@vex-chat/spire 0.8.0 → 1.0.0

package/dist/server/index.js

@@ -1,520 +1,519 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.initApp = exports.msgpackParser = exports.protect = exports.ALLOWED_IMAGE_TYPES = exports.EXPIRY_TIME = void 0;
-const fs_1 = __importDefault(require("fs"));
-const types_1 = require("@vex-chat/types");
-const cookie_parser_1 = __importDefault(require("cookie-parser"));
-const cors_1 = __importDefault(require("cors"));
-const express_1 = __importDefault(require("express"));
-const helmet_1 = __importDefault(require("helmet"));
-const morgan_1 = __importDefault(require("morgan"));
-const parse_duration_1 = __importDefault(require("parse-duration"));
-const crypto_1 = require("@vex-chat/crypto");
-const atob_1 = __importDefault(require("atob"));
-const file_type_1 = __importDefault(require("file-type"));
-const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
-const msgpack_lite_1 = __importDefault(require("msgpack-lite"));
-const multer_1 = __importDefault(require("multer"));
-const tweetnacl_1 = __importDefault(require("tweetnacl"));
-const avatar_1 = require("./avatar");
-const file_1 = require("./file");
-const invite_1 = require("./invite");
-const user_1 = require("./user");
-const uuid = __importStar(require("uuid"));
-const ClientManager_1 = require("../ClientManager");
-const Spire_1 = require("../Spire");
-const utils_1 = require("./utils");
+import * as fs from "node:fs";
+import * as fsp from "node:fs/promises";
+import express from "express";
+import { XUtils } from "@vex-chat/crypto";
+import { xSignOpen } from "@vex-chat/crypto";
+import { PreKeysWSSchema, TokenScopes, UserSchema } from "@vex-chat/types";
+import cors from "cors";
+import { fileTypeFromBuffer, fileTypeFromFile } from "file-type";
+import helmet from "helmet";
+import jwt from "jsonwebtoken";
+import morgan from "morgan";
+import multer from "multer";
+import parseDuration from "parse-duration";
+import { stringify as uuidStringify } from "uuid";
+import { z } from "zod/v4";
+import { POWER_LEVELS } from "../ClientManager.js";
+import { JWT_EXPIRY } from "../Spire.js";
+import { getJwtSecret } from "../utils/jwtSecret.js";
+import { msgpack } from "../utils/msgpack.js";
+import { getAvatarRouter } from "./avatar.js";
+import { errorHandler } from "./errors.js";
+import { getFileRouter } from "./file.js";
+import { getInviteRouter } from "./invite.js";
+import { setupDocs } from "./openapi.js";
+import { hasAnyPermission, hasPermission, userHasPermission, } from "./permissions.js";
+import { globalLimiter } from "./rateLimit.js";
+import { getUserRouter } from "./user.js";
+import { censorUser, getParam, getUser } from "./utils.js";
 // expiry of regkeys
-exports.EXPIRY_TIME = 1000 * 60 * 5;
-exports.ALLOWED_IMAGE_TYPES = [
+export const EXPIRY_TIME = 1000 * 60 * 5;
+export const ALLOWED_IMAGE_TYPES = [
     "image/jpeg",
     "image/png",
     "image/gif",
     "image/apng",
     "image/avif",
 ];
-const TokenScopes = types_1.XTypes.HTTP.TokenScopes;
-const checkAuth = (req, res, next) => {
-    if (req.cookies.auth) {
+// ── Zod schemas for trust-boundary validation ──────────────────────────
+const invitePayload = z.object({
+    duration: z.string().min(1),
+    serverID: z.string().min(1),
+});
+const channelPayload = z.object({
+    name: z.string().min(1).max(255),
+});
+const deviceListPayload = z.array(z.string());
+const connectPayload = z.object({
+    signed: z.custom((val) => val instanceof Uint8Array),
+});
+const safePathParam = z.string().regex(/^[a-zA-Z0-9._-]+$/);
+const emojiPayload = z.object({
+    file: z.string().optional(),
+    name: z.string().min(1),
+    signed: z.string().optional(),
+});
+const jwtUserPayload = z.object({
+    exp: z.number().optional(),
+    user: UserSchema,
+});
+const jwtDevicePayload = z.object({
+    device: z.object({
+        deleted: z.boolean(),
+        deviceID: z.string(),
+        lastLogin: z.string(),
+        name: z.string(),
+        owner: z.string(),
+        signKey: z.string(),
+    }),
+});
+/** Extract Bearer token from Authorization header. */
