require('dotenv').config(); const express = require('express'); const cors = require('cors'); const helmet = require('helmet'); const rateLimit = require('express-rate-limit'); const path = require('path'); const cron = require('node-cron'); const apiRouter = require('./routes/api'); const authRouter = require('./routes/auth'); const beneficiariesRouter = require('./routes/beneficiaries'); const invitationsRouter = require('./routes/invitations'); const pushTokensRouter = require('./routes/push-tokens'); const notificationSettingsRouter = require('./routes/notification-settings'); const ordersRouter = require('./routes/orders'); const stripeRouter = require('./routes/stripe'); const webhookRouter = require('./routes/webhook'); const adminRouter = require('./routes/admin'); const { syncAllSubscriptions } = require('./services/subscription-sync'); const app = express(); const PORT = process.env.PORT || 3000; // Trust proxy for correct IP when behind nginx app.set('trust proxy', 1); // ============ SECURITY ============ // Helmet - добавляет security headers app.use(helmet({ contentSecurityPolicy: false // отключаем для admin panel })); // CORS - разрешаем только наши домены const allowedOrigins = [ 'https://wellnuo.smartlaunchhub.com', 'https://wellnuo.com', 'http://localhost:3000', 'http://localhost:8081', // Expo dev 'exp://192.168.1.*' // Expo local ]; app.use(cors({ origin: function(origin, callback) { // Разрешаем запросы без origin (mobile apps, Postman) if (!origin) return callback(null, true); // Проверяем разрешённые домены if (allowedOrigins.some(allowed => { if (allowed.includes('*')) { const regex = new RegExp(allowed.replace('*', '.*')); return regex.test(origin); } return allowed === origin; })) { return callback(null, true); } callback(new Error('Not allowed by CORS')); }, credentials: true })); // Rate Limiting - защита от DDoS const limiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 минут max: 100, // максимум 100 запросов за 15 минут message: { error: 'Too many requests, please try again later' }, standardHeaders: true, legacyHeaders: false }); // Лимит для auth endpoints const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 30, // 30 попыток логина за 15 минут message: { error: 'Too many login attempts, please try again later' }, // Пропускаем админов без лимита skip: (req) => { const adminEmails = ['serter2069@gmail.com', 'ezmrzli@gmail.com', 'apple@zmrinc.com']; return adminEmails.includes(req.body?.email?.toLowerCase()); } }); // Применяем rate limiting app.use(limiter); app.use('/api/auth', authLimiter); // Auth endpoints app.use('/function/well-api/api', authLimiter); // Legacy API с auth // Stripe webhooks need raw body for signature verification // Must be before express.json() app.use('/api/webhook/stripe', express.raw({ type: 'application/json' })); // JSON body parser for other routes app.use(express.json()); app.use(express.urlencoded({ extended: true })); // ============ ROUTES ============ // Legacy API route - matches old API structure // POST /function/well-api/api with function parameter app.use('/function/well-api/api', apiRouter); // New REST API routes app.use('/api/auth', authRouter); app.use('/api/me/beneficiaries', beneficiariesRouter); app.use('/api/invitations', invitationsRouter); app.use('/api/push-tokens', pushTokensRouter); app.use('/api/notification-settings', notificationSettingsRouter); app.use('/api/orders', ordersRouter); app.use('/api/stripe', stripeRouter); app.use('/api/webhook', webhookRouter); app.use('/api/admin', adminRouter); // Admin UI app.get('/admin', (req, res) => { res.sendFile(path.join(__dirname, 'admin', 'index.html')); }); // Health check app.get('/health', (req, res) => { res.json({ status: 'ok', timestamp: new Date().toISOString(), stripe: process.env.STRIPE_SECRET_KEY ? 'configured' : 'missing' }); }); // API info app.get('/api', (req, res) => { res.json({ name: 'WellNuo API', version: '2.0.0', endpoints: { auth: '/api/auth', beneficiaries: '/api/me/beneficiaries', invitations: '/api/invitations', pushTokens: '/api/push-tokens', notificationSettings: '/api/notification-settings', orders: '/api/orders', stripe: '/api/stripe', webhook: '/api/webhook/stripe', admin: '/api/admin', legacy: '/function/well-api/api' } }); }); // ============ CRON JOBS ============ // Sync subscriptions from Stripe every hour cron.schedule('0 * * * *', async () => { console.log('[CRON] Running subscription sync...'); const result = await syncAllSubscriptions(); console.log('[CRON] Subscription sync result:', result); }); // Run sync on startup (after 10 seconds to let everything initialize) setTimeout(async () => { console.log('[STARTUP] Running initial subscription sync...'); const result = await syncAllSubscriptions(); console.log('[STARTUP] Initial sync result:', result); }, 10000); // Manual sync endpoint (for admin) app.post('/api/admin/sync-subscriptions', async (req, res) => { console.log('[ADMIN] Manual subscription sync requested'); const result = await syncAllSubscriptions(); res.json(result); }); app.listen(PORT, () => { console.log(`WellNuo API running on port ${PORT}`); console.log(`Stripe: ${process.env.STRIPE_SECRET_KEY ? '✓ configured' : '✗ missing'}`); });