import express from "express"; import { randomUUID } from "crypto"; import compression from "compression"; import logger from "./services/logger.js"; import helmet from "helmet"; import path from "path"; import { fileURLToPath } from "url"; import rateLimit from "express-rate-limit"; import { convertRouter } from "./routes/convert.js"; import { templatesRouter } from "./routes/templates.js"; import { healthRouter } from "./routes/health.js"; import { signupRouter } from "./routes/signup.js"; import { recoverRouter } from "./routes/recover.js"; import { billingRouter } from "./routes/billing.js"; import { emailChangeRouter } from "./routes/email-change.js"; import { authMiddleware } from "./middleware/auth.js"; import { usageMiddleware, loadUsageData } from "./middleware/usage.js"; import { getUsageStats } from "./middleware/usage.js"; import { pdfRateLimitMiddleware, getConcurrencyStats } from "./middleware/pdfRateLimit.js"; import { initBrowser, closeBrowser } from "./services/browser.js"; import { loadKeys, getAllKeys } from "./services/keys.js"; import { verifyToken, loadVerifications } from "./services/verification.js"; import { initDatabase, pool } from "./services/db.js"; const app = express(); const PORT = parseInt(process.env.PORT || "3100", 10); app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } })); // Request ID + request logging middleware app.use((req, res, next) => { const requestId = req.headers["x-request-id"] || randomUUID(); req.requestId = requestId; res.setHeader("X-Request-Id", requestId); const start = Date.now(); res.on("finish", () => { const ms = Date.now() - start; if (req.path !== "/health") { logger.info({ method: req.method, path: req.path, status: res.statusCode, ms, requestId }, "request"); } }); next(); }); // Permissions-Policy header app.use((_req, res, next) => { res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=(self)"); next(); }); // Compression app.use(compression()); // Differentiated CORS middleware app.use((req, res, next) => { const isAuthBillingRoute = req.path.startsWith('/v1/signup') || req.path.startsWith('/v1/recover') || req.path.startsWith('/v1/billing') || req.path.startsWith('/v1/email-change'); if (isAuthBillingRoute) { res.setHeader("Access-Control-Allow-Origin", "https://docfast.dev"); } else { res.setHeader("Access-Control-Allow-Origin", "*"); } res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS"); res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-API-Key"); res.setHeader("Access-Control-Max-Age", "86400"); if (req.method === "OPTIONS") { res.status(204).end(); return; } next(); }); // Raw body for Stripe webhook signature verification app.use("/v1/billing/webhook", express.raw({ type: "application/json" })); app.use(express.json({ limit: "2mb" })); app.use(express.text({ limit: "2mb", type: "text/*" })); // Trust nginx proxy app.set("trust proxy", 1); // Global rate limiting - reduced from 10,000 to reasonable limit const limiter = rateLimit({ windowMs: 60_000, max: 100, standardHeaders: true, legacyHeaders: false, }); app.use(limiter); // Public routes app.use("/health", healthRouter); app.use("/v1/signup", signupRouter); app.use("/v1/recover", recoverRouter); app.use("/v1/billing", billingRouter); app.use("/v1/email-change", emailChangeRouter); // Authenticated routes โ€” conversion routes get tighter body limits (500KB) const convertBodyLimit = express.json({ limit: "500kb" }); app.use("/v1/convert", convertBodyLimit, authMiddleware, usageMiddleware, pdfRateLimitMiddleware, convertRouter); app.use("/v1/templates", authMiddleware, usageMiddleware, templatesRouter); // Admin: usage stats (admin key required) const adminAuth = (req, res, next) => { const adminKey = process.env.ADMIN_API_KEY; if (!adminKey) { res.status(503).json({ error: "Admin access not configured" }); return; } if (req.apiKeyInfo?.key !== adminKey) { res.status(403).json({ error: "Admin access required" }); return; } next(); }; app.get("/v1/usage", authMiddleware, adminAuth, (req, res) => { res.json(getUsageStats(req.apiKeyInfo?.key)); }); // Admin: concurrency stats (admin key required) app.get("/v1/concurrency", authMiddleware, adminAuth, (_req, res) => { res.json(getConcurrencyStats()); }); // Email verification endpoint app.get("/verify", (req, res) => { const token = req.query.token; if (!token) { res.status(400).send(verifyPage("Invalid Link", "No verification token provided.", null)); return; } const result = verifyToken(token); switch (result.status) { case "ok": res.send(verifyPage("Email Verified! ๐Ÿš€", "Your DocFast API key is ready:", result.verification.apiKey)); break; case "already_verified": res.send(verifyPage("Already Verified", "This email was already verified. Here's your API key:", result.verification.apiKey)); break; case "expired": res.status(410).send(verifyPage("Link Expired", "This verification link has expired (24h). Please sign up again.", null)); break; case "invalid": res.status(404).send(verifyPage("Invalid Link", "This verification link is not valid.", null)); break; } }); function verifyPage(title, message, apiKey) { return ` ${title} โ€” DocFast