+function extractBearer(req) {
+    const header = req.headers.authorization;
+    if (!header || !header.startsWith("Bearer "))
+        return null;
+    return header.slice(7);
+}
+const checkAuth = (req, _res, next) => {
+    const token = extractBearer(req);
+    if (token) {
         try {
-            const result = jsonwebtoken_1.default.verify(req.cookies.auth, process.env.SPK);
-            // lol glad this is a try/catch block
-            req.user = result.user;
-            req.exp = result.exp;
+            const result = jwt.verify(token, getJwtSecret());
+            const parsed = jwtUserPayload.safeParse(result);
+            if (parsed.success) {
+                req.user = parsed.data.user;
+                if (parsed.data.exp !== undefined) {
+                    req.exp = parsed.data.exp;
+                }
+                req.bearerToken = token;
+            }
         }
-        catch (err) {
-            console.warn(err.toString());
+        catch {
+            // Token verification failed — continue without auth
         }
     }
     next();
 };
-const checkDevice = (req, res, next) => {
-    if (req.cookies.device) {
+const checkDevice = (req, _res, next) => {
+    const token = req.headers["x-device-token"];
+    if (typeof token === "string" && token) {
         try {
-            const result = jsonwebtoken_1.default.verify(req.cookies.device, process.env.SPK);
-            // lol glad this is a try/catch block
-            req.device = result.device;
+            const result = jwt.verify(token, getJwtSecret());
+            const parsed = jwtDevicePayload.safeParse(result);
+            if (parsed.success) {
+                req.device = parsed.data.device;
+            }
         }
-        catch (err) {
-            console.warn(err.toString());
+        catch {
+            // Device token verification failed — continue without device
         }
     }
     next();
 };
-const protect = (req, res, next) => {
+export const protect = (req, res, next) => {
     if (!req.user) {
         res.sendStatus(401);
-        throw new Error("not authenticated!");
+        return;
     }
     next();
 };
-exports.protect = protect;
-const msgpackParser = (req, res, next) => {
+export const msgpackParser = (req, res, next) => {
     if (req.is("application/msgpack")) {
         try {
-            req.body = msgpack_lite_1.default.decode(req.body);
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-argument -- Express req.body is any; decoded body is validated by route-level Zod schemas
+            req.body = msgpack.decode(req.body);
         }
-        catch (err) {
+        catch {
             res.sendStatus(400);
             return;
         }
     }
     next();
 };
-exports.msgpackParser = msgpackParser;
+const isProduction = process.env["NODE_ENV"] === "production";
 const directories = ["files", "avatars"];
 for (const dir of directories) {
-    if (!fs_1.default.existsSync(dir)) {
-        fs_1.default.mkdirSync(dir);
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir);
     }
 }
-const initApp = (api, db, log, tokenValidator, signKeys, notify) => {
+export const initApp = (api, db, log, tokenValidator, signKeys, notify) => {
     // INIT ROUTERS
-    const userRouter = user_1.getUserRouter(db, log, tokenValidator);
-    const fileRouter = file_1.getFileRouter(db, log);
-    const avatarRouter = avatar_1.getAvatarRouter(db, log);
-    const inviteRouter = invite_1.getInviteRouter(db, log, tokenValidator, notify);
+    const userRouter = getUserRouter(db, log, tokenValidator);
+    const fileRouter = getFileRouter(db, log);
+    const avatarRouter = getAvatarRouter(db, log);
+    const inviteRouter = getInviteRouter(db, log, tokenValidator, notify);
     // MIDDLEWARE
-    api.use(express_1.default.json({ limit: "20mb" }));
-    api.use(express_1.default.raw({
-        type: "application/msgpack",
+    // Global per-IP rate limit is the FIRST middleware so a flooded
+    // source hits the limiter before Express spends any cycles on
+    // body parsing, helmet, or auth. See src/server/rateLimit.ts.
