                error: "Invalid channel payload",
+                issues: parsedBody.error.issues,
+            });
+            return;
+        }
+        const { name } = parsedBody.data;
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (hasPermission(permissions, serverID, POWER_LEVELS.CREATE)) {
+            const channel = await db.createChannel(name, serverID);
+            res.send(msgpack.encode(channel));
+            const affectedUsers = await db.retrieveAffectedUsers(serverID);
+            // tell everyone about server change
+            for (const user of affectedUsers) {
+                notify(user.userID, "serverChange", crypto.randomUUID(), serverID);
+            }
+            return;
+        }
+        res.sendStatus(401);
+    });
+    api.get("/server/:id/channels", protect, async (req, res) => {
+        const serverID = getParam(req, "id");
+        const userDetails = getUser(req);
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (hasAnyPermission(permissions, serverID)) {
+            const channels = await db.retrieveChannels(serverID);
+            res.send(msgpack.encode(channels));
+            return;
+        }
+        res.sendStatus(401);
+    });
+    api.get("/server/:serverID/emoji", protect, async (req, res) => {
+        const rows = await db.retrieveEmojiList(getParam(req, "serverID"));
+        res.send(msgpack.encode(rows));
+    });
+    api.get("/server/:serverID/permissions", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const serverID = getParam(req, "serverID");
+        const permissions = await db.retrievePermissionsByResourceID(serverID);
+        const canSee = permissions.some((perm) => perm.userID === userDetails.userID);
+        if (!canSee) {
+            res.sendStatus(401);
+            return;
+        }
+        res.send(msgpack.encode(permissions));
+    });
+    api.delete("/channel/:id", protect, async (req, res) => {
+        const channelID = getParam(req, "id");
+        const userDetails = getUser(req);
+        const channel = await db.retrieveChannel(channelID);
+        if (!channel) {
+            res.sendStatus(401);
+            return;
+        }
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        for (const permission of permissions) {
+            if (permission.resourceID === channel.serverID &&
+                permission.powerLevel > 50) {
+                await db.deleteChannel(channelID);
+                res.sendStatus(200);
+                const affectedUsers = await db.retrieveAffectedUsers(channel.serverID);
+                // tell everyone about server change
+                for (const user of affectedUsers) {
+                    notify(user.userID, "serverChange", crypto.randomUUID(), channel.serverID);
+                }
+                return;
+            }
+        }
+        res.sendStatus(401);
+    });
+    api.get("/channel/:id", protect, async (req, res) => {
+        const channel = await db.retrieveChannel(getParam(req, "id"));
         if (channel) {
-            return res.send(channel);
+            return res.send(msgpack.encode(channel));
         }
         else {
+            return res.sendStatus(404);
+        }
+    });
+    api.delete("/permission/:permissionID", protect, async (req, res) => {
+        const permissionID = getParam(req, "permissionID");
+        const userDetails = getUser(req);
+        const permToDelete = await db.retrievePermission(permissionID);
+        if (!permToDelete) {
             res.sendStatus(404);
+            return;
         }
-    }));
-    api.post("/deviceList", (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const userIDs = req.body;
-        const devices = yield db.retrieveUserDeviceList(userIDs);
-        res.send(devices);
-    }));
-    api.get("/device/:id", (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const device = yield db.retrieveDevice(req.params.id);
+        const permissions = await db.retrievePermissions(userDetails.userID, permToDelete.resourceType);
+        for (const perm of permissions) {
+            if (perm.resourceID === permToDelete.resourceID &&
+                (perm.userID === userDetails.userID ||
+                    (perm.powerLevel > POWER_LEVELS.DELETE &&
+                        perm.powerLevel > permToDelete.powerLevel))) {
+                await db.deletePermission(permToDelete.permissionID);
+                res.sendStatus(200);
+                return;
+            }
+        }
+        res.sendStatus(401);
+    });
+    api.post("/userList/:channelID", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const channelID = getParam(req, "channelID");
+        const channel = await db.retrieveChannel(channelID);
+        if (!channel) {
+            res.sendStatus(404);
+            return;
+        }
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        for (const permission of permissions) {
+            if (permission.resourceID === channel.serverID) {
+                const groupMembers = await db.retrieveGroupMembers(channelID);
+                res.send(msgpack.encode(groupMembers.map((user) => censorUser(user))));
+                return;
+            }
+        }
+        res.sendStatus(401);