${title}

${message}

${apiKey ? `
โš ๏ธ Save your API key securely. You can recover it via email if needed.
${apiKey}
100 free PDFs/month ยท Read the docs โ†’
` : `
โ† Back to DocFast
`}
`; } // Landing page const __dirname = path.dirname(fileURLToPath(import.meta.url)); // Favicon route app.get("/favicon.ico", (_req, res) => { res.setHeader('Content-Type', 'image/svg+xml'); res.setHeader('Cache-Control', 'public, max-age=604800'); res.sendFile(path.join(__dirname, "../public/favicon.svg")); }); app.use(express.static(path.join(__dirname, "../public"), { maxAge: "1d", etag: true, setHeaders: (res) => { res.setHeader('Cache-Control', 'public, max-age=86400'); } })); // Docs page (clean URL) app.get("/docs", (_req, res) => { res.setHeader('Cache-Control', 'public, max-age=86400'); res.sendFile(path.join(__dirname, "../public/docs.html")); }); // Legal pages (clean URLs) app.get("/impressum", (_req, res) => { res.setHeader('Cache-Control', 'public, max-age=86400'); res.sendFile(path.join(__dirname, "../public/impressum.html")); }); app.get("/privacy", (_req, res) => { res.setHeader('Cache-Control', 'public, max-age=86400'); res.sendFile(path.join(__dirname, "../public/privacy.html")); }); app.get("/terms", (_req, res) => { res.setHeader('Cache-Control', 'public, max-age=86400'); res.sendFile(path.join(__dirname, "../public/terms.html")); }); app.get("/status", (_req, res) => { res.setHeader("Cache-Control", "public, max-age=60"); res.sendFile(path.join(__dirname, "../public/status.html")); }); // API root app.get("/api", (_req, res) => { res.json({ name: "DocFast API", version: "0.2.1", endpoints: [ "POST /v1/signup/free โ€” Get a free API key", "POST /v1/convert/html", "POST /v1/convert/markdown", "POST /v1/convert/url", "POST /v1/templates/:id/render", "GET /v1/templates", "POST /v1/billing/checkout โ€” Start Pro subscription", ], }); }); // 404 handler - must be after all routes app.use((req, res) => { // Check if it's an API request const isApiRequest = req.path.startsWith('/v1/') || req.path.startsWith('/api') || req.path.startsWith('/health'); if (isApiRequest) { // JSON 404 for API paths res.status(404).json({ error: `Not Found: ${req.method} ${req.path}` }); } else { // HTML 404 for browser paths res.status(404).send(` 404 - Page Not Found | DocFast
โšก

404

Page Not Found

The page you're looking for doesn't exist or has been moved.

โ† Back to DocFast | Read the docs

`); } }); async function start() { // Initialize PostgreSQL await initDatabase(); // Load data from PostgreSQL await loadKeys(); await loadVerifications(); await loadUsageData(); await initBrowser(); logger.info(`Loaded ${getAllKeys().length} API keys`); const server = app.listen(PORT, () => logger.info(`DocFast API running on :${PORT}`)); let shuttingDown = false; const shutdown = async (signal) => { if (shuttingDown) return; shuttingDown = true; logger.info(`Received ${signal}, starting graceful shutdown...`); // 1. Stop accepting new connections, wait for in-flight requests (max 10s) await new Promise((resolve) => { const forceTimeout = setTimeout(() => { logger.warn("Forcing server close after 10s timeout"); resolve(); }, 10_000); server.close(() => { clearTimeout(forceTimeout); logger.info("HTTP server closed (all in-flight requests completed)"); resolve(); }); }); // 2. Close Puppeteer browser pool try { await closeBrowser(); logger.info("Browser pool closed"); } catch (err) { logger.error({ err }, "Error closing browser pool"); } // 3. Close PostgreSQL connection pool try { await pool.end(); logger.info("PostgreSQL pool closed"); } catch (err) { logger.error({ err }, "Error closing PostgreSQL pool"); } logger.info("Graceful shutdown complete"); process.exit(0); }; process.on("SIGTERM", () => shutdown("SIGTERM")); process.on("SIGINT", () => shutdown("SIGINT")); } start().catch((err) => { logger.error({ err }, "Failed to start"); process.exit(1); }); export { app };