+    api.use(globalLimiter);
+    api.use(express.json({ limit: "20mb" }));
+    api.use(express.raw({
         limit: "20mb",
+        type: "application/msgpack",
     }));
-    api.use(helmet_1.default());
-    api.use(cookie_parser_1.default());
-    api.use(exports.msgpackParser);
+    if (isProduction) {
+        api.use(helmet());
+    }
+    api.use(msgpackParser);
     api.use(checkAuth);
     api.use(checkDevice);
     if (!jestRun()) {
-        api.use(morgan_1.default("dev", { stream: process.stdout }));
+        api.use(morgan("dev", { stream: process.stdout }));
     }
-    api.use(cors_1.default({ credentials: true }));
-    api.get("/server/:id", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const server = yield db.retrieveServer(req.params.id);
+    api.use(cors({ credentials: true }));
+    api.get("/server/:id", protect, async (req, res) => {
+        const server = await db.retrieveServer(getParam(req, "id"));
         if (server) {
-            return res.send(msgpack_lite_1.default.encode(server));
+            return res.send(msgpack.encode(server));
         }
         else {
-            res.sendStatus(404);
+            return res.sendStatus(404);
         }
-    }));
-    api.post("/server/:name", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const userDetails = req.user;
-        const serverName = atob_1.default(req.params.name);
-        const server = yield db.createServer(serverName, userDetails.userID);
-        res.send(msgpack_lite_1.default.encode(server));
-    }));
-    api.post("/server/:serverID/invites", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const userDetails = req.user;
-        const payload = req.body;
-        const serverEntry = yield db.retrieveServer(req.params.serverID);
+    });
+    api.post("/server/:name", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const serverName = atob(getParam(req, "name"));
+        const server = await db.createServer(serverName, userDetails.userID);
+        res.send(msgpack.encode(server));
+    });
+    api.post("/server/:serverID/invites", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const parsedPayload = invitePayload.safeParse(req.body);
+        if (!parsedPayload.success) {
+            res.status(400).json({
+                error: "Invalid invite payload",
+                issues: parsedPayload.error.issues,
+            });
+            return;
+        }
+        const payload = parsedPayload.data;
+        const serverEntry = await db.retrieveServer(getParam(req, "serverID"));
         if (!serverEntry) {
             res.sendStatus(404);
             return;
         }
-        const permissions = yield db.retrievePermissions(userDetails.userID, "server");
-        let hasPermission = false;
-        for (const permission of permissions) {
-            if (permission.resourceID === req.params.serverID &&
-                permission.powerLevel > ClientManager_1.POWER_LEVELS.INVITE) {
-                hasPermission = true;
-            }
-        }
-        if (!hasPermission) {
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (!hasPermission(permissions, getParam(req, "serverID"), POWER_LEVELS.INVITE)) {
             log.warn("No permission!");
             res.sendStatus(401);
             return;
         }
-        const duration = parse_duration_1.default(payload.duration, "ms");
+        const duration = parseDuration(payload.duration, "ms");
         if (!duration) {
             res.sendStatus(400);
             return;
         }
         const expires = new Date(Date.now() + duration);
-        const invite = yield db.createInvite(uuid.v4(), serverEntry.serverID, userDetails.userID, expires.toString());
-        res.send(msgpack_lite_1.default.encode(invite));
-    }));
-    api.get("/server/:serverID/invites", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const userDetails = req.user;
-        const permissions = yield db.retrievePermissions(userDetails.userID, "server");
-        let hasPermission = false;
-        for (const permission of permissions) {
-            if (permission.resourceID === req.params.serverID &&
-                permission.powerLevel > ClientManager_1.POWER_LEVELS.INVITE) {
-                hasPermission = true;
-            }
-        }
-        if (!hasPermission) {
+        const invite = await db.createInvite(crypto.randomUUID(), serverEntry.serverID, userDetails.userID, expires.toString());
+        res.send(msgpack.encode(invite));
+    });
+    api.get("/server/:serverID/invites", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (!hasPermission(permissions, getParam(req, "serverID"), POWER_LEVELS.INVITE)) {
             res.sendStatus(401);
             return;
         }
-        const inviteList = yield db.retrieveServerInvites(req.params.serverID);
-        res.send(msgpack_lite_1.default.encode(inviteList));
-    }));
-    api.delete("/server/:id", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const userDetails = req.user;
-        const serverID = req.params.id;
-        const permissions = yield db.retrievePermissions(userDetails.userID, "server");
-        for (const permission of permissions) {
-            if (permission.resourceID === serverID &&
-                permission.powerLevel > ClientManager_1.POWER_LEVELS.DELETE) {
-                // msg.data is the serverID
-                yield db.deleteServer(serverID);
-                res.sendStatus(200);
-                return;
-            }
+        const inviteList = await db.retrieveServerInvites(getParam(req, "serverID"));
+        res.send(msgpack.encode(inviteList));
+    });