+    });
+    api.post("/deviceList", protect, async (req, res) => {
+        const parsed = deviceListPayload.safeParse(req.body);
+        if (!parsed.success) {
+            res.status(400).json({
+                error: "Expected array of user ID strings",
+                issues: parsed.error.issues,
+            });
+            return;
+        }
+        const devices = await db.retrieveUserDeviceList(parsed.data);
+        res.send(msgpack.encode(devices));
+    });
+    api.get("/device/:id", protect, async (req, res) => {
+        const device = await db.retrieveDevice(getParam(req, "id"));
         if (device) {
-            return res.send(device);
+            return res.send(msgpack.encode(device));
         }
         else {
+            return res.sendStatus(404);
+        }
+    });
+    api.post("/device/:id/keyBundle", protect, async (req, res) => {
+        try {
+            const keyBundle = await db.getKeyBundle(getParam(req, "id"));
+            if (keyBundle) {
+                res.send(msgpack.encode(keyBundle));
+            }
+            else {
+                res.sendStatus(404);
+            }
+        }
+        catch {
+            res.sendStatus(500);
+        }
+    });
+    api.post("/device/:id/mail", protect, async (req, res) => {
+        const deviceDetails = req.device;
+        if (!deviceDetails) {
+            res.sendStatus(401);
+            return;
+        }
+        const inbox = await db.retrieveMail(deviceDetails.deviceID);
+        res.send(msgpack.encode(inbox));
+    });
+    api.post("/device/:id/connect", protect, async (req, res) => {
+        const parsedBody = connectPayload.safeParse(req.body);
+        if (!parsedBody.success) {
+            res.status(400).json({
+                error: "Invalid connect payload",
+                issues: parsedBody.error.issues,
+            });
+            return;
+        }
+        const { signed } = parsedBody.data;
+        const device = await db.retrieveDevice(getParam(req, "id"));
+        if (!device) {
             res.sendStatus(404);
+            return;
         }
-    }));
+        const regKey = xSignOpen(signed, XUtils.decodeHex(device.signKey));
+        if (regKey &&
+            tokenValidator(uuidStringify(regKey), TokenScopes.Connect)) {
+            const token = jwt.sign({ device }, getJwtSecret(), {
+                expiresIn: JWT_EXPIRY,
+            });
+            jwt.verify(token, getJwtSecret());
+            res.send(msgpack.encode({ deviceToken: token }));
+        }
+        else {
+            res.sendStatus(401);
+        }
+    });
+    api.get("/device/:id/otk/count", protect, async (req, res) => {
+        const deviceDetails = req.device;
+        if (!deviceDetails) {
+            res.sendStatus(401);
+            return;
+        }
+        const count = await db.getOTKCount(deviceDetails.deviceID);
+        res.send(msgpack.encode({ count }));
+    });
+    api.post("/device/:id/otk", protect, async (req, res) => {
+        const parsedOTKs = z.array(PreKeysWSSchema).safeParse(req.body);
+        if (!parsedOTKs.success) {
+            res.status(400).json({
+                error: "Invalid OTK payload",
+                issues: parsedOTKs.error.issues,
+            });
+            return;
+        }
+        const submittedOTKs = parsedOTKs.data;
+        if (submittedOTKs.length === 0) {
+            res.sendStatus(200);
+            return;
+        }
+        const userDetails = getUser(req);
+        const deviceID = getParam(req, "id");
+        const otk = submittedOTKs[0];
+        const device = await db.retrieveDevice(deviceID);
+        if (!device || !otk) {
+            res.sendStatus(404);
+            return;
+        }
+        const message = xSignOpen(otk.signature, XUtils.decodeHex(device.signKey));
+        if (!message) {
+            res.sendStatus(401);
+            return;
+        }
+        await db.saveOTK(userDetails.userID, deviceID, submittedOTKs);
+        res.sendStatus(200);
+    });
+    api.get("/emoji/:emojiID/details", protect, async (req, res) => {
+        const emoji = await db.retrieveEmoji(getParam(req, "emojiID"));
+        res.send(msgpack.encode(emoji));
+    });
+    api.get("/emoji/:emojiID", protect, async (req, res) => {
+        const safeId = safePathParam.safeParse(getParam(req, "emojiID"));
+        if (!safeId.success) {
+            res.sendStatus(400);
+            return;
+        }
+        const filePath = "./emoji/" + safeId.data;
+        const typeDetails = await fileTypeFromFile(filePath).catch(() => null);
+        if (!typeDetails) {
+            res.sendStatus(404);
+            return;
+        }
+        res.set("Content-type", typeDetails.mime);
+        res.set("Cache-control", "public, max-age=31536000");
+        const stream = fs.createReadStream(filePath);
+        stream.on("error", (err) => {
+            log.error(err.toString());
+            res.sendStatus(500);
+        });
+        stream.pipe(res);
+    });
+    api.post("/emoji/:serverID/json", protect, async (req, res) => {
+        const parsedPayload = emojiPayload.safeParse(req.body);
+        if (!parsedPayload.success) {
+            res.status(400).json({
