OmniAI/omniai-server
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
56955e32f7ffa33da6b8f5b41abd1678c3beca9f
omniai-server/src/index.js
T
stringadmin 56955e32f7 Initial commit: OmniAI backend server
2026-06-02 13:14:10 +08:00

154 lines
4.8 KiB
JavaScript
Raw Blame History

require('dotenv').config()
const express = require('express')
const rateLimit = require('express-rate-limit')
const cors = require('cors')
const helmet = require('helmet')
const { startSettlementWorker } = require('./settlementWorker')
const { startProviderHealthMonitor } = require('./providerHealthMonitor')
const { ensureDatabase } = require('./dbSetup')
const { assertRuntimeSecurityConfig } = require('./securityConfig')
const { loadPriceCache } = require('./pricing')
assertRuntimeSecurityConfig()
const routes = require('./routes')
const PORT = Number(process.env.PORT) || 3600
const HOST = process.env.HOST || '0.0.0.0'
const IS_PRODUCTION = process.env.NODE_ENV === 'production'
// CORS: in production, require explicit allowlist; in dev, allow all with credentials
function buildCorsOptions() {
const raw = process.env.CORS_ORIGINS || ''
if (IS_PRODUCTION) {
if (!raw || raw === '*') {
console.warn('[security] CORS_ORIGINS not set in production, defaulting to same-origin only')
return { origin: false, credentials: true }
}
return {
origin: raw.split(',').map((s) => s.trim()),
credentials: true,
}
}
// Development: allow any origin for local testing
return { origin: true, credentials: true }
}
async function main() {
const { createdDefaultAdmin } = await ensureDatabase()
if (createdDefaultAdmin) {
console.log('[db] Created default admin user: admin (password sourced from configuration)')
}
await loadPriceCache()
const app = express()
// Trust single-hop Nginx reverse proxy (X-Forwarded-For, X-Real-IP)
app.set('trust proxy', 1)
// Security headers via helmet
app.use(helmet({
contentSecurityPolicy: false, // Disable CSP for now (SPA needs inline scripts in dev)
crossOriginEmbedderPolicy: false, // Allow OSS images/videos
crossOriginResourcePolicy: { policy: 'cross-origin' },
}))
// CORS
app.use(cors(buildCorsOptions()))
// Rate limiting: global (100 req/min per IP)
const globalLimiter = rateLimit({
windowMs: 60 * 1000,
max: 100,
standardHeaders: true,
legacyHeaders: false,
message: { error: '请求过于频繁,请稍后再试' },
})
app.use('/api', globalLimiter)
// Rate limiting: auth endpoints (stricter — 10 req/min per IP)
const authLimiter = rateLimit({
windowMs: 60 * 1000,
max: 10,
standardHeaders: true,
legacyHeaders: false,
message: { error: '登录尝试过于频繁,请1分钟后再试' },
})
app.use('/api/auth/login', authLimiter)
app.use('/api/auth/register', authLimiter)
app.use('/api/auth/sms', authLimiter)
// Rate limiting: AI generation endpoints (20 req/min per IP)
const aiGenerationLimiter = rateLimit({
windowMs: 60 * 1000,
max: 20,
standardHeaders: true,
legacyHeaders: false,
message: { error: 'AI生成请求过于频繁,请稍后再试' },
})
app.use('/api/ai/image', aiGenerationLimiter)
app.use('/api/ai/video', aiGenerationLimiter)
// JSON body limit: 5MB globally (upload routes override locally)
app.use('/api/oss/upload', express.json({ limit: '200mb' }))
app.use(express.json({ limit: process.env.JSON_BODY_LIMIT || '5mb' }))
app.use('/api', routes)
app.use('/api', (req, res) => {
res.status(404).json({
error: 'API route not found',
path: req.originalUrl
})
})
app.use('/api', (err, req, res, next) => {
if (res.headersSent) return next(err)
const status = Number(err.status || err.statusCode || 500)
const safeStatus = status >= 400 && status < 600 ? status : 500
// Log full error internally, but don't leak details to client
console.error('[api] error:', err)
const message = safeStatus >= 500
? '服务器内部错误,请稍后重试'
: (err.message || '请求处理失败')
res.status(safeStatus).json({
error: message,
code: err.code || undefined,
})
})
// Periodic stale lease cleanup (every 5 min)
const { cleanStaleLeases } = require('./keyManager')
setInterval(() => {
cleanStaleLeases().then((cleaned) => {
if (cleaned > 0) console.log(`[cleanup] Released ${cleaned} stale lease(s)`)
}).catch((err) => {
console.error('[cleanup] error:', err)
})
}, 5 * 60 * 1000)
startSettlementWorker()
startProviderHealthMonitor()
const { startStaleTaskCleanup } = require('./aiTaskWorker')
startStaleTaskCleanup()
app.listen(PORT, HOST, () => {
console.log(`OmniAI Key Server running at http://${HOST}:${PORT}`)
console.log(`Health check: http://${HOST}:${PORT}/api/health`)
})
}
main().catch((err) => {
console.error('[startup] Fatal error:', err)
process.exit(1)
})
process.on('unhandledRejection', (reason) => {
console.error('[fatal] Unhandled promise rejection:', reason)
})
process.on('uncaughtException', (err) => {
console.error('[fatal] Uncaught exception:', err)
process.exit(1)
})
Reference in New Issue View Git Blame Copy Permalink