+    api.delete("/server/:id", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const serverID = getParam(req, "id");
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (hasPermission(permissions, serverID, POWER_LEVELS.DELETE)) {
+            await db.deleteServer(serverID);
+            res.sendStatus(200);
+            return;
         }
         res.sendStatus(401);
-    }));
-    api.post("/server/:id/channels", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const userDetails = req.user;
-        const serverID = req.params.id;
+    });
+    api.post("/server/:id/channels", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const serverID = getParam(req, "id");
         // resourceID is serverID
-        const { name } = req.body;
-        const permissions = yield db.retrievePermissions(userDetails.userID, "server");
-        for (const permission of permissions) {
-            if (permission.resourceID === serverID &&
-                permission.powerLevel > ClientManager_1.POWER_LEVELS.CREATE) {
-                const channel = yield db.createChannel(name, serverID);
-                res.send(msgpack_lite_1.default.encode(channel));
-                const affectedUsers = yield db.retrieveAffectedUsers(serverID);
-                // tell everyone about server change
-                for (const user of affectedUsers) {
-                    notify(user.userID, "serverChange", uuid.v4(), serverID);
-                }
-                return;
-            }
+        const parsedBody = channelPayload.safeParse(req.body);
+        if (!parsedBody.success) {
+            res.status(400).json({
+                error: "Invalid channel payload",
+                issues: parsedBody.error.issues,
+            });
+            return;
         }
-        res.sendStatus(401);
-    }));
-    api.get("/server/:id/channels", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const serverID = req.params.id;
-        const userDetails = req.user;
-        const permissions = yield db.retrievePermissions(userDetails.userID, "server");
-        for (const permission of permissions) {
-            if (serverID === permission.resourceID) {
-                const channels = yield db.retrieveChannels(permission.resourceID);
-                res.send(msgpack_lite_1.default.encode(channels));
-                return;
+        const { name } = parsedBody.data;
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (hasPermission(permissions, serverID, POWER_LEVELS.CREATE)) {
+            const channel = await db.createChannel(name, serverID);
+            res.send(msgpack.encode(channel));
+            const affectedUsers = await db.retrieveAffectedUsers(serverID);
+            // tell everyone about server change
+            for (const user of affectedUsers) {
+                notify(user.userID, "serverChange", crypto.randomUUID(), serverID);
             }
+            return;
         }
         res.sendStatus(401);
-    }));
-    api.get("/server/:serverID/emoji", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const rows = yield db.retrieveEmojiList(req.params.serverID);
-        res.send(msgpack_lite_1.default.encode(rows));
-    }));
-    api.get("/server/:serverID/permissions", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const userDetails = req.user;
-        const serverID = req.params.serverID;
-        try {
-            const permissions = yield db.retrievePermissionsByResourceID(serverID);
-            if (permissions) {
-                let found = false;
-                for (const perm of permissions) {
-                    if (perm.userID === userDetails.userID) {
-                        res.send(msgpack_lite_1.default.encode(permissions));
-                        found = true;
-                        break;
-                    }
-                }
-                if (!found) {
-                    res.sendStatus(401);
-                    return;
-                }
-            }
-            else {
-                res.sendStatus(404);
-            }
+    });
+    api.get("/server/:id/channels", protect, async (req, res) => {
+        const serverID = getParam(req, "id");
+        const userDetails = getUser(req);
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        if (hasAnyPermission(permissions, serverID)) {
+            const channels = await db.retrieveChannels(serverID);
+            res.send(msgpack.encode(channels));
+            return;
         }
-        catch (err) {
-            res.status(500).send(err.toString());
+        res.sendStatus(401);
+    });
+    api.get("/server/:serverID/emoji", protect, async (req, res) => {
+        const rows = await db.retrieveEmojiList(getParam(req, "serverID"));
+        res.send(msgpack.encode(rows));
+    });
+    api.get("/server/:serverID/permissions", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const serverID = getParam(req, "serverID");
+        const permissions = await db.retrievePermissionsByResourceID(serverID);
+        const canSee = permissions.some((perm) => perm.userID === userDetails.userID);
+        if (!canSee) {
+            res.sendStatus(401);
+            return;
         }
-    }));
-    api.delete("/channel/:id", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const channelID = req.params.id;
-        const userDetails = req.user;
-        const channel = yield db.retrieveChannel(channelID);
+        res.send(msgpack.encode(permissions));
+    });
+    api.delete("/channel/:id", protect, async (req, res) => {
+        const channelID = getParam(req, "id");
+        const userDetails = getUser(req);
+        const channel = await db.retrieveChannel(channelID);
         if (!channel) {
             res.sendStatus(401);