+                error: "Invalid emoji payload",
+                issues: parsedPayload.error.issues,
+            });
+            return;
+        }
+        const payload = parsedPayload.data;
+        const userDetails = getUser(req);
+        const device = req.device;
+        if (!device) {
+            res.sendStatus(401);
+            return;
+        }
+        if (!payload.file) {
+            res.sendStatus(400);
+            return;
+        }
+        const buf = Buffer.from(XUtils.decodeBase64(payload.file));
+        const serverEntry = await db.retrieveServer(getParam(req, "serverID"));
+        const permissionList = await db.retrievePermissionsByResourceID(getParam(req, "serverID"));
+        if (!userHasPermission(permissionList, userDetails.userID, POWER_LEVELS.EMOJI)) {
+            res.sendStatus(401);
+            return;
+        }
+        if (!serverEntry) {
+            res.sendStatus(404);
+            return;
+        }
+        if (!payload.name) {
+            res.sendStatus(400);
+        }
+        if (Buffer.byteLength(buf) > 256000) {
+            log.warn("File too big.");
+            res.sendStatus(413);
+        }
+        const mimeType = await fileTypeFromBuffer(buf);
+        if (!ALLOWED_IMAGE_TYPES.includes(mimeType?.mime || "no/type")) {
+            res.status(400).send({
+                error: "Unsupported file type. Expected jpeg, png, gif, apng, or avif but received " +
+                    String(mimeType?.ext),
+            });
+            return;
+        }
+        const emoji = {
+            emojiID: crypto.randomUUID(),
+            name: payload.name,
+            owner: getParam(req, "serverID"),
+        };
+        await db.createEmoji(emoji);
+        try {
+            // write the file to disk
+            await fsp.writeFile("emoji/" + emoji.emojiID, buf);
+            log.info("Wrote new emoji " + emoji.emojiID);
+            res.send(msgpack.encode(emoji));
+        }
+        catch (err) {
+            log.warn(String(err));
+            res.sendStatus(500);
+        }
+    });
+    api.post("/emoji/:serverID", protect, multer().single("emoji"), async (req, res) => {
+        const parsedPayload = emojiPayload.safeParse(req.body);
+        if (!parsedPayload.success) {
+            res.status(400).json({
+                error: "Invalid emoji payload",
+                issues: parsedPayload.error.issues,
+            });
+            return;
+        }
+        const payload = parsedPayload.data;
+        const serverID = getParam(req, "serverID");
+        if (typeof serverID !== "string") {
+            res.sendStatus(400);
+            return;
+        }
+        const serverEntry = await db.retrieveServer(serverID);
+        const userDetails = getUser(req);
+        const deviceDetails = req.device;
+        if (!deviceDetails) {
+            res.sendStatus(401);
+            return;
+        }
+        const permissionList = await db.retrievePermissionsByResourceID(serverID);
+        if (!userHasPermission(permissionList, userDetails.userID, POWER_LEVELS.EMOJI)) {
+            res.sendStatus(401);
+            return;
+        }
+        if (!serverEntry) {
+            res.sendStatus(404);
+            return;
+        }
+        if (!payload.name) {
+            res.sendStatus(400);
+        }
+        if (!req.file) {
+            log.warn("MISSING FILE");
+            res.sendStatus(400);
+            return;
+        }
+        if (Buffer.byteLength(req.file.buffer) > 256000) {
+            log.warn("File too big.");
+            res.sendStatus(413);
+        }
+        const mimeType = await fileTypeFromBuffer(req.file.buffer);
+        if (!ALLOWED_IMAGE_TYPES.includes(mimeType?.mime || "no/type")) {
+            res.status(400).send({
+                error: "Unsupported file type. Expected jpeg, png, gif, apng, or avif but received " +
+                    String(mimeType?.ext),
+            });
+            return;
+        }
+        const emoji = {
+            emojiID: crypto.randomUUID(),
+            name: payload.name,
+            owner: serverID,
+        };
+        await db.createEmoji(emoji);
+        try {
+            // write the file to disk
+            await fsp.writeFile("emoji/" + emoji.emojiID, req.file.buffer);
+            log.info("Wrote new emoji " + emoji.emojiID);
+            res.send(msgpack.encode(emoji));
+        }
+        catch (err) {
+            log.warn(String(err));
+            res.sendStatus(500);
+        }
+    });
     // COMPLEX RESOURCES
     api.use("/user", userRouter);
     api.use("/file", fileRouter);
     api.use("/avatar", avatarRouter);
     api.use("/invite", inviteRouter);
+    setupDocs(api);
+    // Central error handler MUST be last. Handles both thrown AppErrors
+    // (client-safe status + message) and programmer errors (generic 500
+    // with full details logged server-side). See src/server/errors.ts
+    // for the CWE mapping.
+    api.use(errorHandler(log));
 };
-exports.initApp = initApp;
 /**
  * @ignore
  */
 const jestRun = () => {
-    return process.env.JEST_WORKER_ID !== undefined;
+    return process.env["JEST_WORKER_ID"] !== undefined;
 };
+//# sourceMappingURL=index.js.map