package main import ( "log" "net/http" "os" "strconv" "time" "greencoast/internal/api" "greencoast/internal/index" "greencoast/internal/storage" ) func getenvBool(key string, def bool) bool { v := os.Getenv(key) if v == "" { return def } b, err := strconv.ParseBool(v) if err != nil { return def } return b } func staticHeaders(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // Security posture for static client w.Header().Set("Referrer-Policy", "no-referrer") w.Header().Set("Cross-Origin-Opener-Policy", "same-origin") w.Header().Set("Cross-Origin-Resource-Policy", "same-site") w.Header().Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()") w.Header().Set("X-Frame-Options", "DENY") w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload") // Strong CSP to block XSS/token theft (enumerate your API host) w.Header().Set("Content-Security-Policy", "default-src 'self'; base-uri 'none'; object-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self' https://api-gc.fullmooncyberworks.com; frame-ancestors 'none'") // CORS for assets w.Header().Set("Access-Control-Allow-Origin", "*") if r.Method == http.MethodOptions { w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS") w.Header().Set("Access-Control-Allow-Headers", "Content-Type") w.WriteHeader(http.StatusNoContent) return } next.ServeHTTP(w, r) }) } func main() { httpAddr := os.Getenv("GC_HTTP_ADDR") if httpAddr == "" { httpAddr = ":9080" } httpsAddr := os.Getenv("GC_HTTPS_ADDR") certFile := os.Getenv("GC_TLS_CERT") keyFile := os.Getenv("GC_TLS_KEY") dataDir := os.Getenv("GC_DATA_DIR") if dataDir == "" { dataDir = "/var/lib/greencoast" } staticDir := os.Getenv("GC_STATIC_DIR") if staticDir == "" { staticDir = "/opt/greencoast/client" } staticAddr := os.Getenv("GC_STATIC_ADDR") if staticAddr == "" { staticAddr = ":9082" } coarseTS := getenvBool("GC_COARSE_TS", false) zeroTrust := getenvBool("GC_ZERO_TRUST", true) signingSecretHex := os.Getenv("GC_SIGNING_SECRET_HEX") discID := os.Getenv("GC_DISCORD_CLIENT_ID") discSecret := os.Getenv("GC_DISCORD_CLIENT_SECRET") discRedirect := os.Getenv("GC_DISCORD_REDIRECT_URI") store, err := storage.NewFS(dataDir) if err != nil { log.Fatalf("storage init: %v", err) } ix := index.New() // Auto-reindex on boot if possible if w, ok := any(store).(interface { Walk(func(hash string, size int64, mod time.Time) error) error }); ok { if err := w.Walk(func(hash string, size int64, mod time.Time) error { return ix.Put(index.Entry{ Hash: hash, Bytes: size, StoredAt: mod.UTC().Format(time.RFC3339Nano), Private: false, }) }); err != nil { log.Printf("reindex on boot: %v", err) } } ap := api.AuthProviders{ SigningSecretHex: signingSecretHex, Discord: api.DiscordProvider{ Enabled: discID != "" && discSecret != "" && discRedirect != "", ClientID: discID, ClientSecret: discSecret, RedirectURI: discRedirect, }, } srv := api.New(store, ix, coarseTS, zeroTrust, ap) // Static client server (9082) go func() { if st, err := os.Stat(staticDir); err != nil || !st.IsDir() { log.Printf("WARN: GC_STATIC_DIR %q not found or not a dir; client may 404", staticDir) } mux := http.NewServeMux() // Optional: forward API paths to API host to avoid 404 if user hits wrong host mux.Handle("/v1/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "https://api-gc.fullmooncyberworks.com"+r.URL.Path, http.StatusTemporaryRedirect) })) mux.Handle("/", http.FileServer(http.Dir(staticDir))) log.Printf("static listening on %s (dir=%s)", staticAddr, staticDir) if err := http.ListenAndServe(staticAddr, staticHeaders(mux)); err != nil { log.Fatalf("static server: %v", err) } }() if httpsAddr != "" && certFile != "" && keyFile != "" { log.Printf("starting HTTPS API on %s", httpsAddr) if err := srv.ListenHTTPS(httpsAddr, certFile, keyFile); err != nil { log.Fatal(err) } return } log.Printf("starting HTTP API on %s", httpAddr) if err := srv.ListenHTTP(httpAddr); err != nil { log.Fatal(err) } }