             return;
         }
-        const permissions = yield db.retrievePermissions(userDetails.userID, "server");
-        let found = false;
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
         for (const permission of permissions) {
             if (permission.resourceID === channel.serverID &&
                 permission.powerLevel > 50) {
-                found = true;
-                // msg.data is the channelID
-                yield db.deleteChannel(channelID);
+                await db.deleteChannel(channelID);
                 res.sendStatus(200);
-                const affectedUsers = yield db.retrieveAffectedUsers(channel.serverID);
+                const affectedUsers = await db.retrieveAffectedUsers(channel.serverID);
                 // tell everyone about server change
                 for (const user of affectedUsers) {
-                    notify(user.userID, "serverChange", uuid.v4(), channel.serverID);
+                    notify(user.userID, "serverChange", crypto.randomUUID(), channel.serverID);
                 }
                 return;
             }
         }
         res.sendStatus(401);
-    }));
-    api.get("/channel/:id", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const channel = yield db.retrieveChannel(req.params.id);
+    });
+    api.get("/channel/:id", protect, async (req, res) => {
+        const channel = await db.retrieveChannel(getParam(req, "id"));
         if (channel) {
-            return res.send(msgpack_lite_1.default.encode(channel));
+            return res.send(msgpack.encode(channel));
         }
         else {
+            return res.sendStatus(404);
+        }
+    });
+    api.delete("/permission/:permissionID", protect, async (req, res) => {
+        const permissionID = getParam(req, "permissionID");
+        const userDetails = getUser(req);
+        const permToDelete = await db.retrievePermission(permissionID);
+        if (!permToDelete) {
             res.sendStatus(404);
+            return;
         }
-    }));
-    api.delete("/permission/:permissionID", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const permissionID = req.params.permissionID;
-        const userDetails = req.user;
-        try {
-            // msg.data is permID
-            const permToDelete = yield db.retrievePermission(permissionID);
-            if (!permToDelete) {
-                res.sendStatus(404);
+        const permissions = await db.retrievePermissions(userDetails.userID, permToDelete.resourceType);
+        for (const perm of permissions) {
+            if (perm.resourceID === permToDelete.resourceID &&
+                (perm.userID === userDetails.userID ||
+                    (perm.powerLevel > POWER_LEVELS.DELETE &&
+                        perm.powerLevel > permToDelete.powerLevel))) {
+                await db.deletePermission(permToDelete.permissionID);
+                res.sendStatus(200);
                 return;
             }
-            const permissions = yield db.retrievePermissions(userDetails.userID, permToDelete.resourceType);
-            for (const perm of permissions) {
-                // msg.data is resourceID
-                if (perm.resourceID === permToDelete.resourceID &&
-                    (perm.userID === userDetails.userID ||
-                        (perm.powerLevel > ClientManager_1.POWER_LEVELS.DELETE &&
-                            perm.powerLevel > permToDelete.powerLevel))) {
-                    db.deletePermission(permToDelete.permissionID);
-                    res.sendStatus(200);
-                    return;
-                }
-            }
-            res.sendStatus(401);
-            return;
         }
-        catch (err) {
-            res.status(500).send(err.toString());
+        res.sendStatus(401);
+    });
+    api.post("/userList/:channelID", protect, async (req, res) => {
+        const userDetails = getUser(req);
+        const channelID = getParam(req, "channelID");
+        const channel = await db.retrieveChannel(channelID);
+        if (!channel) {
+            res.sendStatus(404);
+            return;
         }
-    }));
-    api.post("/userList/:channelID", (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const userDetails = req.user;
-        const channelID = req.params.channelID;
-        try {
-            const channel = yield db.retrieveChannel(channelID);
-            if (!channel) {
-                res.sendStatus(404);
+        const permissions = await db.retrievePermissions(userDetails.userID, "server");
+        for (const permission of permissions) {
+            if (permission.resourceID === channel.serverID) {
+                const groupMembers = await db.retrieveGroupMembers(channelID);
+                res.send(msgpack.encode(groupMembers.map((user) => censorUser(user))));
                 return;
             }
-            const permissions = yield db.retrievePermissions(userDetails.userID, "server");
-            for (const permission of permissions) {
-                if (permission.resourceID === channel.serverID) {
-                    // we've got the permission, it's ok to give them the userlist
-                    const groupMembers = yield db.retrieveGroupMembers(channelID);
-                    res.send(msgpack_lite_1.default.encode(groupMembers.map((user) => utils_1.censorUser(user))));
-                }
-            }
         }
-        catch (err) {
-            log.error(err.toString());
-            res.status(500).send(err.toString());
+        res.sendStatus(401);
+    });
+    api.post("/deviceList", protect, async (req, res) => {
+        const parsed = deviceListPayload.safeParse(req.body);
+        if (!parsed.success) {
+            res.status(400).json({
+                error: "Expected array of user ID strings",
+                issues: parsed.error.issues,
+            });
+            return;
         }
-    }));
-    api.post("/deviceList", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const userIDs = req.body;
-        const devices = yield db.retrieveUserDeviceList(userIDs);
-        res.send(msgpack_lite_1.default.encode(devices));
-    }));
-    api.get("/device/:id", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const device = yield db.retrieveDevice(req.params.id);
+        const devices = await db.retrieveUserDeviceList(parsed.data);
+        res.send(msgpack.encode(devices));
+    });
+    api.get("/device/:id", protect, async (req, res) => {
+        const device = await db.retrieveDevice(getParam(req, "id"));
         if (device) {
-            return res.send(msgpack_lite_1.default.encode(device));
+            return res.send(msgpack.encode(device));
         }
         else {
-            res.sendStatus(404);
+            return res.sendStatus(404);
         }
-    }));
-    api.post("/device/:id/keyBundle", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
+    });
+    api.post("/device/:id/keyBundle", protect, async (req, res) => {
         try {
-            const keyBundle = yield db.getKeyBundle(req.params.id);
+            const keyBundle = await db.getKeyBundle(getParam(req, "id"));
             if (keyBundle) {
-                res.send(msgpack_lite_1.default.encode(keyBundle));
+                res.send(msgpack.encode(keyBundle));
             }
             else {
                 res.sendStatus(404);
             }
         }
-        catch (err) {
+        catch {
             res.sendStatus(500);
         }
-    }));
-    api.post("/device/:id/mail", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const deviceDetails = req
-            .device;
+    });
+    api.post("/device/:id/mail", protect, async (req, res) => {
+        const deviceDetails = req.device;
         if (!deviceDetails) {
             res.sendStatus(401);
             return;
         }
-        try {
-            const inbox = yield db.retrieveMail(deviceDetails.deviceID);
-            res.send(msgpack_lite_1.default.encode(inbox));
-        }
-        catch (err) {
-            res.status(500).send(err.toString());
+        const inbox = await db.retrieveMail(deviceDetails.deviceID);
+        res.send(msgpack.encode(inbox));
+    });
+    api.post("/device/:id/connect", protect, async (req, res) => {
+        const parsedBody = connectPayload.safeParse(req.body);
+        if (!parsedBody.success) {
+            res.status(400).json({
+                error: "Invalid connect payload",
+                issues: parsedBody.error.issues,
+            });
+            return;
         }
-    }));
-    api.post("/device/:id/connect", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const { signed } = req.body;
-        const device = yield db.retrieveDevice(req.params.id);
+        const { signed } = parsedBody.data;
+        const device = await db.retrieveDevice(getParam(req, "id"));
         if (!device) {
             res.sendStatus(404);
             return;
         }
-        const regKey = tweetnacl_1.default.sign.open(signed, crypto_1.XUtils.decodeHex(device.signKey));
+        const regKey = xSignOpen(signed, XUtils.decodeHex(device.signKey));
         if (regKey &&
-            tokenValidator(uuid.stringify(regKey), TokenScopes.Connect)) {
-            const token = jsonwebtoken_1.default.sign({ device }, process.env.SPK, {
-                expiresIn: Spire_1.JWT_EXPIRY,
+            tokenValidator(uuidStringify(regKey), TokenScopes.Connect)) {
+            const token = jwt.sign({ device }, getJwtSecret(), {
+                expiresIn: JWT_EXPIRY,
             });
-            jsonwebtoken_1.default.verify(token, process.env.SPK);
-            res.cookie("device", token, { path: "/" });
-            res.sendStatus(200);
+            jwt.verify(token, getJwtSecret());
+            res.send(msgpack.encode({ deviceToken: token }));
         }
         else {
             res.sendStatus(401);
         }
-    }));
-    api.get("/device/:id/otk/count", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const deviceDetails = req
-            .device;
+    });
+    api.get("/device/:id/otk/count", protect, async (req, res) => {
+        const deviceDetails = req.device;
         if (!deviceDetails) {
             res.sendStatus(401);
             return;
         }
-        try {
-            const count = yield db.getOTKCount(deviceDetails.deviceID);
-            res.send(msgpack_lite_1.default.encode({ count }));
+        const count = await db.getOTKCount(deviceDetails.deviceID);
+        res.send(msgpack.encode({ count }));
+    });
+    api.post("/device/:id/otk", protect, async (req, res) => {
+        const parsedOTKs = z.array(PreKeysWSSchema).safeParse(req.body);
+        if (!parsedOTKs.success) {
+            res.status(400).json({
+                error: "Invalid OTK payload",
+                issues: parsedOTKs.error.issues,
+            });
             return;
         }
-        catch (err) {
-            res.status(500).send(err.toString());
+        const submittedOTKs = parsedOTKs.data;
+        if (submittedOTKs.length === 0) {
+            res.sendStatus(200);
+            return;
         }
-    }));
-    api.post("/device/:id/otk", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const submittedOTKs = req.body;
-        const userDetails = req.user;
-        const deviceID = req.params.id;
-        const [otk] = submittedOTKs;
-        const device = yield db.retrieveDevice(deviceID);
-        if (!device) {
+        const userDetails = getUser(req);
+        const deviceID = getParam(req, "id");
+        const otk = submittedOTKs[0];
+        const device = await db.retrieveDevice(deviceID);
+        if (!device || !otk) {
             res.sendStatus(404);
             return;
         }
-        const message = tweetnacl_1.default.sign.open(otk.signature, crypto_1.XUtils.decodeHex(device.signKey));
+        const message = xSignOpen(otk.signature, XUtils.decodeHex(device.signKey));
         if (!message) {
             res.sendStatus(401);
             return;
         }
-        try {
-            yield db.saveOTK(userDetails.userID, deviceID, submittedOTKs);
-            res.sendStatus(200);
-        }
-        catch (err) {
-            res.status(500).send(err.toString());
+        await db.saveOTK(userDetails.userID, deviceID, submittedOTKs);
+        res.sendStatus(200);
+    });
+    api.get("/emoji/:emojiID/details", protect, async (req, res) => {
+        const emoji = await db.retrieveEmoji(getParam(req, "emojiID"));
+        res.send(msgpack.encode(emoji));
+    });
+    api.get("/emoji/:emojiID", protect, async (req, res) => {
+        const safeId = safePathParam.safeParse(getParam(req, "emojiID"));
+        if (!safeId.success) {
+            res.sendStatus(400);
+            return;
         }
-    }));
-    api.get("/emoji/:emojiID/details", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const emoji = yield db.retrieveEmoji(req.params.emojiID);
-        res.send(msgpack_lite_1.default.encode(emoji));
-    }));
-    api.get("/emoji/:emojiID", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const stream = fs_1.default.createReadStream("./emoji/" + req.params.emojiID);
-        stream.on("error", (err) => {
-            // log.error(err.toString());
+        const filePath = "./emoji/" + safeId.data;
+        const typeDetails = await fileTypeFromFile(filePath).catch(() => null);
+        if (!typeDetails) {
             res.sendStatus(404);
-        });
-        const typeDetails = yield file_type_1.default.fromStream(stream);
-        if (typeDetails) {
-            res.set("Content-type", typeDetails.mime);
+            return;
         }
+        res.set("Content-type", typeDetails.mime);
         res.set("Cache-control", "public, max-age=31536000");
-        const stream2 = fs_1.default.createReadStream("./emoji/" + req.params.emojiID);
-        stream2.on("error", (err) => {
+        const stream = fs.createReadStream(filePath);
+        stream.on("error", (err) => {
             log.error(err.toString());
             res.sendStatus(500);
         });
-        stream2.pipe(res);
-    }));
-    api.post("/emoji/:serverID/json", exports.protect, (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const payload = req.body;
-        const userDetails = req.user;
+        stream.pipe(res);
+    });
+    api.post("/emoji/:serverID/json", protect, async (req, res) => {
+        const parsedPayload = emojiPayload.safeParse(req.body);
+        if (!parsedPayload.success) {
+            res.status(400).json({
+                error: "Invalid emoji payload",
+                issues: parsedPayload.error.issues,
+            });
+            return;
+        }
+        const payload = parsedPayload.data;
+        const userDetails = getUser(req);
         const device = req.device;
         if (!device) {
             res.sendStatus(401);
             return;
         }
-        const buf = Buffer.from(crypto_1.XUtils.decodeBase64(payload.file));
-        const serverEntry = yield db.retrieveServer(req.params.serverID);
-        const permissionList = yield db.retrievePermissionsByResourceID(req.params.serverID);
-        let hasPermission = false;
-        for (const permission of permissionList) {
-            if (permission.userID === userDetails.userID &&
-                permission.powerLevel > ClientManager_1.POWER_LEVELS.EMOJI) {
-                hasPermission = true;
-                break;
-            }
+        if (!payload.file) {
+            res.sendStatus(400);
+            return;
         }
-        if (!hasPermission) {
+        const buf = Buffer.from(XUtils.decodeBase64(payload.file));
+        const serverEntry = await db.retrieveServer(getParam(req, "serverID"));
+        const permissionList = await db.retrievePermissionsByResourceID(getParam(req, "serverID"));
+        if (!userHasPermission(permissionList, userDetails.userID, POWER_LEVELS.EMOJI)) {
             res.sendStatus(401);
             return;
         }
@@ -526,54 +525,58 @@ const initApp = (api, db, log, tokenValidator, signKeys, notify) => {
             res.sendStatus(400);
         }
         if (Buffer.byteLength(buf) > 256000) {
-            console.warn("File to big.");
+            log.warn("File too big.");
             res.sendStatus(413);
         }
-        const mimeType = yield file_type_1.default.fromBuffer(buf);
-        if (!exports.ALLOWED_IMAGE_TYPES.includes((mimeType === null || mimeType === void 0 ? void 0 : mimeType.mime) || "no/type")) {
+        const mimeType = await fileTypeFromBuffer(buf);
+        if (!ALLOWED_IMAGE_TYPES.includes(mimeType?.mime || "no/type")) {
             res.status(400).send({
-                error: "Unsupported file type. Expected jpeg, png, gif, apng, or avif but received " + (mimeType === null || mimeType === void 0 ? void 0 : mimeType.ext),
+                error: "Unsupported file type. Expected jpeg, png, gif, apng, or avif but received " +
+                    String(mimeType?.ext),
             });
             return;
         }
         const emoji = {
-            emojiID: uuid.v4(),
-            owner: req.params.serverID,
+            emojiID: crypto.randomUUID(),
             name: payload.name,
+            owner: getParam(req, "serverID"),
         };
-        yield db.createEmoji(emoji);
+        await db.createEmoji(emoji);
         try {
             // write the file to disk
-            fs_1.default.writeFile("emoji/" + emoji.emojiID, buf, () => {
-                log.info("Wrote new emoji " + emoji.emojiID);
-            });
-            res.send(msgpack_lite_1.default.encode(emoji));
+            await fsp.writeFile("emoji/" + emoji.emojiID, buf);
+            log.info("Wrote new emoji " + emoji.emojiID);
+            res.send(msgpack.encode(emoji));
         }
         catch (err) {
-            log.warn(err);
+            log.warn(String(err));
             res.sendStatus(500);
         }
-    }));
-    api.post("/emoji/:serverID", exports.protect, multer_1.default().single("emoji"), (req, res) => __awaiter(void 0, void 0, void 0, function* () {
-        const payload = req.body;
-        const serverEntry = yield db.retrieveServer(req.params.serverID);
-        const userDetails = req.user;
-        const deviceDetails = req
-            .device;
+    });
+    api.post("/emoji/:serverID", protect, multer().single("emoji"), async (req, res) => {
+        const parsedPayload = emojiPayload.safeParse(req.body);
+        if (!parsedPayload.success) {
+            res.status(400).json({
+                error: "Invalid emoji payload",
+                issues: parsedPayload.error.issues,
+            });
+            return;
+        }
+        const payload = parsedPayload.data;
+        const serverID = getParam(req, "serverID");
+        if (typeof serverID !== "string") {
+            res.sendStatus(400);
+            return;
+        }
+        const serverEntry = await db.retrieveServer(serverID);
+        const userDetails = getUser(req);
+        const deviceDetails = req.device;
         if (!deviceDetails) {
             res.sendStatus(401);
             return;
         }
-        const permissionList = yield db.retrievePermissionsByResourceID(req.params.serverID);
-        let hasPermission = false;
-        for (const permission of permissionList) {
-            if (permission.userID === userDetails.userID &&
-                permission.powerLevel > ClientManager_1.POWER_LEVELS.EMOJI) {
-                hasPermission = true;
-                break;
-            }
-        }
-        if (!hasPermission) {
+        const permissionList = await db.retrievePermissionsByResourceID(serverID);
+        if (!userHasPermission(permissionList, userDetails.userID, POWER_LEVELS.EMOJI)) {
             res.sendStatus(401);
             return;
         }
@@ -585,49 +588,55 @@ const initApp = (api, db, log, tokenValidator, signKeys, notify) => {
             res.sendStatus(400);
         }
         if (!req.file) {
-            console.warn("MISSING FILE");
+            log.warn("MISSING FILE");
             res.sendStatus(400);
             return;
         }
         if (Buffer.byteLength(req.file.buffer) > 256000) {
-            console.warn("File to big.");
+            log.warn("File too big.");
             res.sendStatus(413);
         }
-        const mimeType = yield file_type_1.default.fromBuffer(req.file.buffer);
-        if (!exports.ALLOWED_IMAGE_TYPES.includes((mimeType === null || mimeType === void 0 ? void 0 : mimeType.mime) || "no/type")) {
+        const mimeType = await fileTypeFromBuffer(req.file.buffer);
+        if (!ALLOWED_IMAGE_TYPES.includes(mimeType?.mime || "no/type")) {
             res.status(400).send({
-                error: "Unsupported file type. Expected jpeg, png, gif, apng, or avif but received " + (mimeType === null || mimeType === void 0 ? void 0 : mimeType.ext),
+                error: "Unsupported file type. Expected jpeg, png, gif, apng, or avif but received " +
+                    String(mimeType?.ext),
             });
             return;
         }
         const emoji = {
-            emojiID: uuid.v4(),
-            owner: req.params.serverID,
+            emojiID: crypto.randomUUID(),
             name: payload.name,
+            owner: serverID,
         };
-        yield db.createEmoji(emoji);
+        await db.createEmoji(emoji);
         try {
             // write the file to disk
-            fs_1.default.writeFile("emoji/" + emoji.emojiID, req.file.buffer, () => {
-                log.info("Wrote new emoji " + emoji.emojiID);
-            });
-            res.send(msgpack_lite_1.default.encode(emoji));
+            await fsp.writeFile("emoji/" + emoji.emojiID, req.file.buffer);
+            log.info("Wrote new emoji " + emoji.emojiID);
+            res.send(msgpack.encode(emoji));
         }
         catch (err) {
-            log.warn(err);
+            log.warn(String(err));
             res.sendStatus(500);
         }
-    }));
+    });
     // COMPLEX RESOURCES
     api.use("/user", userRouter);
     api.use("/file", fileRouter);
     api.use("/avatar", avatarRouter);
     api.use("/invite", inviteRouter);
+    setupDocs(api);
+    // Central error handler MUST be last. Handles both thrown AppErrors
+    // (client-safe status + message) and programmer errors (generic 500
+    // with full details logged server-side). See src/server/errors.ts
+    // for the CWE mapping.
+    api.use(errorHandler(log));
 };
-exports.initApp = initApp;
 /**
  * @ignore
  */
 const jestRun = () => {
-    return process.env.JEST_WORKER_ID !== undefined;
+    return process.env["JEST_WORKER_ID"] !== undefined;
 };
+//# sourceMappingURL=index.js.map